You can’t capture everything your employees communicate on their personal devices, so conducting a readiness assessment can help you stave off stiff penalties for violating federal record retention rules, white collar crime specialists say.
If you have a bring-your-own-device policy, should you reconsider that? Should you issue devices and require employees to limit business communications to those devices? Should you implement software, such as Smarsh or Proofpoint, to automatically retain texts and other easily deleted messages?
“Prelitigation, pre-investigation, let's just see if your house is in order,” Alison Grounds, a Troutman Pepper partner, said in a podcast hosted by the firm. “What communication platforms are your employees using?”
The Department of Justice focused attention on the use of personal devices and messaging apps when it revised its document retention policy in early March.
Other regulators have hit companies with substantial fines for their use of the technology, including $2 billion in fines imposed on more than a dozen Wall Street firms earlier this year when their employees and managers conducted business using messaging apps.
DOJ has acknowledged there can’t be a single retention policy for all types of companies, so companies must look at their business, risks and existing policies before deciding if they need to make changes.
“We will consider how policies governing these messaging applications should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate, business-related electronic data and communications can be preserved and accessed,” Assistant Attorney General Kenneth Polite, Jr., said in March.
“There is no one-size-fits-all or prescribed way to do this,” Abigail Hazlett, a partner in Troutman’s government investigations and white collar defense group, said in the podcast.
Whatever changes you make, make sure you can explain why you’re doing what you’re doing.
“Prosecutors are looking for companies to articulate the reason why,” Hazlett said.
For example, if you prohibit the use of messaging apps for employees in the United States but not those in another country, can you articulate a reason for the difference?
“Is there a rationale for that?” said Hazlett. “The reasons why are so important for communicating to the Department of Justice.”
As part of any assessment, you need to be clear which teams oversee which aspects of your company’s retention policies and whether that should remain the case.
“Maybe the legal hold policy and suspension policy is owned by legal, but the records retention, acceptable use, the privacy security could be owned by the privacy team or the information governance team,” Grounds said. “Or there could be different business units that have different policies.”
Nor is it enough to revise your policies and train on them; you have to ensure they’re being followed. The huge fines imposed on firms earlier this year, for example, weren’t for the absence of a policy or training but because the policies were being ignored.
“These were very sophisticated Wall Street firms,” Grounds said. “The problem here was the managers instilled with the authority to enforce these compliance programs and to make sure that the messaging and communication was being appropriately channeled were some of the very custodians who were using these offline channels to communicate. And it was rampant.”
You might consider conducting tests to make sure your employees are doing what they’re supposed to be doing.
“The testing may be a random sampling,” said Chris Haley, a managing director overseeing technical discovery and retention matters for Troutman. “Considering that you need to have some verification, it's not enough just to trust and train. You don't need to do a hundred devices a year maybe; it depends on your risk tolerance and risk profile. But not doing anything seems to be a bit concerning.”
The type of business you’re in matters, too. Employees at the Wall Street firms were using messaging apps — so-called off-channel communications — to communicate trading information, a highly regulated area. You can expect your retention policy to look different if you’re in a different business area.
“Your culture, your business, your clients, the regulatory requirements are all going to be factors in determining how you approach this and the risk that you're willing to take or not take and the solutions that you might put in place,” said Haley.
Bottom line: Messaging apps are in the spotlight and regulators have shown they’re prepared to impose big fines, and yet there isn’t a single set of instructions for what your retention policy should be.
So, conduct an assessment of what you’re doing and revise as needed with an eye toward the business you’re in, the type of risk you’re managing and whether what you’re doing is sufficient. Once you have a policy, be confident you can articulate why you’re doing what you’re doing, provide training and test that employees are following it.
“People are texting,” said Hazlett. “They're using Snapchat. They're using WhatsApp. So the DOJ wants companies to be able to respond to requests for business records, by explaining not just what its email systems look like, what its document management systems look like, but how its employees are communicating with each other and what its policies are governing, preserving and accessing those communications.”