In September 2022, the U.S. Department of Justice (DOJ) issued a memo announcing revisions to the DOJ’s corporate criminal enforcement policies and practices. The memo made clear that the DOJ expects “all corporations with robust compliance programs [to] have effective policies governing the use of personal devices and third-party messaging platforms for corporate communications, . . . provide clear training to employees about such policies, and . . . enforce such policies when violations are identified.” This policy effectively applies to every business that could conceivably face DOJ inquiry and evidences the DOJ’s growing frustration with its inability to obtain relevant texts and instant messages from target subjects, especially when these communications are occurring outside of employer-provided communication platforms.

The memo advises prosecutors who are evaluating a corporation’s compliance program “to consider whether the corporation has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved.” These considerations are particularly important as to corporations seeking “cooperation credit in connection with an investigation.” Based on the DOJ’s renewed attention to this issue, it is imperative that organizations establish employee policies that do at least the following:

1. Clearly define the scope of “business-related communications.”
2. In consultation with the company’s data security and HR experts, outline what devices and applications are permissible or prohibited, and provide guidance on their appropriate use.
3. Address the employer’s right to access data and messages on employees’ devices in the event of an investigation or litigation.
4. Provide for comprehensive trainings on a periodic basis to all levels within the organization (senior executives should not be exempt from such trainings; in fact, they must lead by example).
5. Establish clear monitoring and enforcement mechanisms, including disciplinary consequences for violations of the organization’s policies.

To be sure, drafting robust policies may not be sufficient. Companies should consider establishing, and devoting resources to, mechanisms that proactively seek to ensure that all their employees abide by their policies. A recent matter serves as an illustrative lesson. In December 2021, the Securities Exchange Commission and the Commodity Futures Trading Commission imposed $200 million in fines against an investment management company for the loss of work-related messages that were sent via apps on employees’ personal devices, despite the fact that the firm’s policies forbade the use of personal apps for business purposes. The firm’s culpability stemmed from its failure to adequately supervise employees’ compliance with its rules. The DOJ is expected to likewise take a tough stance with respect to a company’s obligation to preserve and save text and instant messages as a general practice, and may seek to push the outer bounds of case law establishing the contours of these obligations.

Compliance with these expectations presents specific challenges for ephemeral messaging services that by their nature are set to self-destruct, in addition to encrypted and cloud-based platforms that can be difficult to preserve and collect. A deep understanding of employee practices and their implications in consultation with eDiscovery counsel should be in the playbook both for litigation preparedness and anytime the duty to preserve arises.

While the DOJ’s guidance doesn’t establish any new legal obligations, it does highlight the challenges associated with the preservation, collection and discoverability of texts and instant messages in both the regulatory and civil litigation contexts.

[View source.]