Crackdown on companies failing to preserve business communications on messaging apps
In September 2022, the Department of Justice (DOJ) announced several significant updates to its criminal enforcement program. The DOJ emphasized that in order to receive cooperation credit, corporations should have proper document preservation policies and procedures in place to timely preserve, collect, and disclose relevant documents located in the U.S. and overseas.
The DOJ’s policy updates coincide with the Securities and Exchange Commission’s (SEC) and the Commodity Futures Trading Commission’s (CFTC) enforcement actions penalizing corporations for failing to monitor and preserve business communications conducted through instant messaging platforms (such as WhatsApp) on their employees’ personal devices.
Corporations should pay attention to their current compliance programs and policies to ensure that they adequately monitor and preserve all relevant business communications.
Corporations must timely preserve, collect, and disclose relevant documents to the DOJ to receive cooperation credit
In September 2022, the DOJ issued updated guidance clarifying the factors that the government will consider when pursuing resolutions with corporations (see our prior client alert discussing these updates in detail). In particular, corporations seeking cooperation credit must “timely preserve, collect, and disclose relevant documents located both in the US and overseas.” Corporations will receive cooperation credit if they are able to navigate foreign data privacy laws and blocking statutes to produce documents located overseas. Corporations that use such foreign laws to shield misconduct and subsequently fail to produce foreign evidence may not receive such credit.
This guidance also instructed DOJ prosecutors to consider whether a corporation has implemented an effective compliance program regulating the use of personal devices and third-party messaging platforms to ensure that business-related communications are preserved. As part of its program, a corporation should train employees on its compliance policy and should discipline employees for violations. The DOJ expects a corporation to be able to collect and provide to it non-privileged responsive documents, including work-related communications (e.g., texts, e-messages, and chats) and data contained on phones and tablets that its employees use for business purposes.
The DOJ emphasized that the frequency with which personal devices and third-party messaging platforms are used for business communications poses “significant corporate compliance risks, particularly as to the ability of companies to monitor the use of such devices and to recover relevant data from them during a subsequent investigation.” The DOJ plans to issue further guidance on best corporate practices regarding the use of personal devices and third-party messaging platforms.
The SEC and CFTC have fined corporations nearly $2 billion for failures to monitor and retain business communications on messaging platforms
The DOJ’s focus on how corporations handle messaging applications on employees’ personal devices coincides with similar scrutiny by the SEC and CFTC.
Since 2021, the SEC and CFTC have been conducting industry-wide investigations across Wall Street firms to ascertain whether they have been adequately monitoring and retaining business communications conducted through messaging platforms on personal devices. So far, the SEC and CFTC have fined more than a dozen Wall Street firms nearly $2 billion for “widespread and longstanding” failures to monitor and retain such business communications.
These firms admitted that for a number of years their employees routinely communicated about business matters on their personal devices, including through text messages, WhatsApp, Signal, and personal emails. Although regulated entities are required to retain employees’ work messages, none of these records were preserved. The failings were widespread and implicated employees across multiple levels of management within these firms, including supervisors and executives. In addition to the financial penalties, each of the firms agreed to retain compliance consultants to conduct comprehensive reviews of their policies and procedures relating to the retention of business communications found on employees’ personal devices and their frameworks for addressing non-compliance by employees. The director of the SEC’s Division of Enforcement, Gurbir S. Grewal, stated that these newly implemented measures will help prevent violations going forward. Grewal also stated that the enforcement actions, both in terms of the firms involved and the size of the penalties ordered, “underscore the importance of recordkeeping requirements: they’re sacrosanct. If there are allegations of wrongdoing or misconduct, [the SEC] must be able to examine a firm’s books and records to determine what happened.”
