Earlier this year the U.S. Department of Justice (DOJ) released new guidance that provides critical insight into how the DOJ will analyze corporate compliance programs with respect to employee communications on personal devices, messaging platforms and messaging applications. To the extent your compliance programs addresses this, or not, will impact any offer the DOJ makes to resolve possible criminal liability.
Elements of an Effective Corporate Compliance Program
The DOJ Compliance Manual provides that federal prosecutors will consider specific factors when conducting an investigation of a corporation and determining whether to bring charges or offer settlements and other plea arrangements. The specific factors considered include “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision” and the corporation’s remedial efforts “to implement an adequate and effective corporate compliance program or to improve an existing one.” The Compliance Manual sets forth three fundamental questions every prosecutor will ask when they investigate a compliance program:
- Is the corporation’s compliance program well designed?
- Is the program being applied earnestly and in good faith? Meaning is the program adequately resourced, funded and empowered to work?
- Does the compliance program work in practice?
New Guidance – Personal Devices
The DOJ expects that companies will revise corporate policies to reflect the current reality that employees use their personal devices and third party apps to communicate with respect to business matters. As a result, previous compliance policies were not collecting all electronic business data in response to an internal or DOJ investigation. While there is not a one size fits all policy or approach, certainly the larger the company, the more resources available, which should lead to a more robust program. If a company has a “Bring Your Device to Work Policy” extra care should be given with regards to efforts to preservation and access to corporate data. For example, does the compliance policy have written discipline procedures in place if an employee refuses access to corporate communications on private devices?
Going Forward Companies Should Review and Update Compliance Policies as Required
Electronic communications have been a part of the business landscape for the last twenty-five years. The DOJ’s new policy is an update to reflect the realities of how communication takes place and that the DOJ intends to capture all electronic communication – whether it’s through a business or personal device. As a result, Anderson Leavitt recommends that companies review their personal devise use and record preservation policies. And if you don’t have such policies, now it the time to create policies that are in line with the new DOJ guidance.
If you have any questions regarding this post, other employer employee compliance issues, or any other aspect of your business, please feel free to contact any of our business attorneys at Anderson Leavitt.
This entry is presented for informational purposes only and is not intended to constitute legal advice.