FCPA investigators routinely face obstacles to gathering data from non-company email and messaging apps. In particular, such communications are often not stored on company devices, and where files exist, they may be encrypted or otherwise difficult to open.
Outside messaging apps, such as Snapchat and Wickr, may automatically delete messages after a few seconds or days precisely so that users can keep their communications confidential.
Outside email accounts are also difficult to access and present obvious data privacy issues. These circumstances have long posed challenges for FCPA investigators, but now, the use of outside email and messaging apps also threatens to disqualify companies from receiving substantial benefits under the DOJ’s new FCPA Corporate Enforcement Policy.
Specifically, under the new DOJ policy, for a company to receive full credit — e.g., the presumption of a declination — for timely and appropriate remediation in the context of cooperating with a government investigation, the company must meet the following criteria (among others):
Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications [emphasis added].
This language is unprecedented in prior DOJ guidance on FCPA enforcement, and shows a significant evolution in the DOJ’s expectations for data controls.
In particular, the new Policy signals that the DOJ now expects companies to clearly instruct employees not to communicate about business matters using any type of email or messaging software that doesn’t properly store the relevant data. If a company fails to do so, it may not qualify for a declination or certain other benefits under the new DOJ Policy — even if the company has an otherwise state-of-the-art compliance program and satisfies all other requirements for cooperation under the DOJ Policy.
From a practical perspective, the new Policy suggests that the DOJ expects companies to:
- Maintain appropriate written standards for data controls, which clearly define the types of communication software that are permissible to use for business matters. The new Policy suggests that acceptable software should include only programs that create and store business-related emails and messages in a form that is reasonably accessible to the company (e.g., to preserve and collect in an investigation), and consistent with the company’s document retention rules.
- Effectively implement data controls through means such as training, automated checks (e.g., potentially blocking installation of unauthorized apps), obtaining employee consents (to facilitate data processing), routinely testing compliance (e.g., through audits), and enforcement through discipline where appropriate.
Many companies have already made substantial efforts to implement effective data controls, recognizing their importance to safeguard against a broad range of corporate risks. In light of the DOJ’s new Policy, corporate attention to this area will likely intensify.
For compliance professionals, it is important to first understand the perspectives and work habits of business personnel. For example, if company email servers are slow, employees may use personal Gmail accounts to get through more quickly. If the company doesn’t offer an internal messaging app, employees may use Skype to chat with a workmate down the hall rather than individually sending, opening, and deleting hundreds of short emails.
Employees may find it more reliable to reach customers and business partners through Viber if the business partners find it more economical, user-friendly, or compatible with their personal smartphones. Employees may prefer the functionality of WhatsApp in sending photos, accessing contacts, or chatting with project teams.
With a solid understanding of such factors, one can more effectively develop practical data controls that help companies address risk and position themselves to qualify for substantial benefits under the DOJ’s new enforcement Policy, with minimal disruption to legitimate business processes.
Nate Lankford is a member at Miller & Chevalier in Washington, D.C. He focuses his practice on matters involving the Foreign Corrupt Practices Act, business and human rights and other areas of international corporate compliance. He has conducted investigations and created tailored compliance programs for U.S. and international companies in several industries and advised companies on all areas of compliance program implementation.
Aiysha Hussain is a senior associate at Miller & Chevalier. She specializes in internal and government investigations. She has played a significant role in the execution of numerous internal investigations involving fraud, violations of the Foreign Corrupt Practices Act, and the False Claims Act.