Digesting and implementing the U.S. DOJ’s new compliance guidance for prosecutors on the use of personal devices and third party apps
Further revisions to corporate criminal enforcement policies from U.S. Department of Justice (DOJ) Deputy Attorney General Lisa Monaco, published in September 2022, set out the latest update to strengthen the DOJ’s approach to corporate criminal enforcement. The guidance is aimed at prosecutors but provides organizations with an unparalleled insight into what is considered to constitute an effective compliance program and the processes for evaluating individual and corporate accountability. These include an evaluation of:
- A corporation’s history of misconduct
- Self-disclosure and cooperation
- The strength of the existing compliance program, and
- The use of compliance monitors
A key feature of U.S. criminal enforcement is cooperation credit, and for corporations to be eligible for such credit they must disclose to the DOJ all relevant, non-privileged facts about individual misconduct. The DOJ considers it ‘imperative’ that prosecutors gain access to all relevant facts about individual misconduct ‘swiftly and without delay’, with such evidence including information and, critically, communications associated with relevant individuals.
Use of personal devices and third party applications
From the perspective of the DOJ, the ubiquity of personal devices together with the rise in the use of third-party messaging platforms including the use of ephemeral and encrypted messaging applications pose ‘significant corporate compliance risks’. How companies address the use of personal devices and third-party messaging platforms can impact a prosecutor’s evaluation of the effectiveness of a corporation’s compliance program as well as the assessment of cooperation. The DOJ has expanded on its June 2020 Evaluation of Corporate Compliance Programs and identified several additional hallmarks of an effective compliance program including:
- The need for effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved
- ‘Clear training’ to be provided to all employees about such policies (the 2020 guidance also stipulates that organizations should measure the effectiveness of training), and
- Such policies to be enforced when violations are identified
With regard to cooperation credit, prosecutors are required to consider whether a firm has, in practice, instituted policies to ensure that it will be able to collect and provide to the government all non-privileged responsive documents relevant to any investigation ‘including work-related communications (e.g. texts, e-messages, or chats)’ as well as data contained on phones, tablets, or other devices that are used for business purposes.
There is more guidance to come from the DOJ with a commitment to further study corporate best practices regarding the use of personal devices and third-party messaging platforms so the DOJ ‘can address these issues thoughtfully and consistently’.
Considerations for compliance
The DOJ’s guidance is set against a backdrop of penalties of $2bn imposed on a number of financial services institutions for failures in record keeping around third-party messaging platforms such as WhatsApp. The lessons to be learned from the swathe of enforcement actions read across to the DOJ’s updated expectations with regard to the retention, monitoring and retrieval of communications and, as such, organizations of all types would be well advised to consider:
- Firm-wide record-keeping. Organizations should consider the need for a firm-wide, board-sponsored review of record-keeping. Specifically, organizations should ensure there are no gaps in capturing or retaining communications across any of the SMS, collaboration or chat tools in place like Slack, Zoom, Microsoft Teams and Webex by Cisco as well as consumer apps like WhatsApp. That includes in-meeting communications and images, GIFs, emojis or reactions that change meaning and context. Organizations should also bear in mind that their record-keeping obligations are global. It goes without saying that any gaps found in record-keeping should be remediated as a matter of urgency.
- Data governance and retrieval. Organizations need to embrace the fact that electronic communications data is a vital strategic asset and from there build a business-wide approach to data aggregation, management, storage, security, retrieval and destruction; in other words, build a business-specific approach to data governance. Among other things, it is a key message from the DOJ guidance that organizations are expected to be able not only to capture but also to quickly search and retrieve (in a reviewable format) all relevant communications for regulators, prosecutors and auditors.
- Policies, skills and training. A key element of comprehensive record-keeping is training all employees on their obligations and ensuring that they have the technological skills to comply with all aspects of record capture and preservation. Given the expectations around training and its effectiveness, organizations may wish to consider requiring a regular attestation from staff certifying that they are aware of, and have complied with, the requirements.
- Technology. Organizations cannot practically meet their record-keeping and data governance obligations without the help of technological solutions. In the first instance, organizations need to ensure that their IT infrastructure is robust with a minimum of manual workarounds, and then they should (re)assess the technological solutions in place, which may need adjusting. Organizations should consider adopting tools built for rich, dynamic communications using artificial intelligence and machine learning which will enable them to comprehensively capture, supervise and detect risks across the vast volumes of communications.
- Accountability. Any effective corporate compliance program is centered around clear accountability. Organizations need to be able to not only track any breaches but show evidence of holding those concerned to individual account. Specifically, DOJ prosecutors are required to evaluate an organization's commitment to fostering a strong culture of compliance at all levels, not just within its compliance department. For example, as part of this evaluation, prosecutors should consider how the organization has incentivized or sanctioned employee, executive, and director behavior, including through compensation plans, as part of its efforts to create a culture of compliance.
“We have seen a rise in companies and individuals using these types of messaging systems, and companies must ensure that they can monitor and retain these communications as appropriate.”
Speech, DOJ Assistant Attorney General Kenneth A. Polite, September 2022
“...prosecutors should consider whether the corporation has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved”
U.S. Department of Justice Criminal Division Further Revisions to Corporate Criminal Enforcement Policies, September 2022
How Theta Lake can help
Theta Lake’s multi-award-winning product suite provides patented compliance and security for modern communications utilizing over 100 frictionless partner integrations that include RingCentral, Webex by Cisco, Microsoft Teams, Slack, Zoom, Movius and more. Here are some of the ways Theta Lake can help you comply with the updated guidance from the DOJ:
- Theta Lake captures and compliantly archives communications including videos, voice, chat, screen share and file transfer from mobile messaging platforms to SMS and WhatsApp to enable compliance with the DOJ guidance. It also acts as an archive connector, enabling existing archives and data storage to be utilized without disruption.
- Easily search and retrieve content to enable compliance with the ‘swiftly and without delay’ criteria to deliver to the DOJ any communications associated with relevant individuals.
- The ability to ensure that all aspects of messaging can be preserved, and a full audit trail provided to regulators or prosecutors. For example, chat messages can be viewed in their native format over the entire history of the conversation with full context retained together with in-meeting communications and images, GIFs, emojis or reactions that change meaning and context.
- AI-enabled automated detection of misconduct requiring reporting to the DOJ or other regulators. Identified risks are surfaced in an AI-assisted review workflow providing an efficient and effective review process for compliance teams.
- Theta Lake’s suite is SOC2, Type II audited and maps controls to ISO 27001 so confidential, privileged or sensitive data can be automatically redacted to meet data privacy and other legal obligations.