In September 2022, the Department of Justice (DOJ) announced several significant updates to its criminal enforcement program. The DOJ emphasized that in order to receive cooperation credit, corporations should have proper document preservation policies and procedures in place to timely preserve, collect, and disclose relevant documents located in the U.S. and overseas.
The DOJ’s policy updates coincide with the Securities and Exchange Commission’s (SEC) and the Commodity Futures Trading Commission’s (CFTC) enforcement actions penalizing corporations for failing to monitor and preserve business communications conducted through instant messaging platforms (such as WhatsApp) on their employees’ personal devices.
Corporations should pay attention to their current compliance programs and policies to ensure that they adequately monitor and preserve all relevant business communications.
Corporations must timely preserve, collect, and disclose relevant documents to the DOJ to receive cooperation credit
In September 2022, the DOJ issued updated guidance clarifying the factors that the government will consider when pursuing resolutions with corporations (see our prior client alert discussing these updates in detail). In particular, corporations seeking cooperation credit must “timely preserve, collect, and disclose relevant documents located both in the US and overseas.” Corporations will receive cooperation credit if they are able to navigate foreign data privacy laws and blocking statutes to produce documents located overseas. Corporations that use such foreign laws to shield misconduct and subsequently fail to produce foreign evidence may not receive such credit.
This guidance also instructed DOJ prosecutors to consider if a corporation has implemented an effective compliance program regulating the use of personal devices and third-party messaging platforms to ensure that business-related communications are preserved. As part of its program, a corporation should provide training to employees about its compliance policy and should discipline employees for violations. The DOJ expects a corporation to be able to collect and provide to them non-privileged responsive documents, including work-related communications (e.g., texts, e-messages, and chats) and data contained on phones and tablets that are used by its employees for business purposes.
The DOJ emphasized that the frequency with which personal devices and third-party messaging platforms are used for business communications poses “significant corporate compliance risks, particularly as to the ability of companies to monitor the use of such devices and to recover relevant data from them during a subsequent investigation.” The DOJ plans to issue further guidance on best corporate practices regarding the use of personal devices and third-party messaging platforms.
The SEC and CFTC have fined corporations nearly $2 billion for failures to monitor and retain business communications on messaging platforms
The DOJ’s focus on how corporations handle messaging applications on employees’ personal devices coincides with similar scrutiny by the SEC and CFTC.
Since 2021, the SEC and CFTC have been conducting industry-wide investigations across Wall Street firms to ascertain whether they have been adequately monitoring and retaining business communications conducted through messaging platforms on personal devices. So far, the SEC and CFTC have fined more than a dozen Wall Street firms nearly $2 billion for “widespread and longstanding” failures to monitor and retain such business communications.
These firms admitted that for a number of years their employees routinely communicated about business matters on their personal devices, including through text messages, WhatsApp, Signal, and personal emails. Although regulated entities are required to retain employees’ work messages, none of these records were preserved. The failings were widespread and implicated employees across multiple levels of management within these firms, including supervisors and executives. In addition to the financial penalties, each of the firms agreed to retain compliance consultants to conduct comprehensive reviews of their policies and procedures relating to the retention of business communications found on employees’ personal devices and their frameworks for addressing non-compliance by employees. The director of the SEC’s Division of Enforcement, Gurbir S. Grewal, stated that these newly implemented measures will help prevent violations going forward. Grewal also stated that the enforcement actions, both in terms of the firms involved and the size of the penalties ordered, “underscore the importance of recordkeeping requirements: they’re sacrosanct. If there are allegations of wrongdoing or misconduct, [the SEC] must be able to examine a firm’s books and records to determine what happened.”
These enforcement actions by the SEC and CFTC illustrate the enforcement agencies’ ongoing commitment to protecting market integrity. In December 2021, the SEC and CFTC similarly brought enforcement actions against another large firm for failing to preserve employees’ written communications. SEC Chair Gary Gensler stated that recordkeeping obligations are an essential part of market integrity and a foundational component of the SEC’s ability to conduct market oversight. The SEC has continued to encourage corporations to proactively examine their document preservation policies and procedures, and self-report failures to the SEC before the agency identifies violations by companies. As early as 2018, the SEC issued guidelines to help corporations to comply with their recordkeeping obligations in relation to the use of electronic messaging – such as text, instant messaging, and personal email – for business communications. Examples include prohibiting business use of messaging apps that allow employees to communicate anonymously, disallowing the automatic deletion of messages, and prohibiting third-party viewing or back-up. Where the use of personal devices for business purposes is permitted, there should be policies regulating such use in relation to messaging applications, texting, and personal emails. Corporations should include a statement in their internal policies informing employees that violations may result in disciplinary action including dismissal.
It is anticipated that these U.S. enforcement agencies will likely expand their recordkeeping probe into other industries. Much of the world worked from home during the Covid-19 pandemic and more corporations accepted a hybrid work model, which makes it harder for corporations to monitor and preserve employees’ business communications. The use of personal devices and messaging platforms (such as text messages, WhatsApp, Signal, Line, and WeChat) is also widespread in many industries subject to the supervision of these U.S. enforcement agencies.