Executives at Risk… WhatsApp with That?
By Stephen Toland, Attorney / Head of Austin Office
The U.S. Department of Justice (DOJ) continues to make corporate criminal enforcement a top priority in 2023. The latest corporate compliance guidelines, issued by Deputy Attorney General Lisa Monaco in September 2022 and again in March 2023, address the risks of employee personal conversations on encrypted chat applications such as WhatsApp – risks that apply to personal conversations of all employees, including top executives. As awareness of this measure increases, organizations should create policy to minimize their risk should they find themselves part of a DOJ investigation.
What Brought This About?
The impetus behind the ban on encrypted messaging apps is the apps’ inability to retain messages after they are sent, frustrating DOJ prosecutors in their efforts to investigate white collar crime. These apps are widely used because they are more efficient and can expedite communications across time zones. However, the encryption feature is also attractive to those who want to communicate information that may be unethical.
Many multinational companies have already tightened their messaging policies in accordance with the Foreign Corrupt Practices Act (FCPA). In 2017, the DOJ demanded that companies seeking cooperation credit in FCPA cases prohibit employees from using apps that don’t properly retain messages. Those rules were relaxed in 2019.
Deputy Attorney General Monaco’s recent directive marks a return to a tougher approach – one under which merely having a policy that disfavors unmonitored chats won’t be enough for the DOJ.
Corporate Compliance Guidance
The 2023 DOJ Evaluation Guidance provides prosecutors with key factors to consider as they evaluate corporate compliance programs facing a criminal resolution. Monaco advised that “all corporations with robust compliance programs should have effective policies governing the use of personal devices and third-party messaging platforms.”
Those factors include:
- All employees should be interviewed to determine if employees are talking about work on external messaging apps;
- Current policy should be reviewed and updated to include messaging on third-party apps, in compliance with DOJ guidance;
- New and existing employees need to be trained on the importance of complying with the new policy;
- New compliance policy should be reviewed consistently, including an update to the employee handbook and posting the policy in public spaces at work;
- Supervisors and managers should be trained on how to apply workplace policies in a fair and consistent manner for employees who continue to use external messaging apps for work communications; and
- Voluntary self-disclosure of misconduct is recommended as the clearest path for a company to avoid a guilty plea or an indictment from the DOJ.
These guidelines set an expectation that company leadership will identify to DOJ prosecutors those individuals connected with corporate misconduct in a timely manner to receive cooperation credit. Additionally, they assume that prosecutors should try to resolve individual investigations prior to entering a corporate resolution.
If a company finds itself in the midst of a DOJ investigation, more lenience will be shown to corporations with strong compliance programs that are tested, effective, adequately resourced, and fully implemented. Businesses that do not incorporate these guidelines into their corporate culture and turn a blind eye to them will instead see a more serious outcome from the DOJ.