These enforcement actions by the SEC and CFTC illustrate the enforcement agencies’ ongoing commitment to protecting market integrity. In December 2021, the SEC and CFTC similarly brought enforcement actions against another large firm for failing to preserve employees’ written communications. SEC Chair Gary Gensler stated that recordkeeping obligations are an essential part of market integrity and a foundational component of the SEC’s ability to conduct market oversight. The SEC has continued to encourage corporations to proactively examine their document preservation policies and procedures, and to self-report failures to the SEC before the agency itself identifies violations. As early as 2018, the SEC issued guidelines to help corporations comply with their recordkeeping obligations in relation to the use of electronic messaging, such as text, instant messaging, and personal email, for business communications. Examples include prohibiting business use of messaging apps that allow employees to communicate anonymously, disallowing the automatic deletion of messages, and prohibiting third-party viewing or back-up. Where the use of personal devices for business purposes is permitted, there should be policies regulating such use in relation to messaging applications, texting, and personal emails. Corporations should include a statement in their internal policies informing employees that violations may result in disciplinary action, including dismissal.
These U.S. enforcement agencies are likely to expand their recordkeeping probe into other industries. Much of the world worked from home during the Covid-19 pandemic and more corporations adopted a hybrid work model, which makes it harder for corporations to monitor and preserve employees’ business communications. The use of personal devices and messaging platforms (such as text messages, WhatsApp, Signal, Line, and WeChat) is also widespread in many industries subject to the supervision of these U.S. enforcement agencies.
Enforcement agencies in the UK and APAC also require companies to monitor and retain business communications on messaging platforms
Corporations operating in the UK and the Asia-Pacific region should be aware that enforcement agencies in these regions are also actively requiring corporations to monitor and retain work-related communications conducted through messaging platforms on personal devices.
In 2021, the UK’s Financial Conduct Authority issued a guideline reminding corporations that they should have appropriate recordkeeping procedures in place for their employees working remotely.
In Asia-Pacific, enforcement agencies have similarly issued guidelines requiring corporations to monitor and retain business communications. For example, in 2019, the Monetary Authority of Singapore issued a guideline stating that “electronic communication channels, such as messaging platforms, are increasingly common and may require the use of sophisticated monitoring tools. Records of such communications should be made available to [compliance] staff for their review and active monitoring.” A Singapore financial market industry group also issued a best practice guide reminding corporations to “provide personnel with clear guidance on approved modes and channels of communication.”
In 2020, the Australian Securities and Investments Commission issued guidelines addressing recordkeeping risks associated with remote working. Companies should ensure that employees use only company-authorized communication channels for business communications and that such communications are monitored.
Further, in 2021, the China Securities Regulatory Commission (SRC) imposed the maximum fine of RMB 300,000 (around $50,000) on a company for its failure to monitor and retain more than half of its employees’ business communications conducted through WeChat. In early 2022, the SRC fined another company the maximum amount for failing to retain business communications in multiple WeChat groups.
Data privacy laws and blocking statutes
As mentioned above, the DOJ’s guidance noted that companies may need to navigate foreign data privacy laws and blocking statutes to produce relevant materials located outside the U.S., as they can create barriers to sharing documents with the DOJ.
Corporations operating in multiple countries should therefore be aware of local data privacy laws and blocking statutes when responding to U.S. enforcement agencies’ document requests and investigations. Failure to comply with local regulations could result in significant penalties and reputational harm. For example, corporations must obtain prior approval from the Chinese government before transferring data stored in China to a foreign enforcement authority. The standards for obtaining such approval are currently unclear and may be left to the discretion of the Chinese government on a case-by-case basis (see our prior client alert discussing China’s data blocking statutes).
Corporations must also understand and comply with the fragmented data privacy laws in Asia-Pacific before accessing and retrieving business communications on their employees’ personal devices. These devices typically contain both business data and employees’ personal data, such as personal messages, emails, photos, and bank account details. For example, China imposes a stringent requirement on corporations to obtain consent from individuals before they are able to collect and process personal data. By contrast, other Asia-Pacific countries provide for certain exceptions to obtaining employees’ consent. For instance, in Singapore, consent is not required to collect personal data where it is necessary for any “investigation,” and where it is reasonable to expect that seeking the individual’s consent would compromise the availability or accuracy of the personal data. In South Korea, employees are not required to obtain consent where it is necessary for them to comply with their legal obligations…