The use of messaging apps, such as WhatsApp for business communications is widespread. Now the US Department of Justice has set a de facto standard for managing the use of such services in the business context in its latest update to the Evaluation of Corporate Compliance Programs (March 2023). And the bar appears to be pretty high: “Policies governing such applications should … ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company.”
The guidance raises some interesting questions that Compliance Departments and their record retention partners should now focus on. For example, “What mechanisms has the company put in place to manage and preserve information contained within each of the electronic communication channels?” A particularly challenging area is messages sent/received by an employee’s own device (referred to here as BYOD - Bring Your Own Device) . What are your company’s policies regarding the use of personal devices for business communications? Is the company permitted to view such messages? How are the policies enforced? Are there exceptions? Does the company require employees to transfer messages from private phones on to company systems to ensure they are preserved? All of this in turn will raise some difficult questions around privacy and practical challenges to enforcement.
Companies will need to consider whether, in light of the latest guidance, they should adapt their policies and acknowledge the use of different messaging platforms (e.g.. WhatsApp, Slack, Wechat or Telegram, among many others), even ephemeral messaging applications, by employees. Whatever preservation or deletion measures the company has in place need to be supported by a robust rationale. Importantly, corporations should train and communicate regarding these policies and procedures and updates, to ensure awareness and facilitate compliance.
As part of their periodic risk assessment updates, companies need to factor in the use of messaging applications and assess whether these applications have impaired in any way the organization's compliance program or its ability to conduct internal investigations.
There is more in the DOJ’s latest update but this area is one which is particularly important for Compliance Departments to focus on, whether within the US or otherwise.
Comments