Ephemeral Messaging, FCPA, & the DOJ: Three Things Lawyers & Compliance Officers Need to Know
The DOJ’s evolution on this subject means it’s no longer acceptable to claim ignorance. Savvy lawyers, compliance officers, and auditors must ensure their organizations have policies in place.
In November of 2017, the Department of Justice modified its FCPA Corporate Enforcement Policy – the policy which guides compliance officers, corporate counsel, and internal auditors on compliance with the Foreign Corrupt Practices Act. The DOJ’s modification required companies subject to FCPA regulations to completely prohibit their employees from using ephemeral messaging – popular examples of which include WhatsApp, WeChat, Signal, Viber, and Snapchat.
This policy banned any company doing business across borders from using many popular platforms for communication without risking FCPA noncompliance; essentially limiting companies to conduct all communication through email and other standard forms of communication.
US Department of Justice updates ephemeral messaging policy
In March of this year, the DOJ updated their messaging app policy to refine their earlier prohibition. Now, companies are no longer expected to prohibit employees from using ephemeral messaging, but instead requires them to implement appropriate guidance and controls over these types of platforms and communications.
Specifically, the revisions state that for a company to receive full credit for timely and appropriate remediation, the company is required to satisfy requirements including:
Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.
Essentially, the DOJ lifted an outright ban and instead, put in place the requirement that companies must’ve adequate retention policies and appropriate controls to maintain compliance.
Who is affected by the DOJ FCPA ephemeral messaging rule?
The cloud is simply a data center – containing varying levels of hardware and software, housing variable amounts of data – all accessible via secure logins via the internet. That’s it.
This new rule modification – like the original policy from 2017 – applies to any company with an FCPA policy or potentially at risk for FCPA violations. This means that any company doing business internationally should ensure compliance with the new policy. Some industries, however, face more FCPA scrutiny than others: Namely, manufacturing, mining, energy / oil & gas, pharmaceuticals, and of course any company doing business in any country that rates highly on the corruption index.
What do lawyers need to know?
The DOJ’s swiftly evolving sophistication on this subject means that it’s no longer acceptable to claim ignorance – no compliance officer or corporate counsel can now expect to say, “We don’t know how to deal with WhatsApp!” Savvy lawyers, compliance officers, and auditors must ensure their companies or clients ave policies in place to deal with these types of communication.
- Carefully consider your BYOD policies: When employees bring their personal phones into the workplace, mixing personal and business communications, data privacy issues can complicate compliance with retention policies around ephemeral messaging. When working in particularly high-risk areas, such as companies doing business in high-risk regions, or positions at higher risk such as procurement, supply chain, or employees with frequent government touch points, consider banning personal devices for work purposes outright. Ultimately, it’s cheaper for companies to provide phones for all these employees than later dealing with discovering data from a personal device when facing an FCPA investigation.
- Restrict use of messaging apps for business communication: If your business uses any messaging apps for business communication, restrict the use of such apps to devices that the company owns, or can control and review.
- Review data privacy policies and procedures: Ensure all business communications within a messaging app can be reviewed without violating an employee’s right to privacy on personal devices. This is especially important in jurisdictions with heightened data privacy regulations such as Europe, which is subject to the General Data Protection Regulation (GDPR). Refer again to No. 1 – it may be cheaper for compliance purposes to provide company-owned devices than risk potential FCPA violations coupled with GDPR sanctions – and potential additional sanctions should relevant communication that took place on ephemeral messaging apps ultimately be unrecoverable.
What’s clear is that there is now an onus on companies to have awareness of what’s going on with ephemeral messaging apps – companies must include these data types in their FCPA audits, compliance policies, and any data collections and discovery requests, or risk exposure to fines, sanctions, regulatory action, and reputational damage.
The DOJ’s evolution on this subject means it’s no longer acceptable to claim ignorance. Savvy lawyers, compliance officers, and auditors must ensure their organizations have policies in place.
In November of 2017, the Department of Justice modified its FCPA Corporate Enforcement Policy – the policy which guides compliance officers, corporate counsel, and internal auditors on compliance with the Foreign Corrupt Practices Act. The DOJ’s modification required companies subject to FCPA regulations to completely prohibit their employees from using ephemeral messaging – popular examples of which include WhatsApp, WeChat, Signal, Viber, and Snapchat.
This policy banned any company doing business across borders from using many popular platforms for communication without risking FCPA noncompliance; essentially limiting companies to conduct all communication through email and other standard forms of communication.
US Department of Justice updates ephemeral messaging policy
In March of this year, the DOJ updated their messaging app policy to refine their earlier prohibition. Now, companies are no longer expected to prohibit employees from using ephemeral messaging, but instead requires them to implement appropriate guidance and controls over these types of platforms and communications.
Specifically, the revisions state that for a company to receive full credit for timely and appropriate remediation, the company is required to satisfy requirements including:
Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations.
Essentially, the DOJ lifted an outright ban and instead, put in place the requirement that companies must’ve adequate retention policies and appropriate controls to maintain compliance.
Who is affected by the DOJ FCPA ephemeral messaging rule?
The cloud is simply a data center – containing varying levels of hardware and software, housing variable amounts of data – all accessible via secure logins via the internet. That’s it.
This new rule modification – like the original policy from 2017 – applies to any company with an FCPA policy or potentially at risk for FCPA violations. This means that any company doing business internationally should ensure compliance with the new policy. Some industries, however, face more FCPA scrutiny than others: Namely, manufacturing, mining, energy / oil & gas, pharmaceuticals, and of course any company doing business in any country that rates highly on the corruption index.
What do lawyers need to know?
The DOJ’s swiftly evolving sophistication on this subject means that it’s no longer acceptable to claim ignorance – no compliance officer or corporate counsel can now expect to say, “We don’t know how to deal with WhatsApp!” Savvy lawyers, compliance officers, and auditors must ensure their companies or clients ave policies in place to deal with these types of communication.
- Carefully consider your BYOD policies: When employees bring their personal phones into the workplace, mixing personal and business communications, data privacy issues can complicate compliance with retention policies around ephemeral messaging. When working in particularly high-risk areas, such as companies doing business in high-risk regions, or positions at higher risk such as procurement, supply chain, or employees with frequent government touch points, consider banning personal devices for work purposes outright. Ultimately, it’s cheaper for companies to provide phones for all these employees than later dealing with discovering data from a personal device when facing an FCPA investigation.
- Restrict use of messaging apps for business communication: If your business uses any messaging apps for business communication, restrict the use of such apps to devices that the company owns, or can control and review.
- Review data privacy policies and procedures: Ensure all business communications within a messaging app can be reviewed without violating an employee’s right to privacy on personal devices. This is especially important in jurisdictions with heightened data privacy regulations such as Europe, which is subject to the General Data Protection Regulation (GDPR). Refer again to No. 1 – it may be cheaper for compliance purposes to provide company-owned devices than risk potential FCPA violations coupled with GDPR sanctions – and potential additional sanctions should relevant communication that took place on ephemeral messaging apps ultimately be unrecoverable.
What’s clear is that there is now an onus on companies to have awareness of what’s going on with ephemeral messaging apps – companies must include these data types in their FCPA audits, compliance policies, and any data collections and discovery requests, or risk exposure to fines, sanctions, regulatory action, and reputational damage.