DOJ Issues New Guidance – Effective Corporate Compliance Programs Must Account For Employee Personal Devices

On Behalf of | Jun 20, 2023 | Firm News

Earlier this year the U.S. Department of Justice (DOJ) released new guidance that provides critical insight into how the DOJ will analyze corporate compliance programs with respect to employee communications on personal devices, messaging platforms and messaging applications. Whether or not your compliance program addresses this will affect any offer the DOJ makes to resolve possible criminal liability.

Elements of an effective corporate compliance program

The DOJ Compliance Manual provides that federal prosecutors will consider specific factors when conducting an investigation of a corporation and determining whether to bring charges or offer settlements and other plea arrangements.

The specific factors considered include “the adequacy and effectiveness of the corporation’s compliance program at the time of the offense, as well as at the time of a charging decision” and the corporation’s remedial efforts “to implement an adequate and effective corporate compliance program or to improve an existing one.”

The Compliance Manual sets forth three fundamental questions every prosecutor will ask when they investigate a compliance program:

  1. Does the corporation’s compliance program have a solid design?
  2. Is the company applying the program earnestly and in good faith? That is, does the program have the resources, funding and authority it needs to work?
  3. Does the compliance program work in practice?

An effective corporate compliance program should remain under continuous monitoring and improvement to ensure it adapts to evolving legal and regulatory requirements.

New guidance: Personal devices

The DOJ expects that companies will revise corporate policies to reflect the current reality that employees use their personal devices and third-party apps to communicate about business matters. As a result, older compliance policies have not been capturing all electronic business data in response to an internal or DOJ investigation.

While there is no one-size-fits-all policy or approach, a larger company certainly has more resources available, and that should lead to a more robust program. If a company has a bring-your-own-device (BYOD) policy, it must take extra care to preserve, and maintain access to, corporate data on those devices. For example, does the compliance policy have written discipline procedures in place if an employee refuses access to corporate communications on a private device?

How can companies ensure compliance with personal device usage?

Companies can ensure compliance with personal device usage by implementing clear and comprehensive policies that address the use of personal devices for work-related communications. These policies should outline permissible use, data security measures, and procedures for accessing work-related data on personal devices. Regular training and communication with employees about these policies are essential to ensure understanding and adherence.

Companies should also consider using mobile device management (MDM) solutions to monitor and manage devices, ensuring they meet security standards. Periodic audits and reviews of device usage can help identify any compliance gaps and reinforce policy adherence. Additionally, companies should establish disciplinary measures for non-compliance to underscore the importance of these guidelines.

What are the challenges in monitoring employee communications?

Monitoring employee communications presents several challenges, primarily related to privacy concerns and the balance between oversight and trust. Employees may view monitoring as intrusive, potentially affecting morale and trust. Companies must navigate legal requirements and restrictions regarding privacy and data protection, which can vary by jurisdiction.

Additionally, the use of diverse communication platforms and personal devices complicates the ability to track and manage communications consistently. Implementing effective monitoring requires robust technology solutions that can handle various platforms while ensuring data security. Moreover, companies need to develop clear policies that specify what is being monitored and why to maintain transparency and foster trust.

What are the risks of not having a BYOD policy?

Without a BYOD policy, companies face several risks, including data security threats and compliance issues. Personal devices may lack adequate security measures, increasing the risk of data breaches or loss of sensitive corporate information. The absence of a formal policy can lead to inconsistent practices among employees. This complicates efforts to secure and manage corporate data.

Furthermore, in the event of an investigation, companies may struggle to access or preserve necessary communications, which can affect legal compliance and liability. A BYOD policy helps establish guidelines for secure device usage, data protection, and access protocols. These guidelines can mitigate these risks and ensure a structured approach to personal device management.

Going forward, companies should review and update compliance policies as required

Electronic communications have been a part of the business landscape for the last twenty-five years. The DOJ’s new policy is an update to reflect the realities of how communication takes place and that the DOJ intends to capture all electronic communication – whether it’s through a business or personal device. As a result, Anderson Leavitt recommends that companies review their personal device use and record preservation policies. If you don’t have such policies, now is the time to create policies that align with the new DOJ guidance.

Have questions regarding this post or other employer-employee compliance issues? Contact any of our business attorneys at Anderson Leavitt.

This entry is presented for informational purposes only and is not intended to constitute legal advice.