The DOJ has softened its stance on the Snapchats of the app world, and in the process may have made things harder for compliance
As much as we think we crave choice, sometimes life is easier when choices are made for us.
Such might turn out to be the case with a recent U.S. Department of Justice decision on ephemeral messaging apps. Ephemeral means temporary. With an ephemeral messaging app, messages sent between users are exactly that: temporary. They disappear after a certain period of time. Ephemeral messaging may also involve encryption. Ephemeral messaging apps include Snapchat, Signal, and WhatsApp. Some are strictly for use on mobile devices. Others, like Confide, can also be used on a desktop. Wickr promotes an enterprise-ready version of its platform.
In 2017, the DOJ—as part of its Foreign Corrupt Practices Act Corporate Enforcement Policy—decreed that employees were prohibited from using ephemeral messaging apps. This is the original language:
"Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications."
The potential reward for complying with this prohibition was significant. When a company is found by a prosecutor to be in violation of the FCPA, the prosecutor can offer a deferred prosecution agreement, or DPA. A DPA is a pre-prosecution agreement made between the prosecutor and the company, under the supervision of a judge, which allows the company to avoid prosecution provided it meets certain criteria. These criteria typically include the company having followed applicable guidelines as set forth in the FCPA Corporate Enforcement Policy. In 2017, that meant firms avoiding ephemeral messaging apps altogether. Doing this was no guarantee that an organization under threat of prosecution would instead get a DPA, but it would count strongly towards that highly desirable outcome.
Simple, then. Decision made for you. Well, until March of this year, that is, when the DOJ updated its FCPA Corporate Enforcement Policy language to read:
"Appropriate retention of business records, and prohibiting the improper destruction or deletion of business records, including implementing appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications."
So the language changed from an outright prohibition on ephemeral messaging apps to placing the burden on the company to implement appropriate guidance and controls on their use. Of course, any such guidance can only apply to apps used on a company device (which doesn't necessarily mean employees aren't conducting business on their personal mobile phones using Snapchat unbeknownst to their employers, but there's little that can be done about that).
DO WHAT COMES NATURAL
While no company ever plans to be found in violation of the FCPA, those companies that operate in spaces where the potential exists must now take into consideration whether to allow the use of ephemeral messaging apps. And those companies that do allow them must now determine exactly what "appropriate guidance and controls" on their use means. Not so simple anymore.
It's yet another regulatory grey area for compliance to negotiate. And compliance officers probably feel they have enough of those already. Why the sudden switch in approach by the DOJ? The original policy had only been in place for about 15 months. Nat Edmonds, a former member of the Justice Department's Foreign Corrupt Practices Act unit, recently told The Wall Street Journal: "The DOJ is limited by a desire not to be too prescriptive, but [this is] also because the technology is changing so fast."
And maybe that's it. It's hard to stop the march of technology. Software companies can rise and fall with amazing speed. Applications come and go. And even if an app has been around for a while, it's likely in a constant state of evolution. Further, outright bans don't often work in the long run, whether in personal or professional spaces. When people, and organizations, are determined to do something in a certain way, they often do it, prohibited or not. So maybe the DOJ is merely bowing to reality in this situation.
But regardless of the DOJ's motivation, what's a compliance officer to do? "In practical terms," offer Nate Lankford and Dawn E. Murphy-Johnson in The FCPA Blog, "the revised policy suggests that companies should apply common compliance design and implementation approaches to develop risk-based communications and messaging platform controls." In other words, compliance officers should do what they always do, in any space in which they're responsible for managing risk. Lankford and Murphy-Johnson go on to make four specific recommendations, each of which will be very familiar to any veteran compliance officer:
- MAKE A RISK ASSESSMENT – Take an inventory of all the messaging platforms currently used by the company in its official operations. Determine how the apps are used, what kinds of data they generate and store, and the legal obligations to maintain and/or restrict the use of that data.
- DEVELOP WRITTEN GUIDELINES – Based on the risk assessment, put the firm's desired policies regarding the use of ephemeral messaging apps into writing. Address permissible communications, company access to data, and data retention and destruction.
- TRAIN AND COMMUNICATE – Roll out the new policies and procedures, and maintain organizational awareness of them, with an appropriate amount of training. And get the word out on the new guidelines with an equally appropriate amount of communications.
- MONITOR AND TEST – Ensure your employees are actually following the new policies and procedures regarding ephemeral messaging apps with ongoing monitoring and testing. This will also help ensure any gaps are promptly identified and fixed.