Data Privacy Compliance Can Help Mitigate Criminal Liability, Says DOJ in Updated Guidelines

Apr 19, 2023 | Blog
Partner

Can the state of your company’s cybersecurity and data retention programs affect a prosecutor’s decision about how—or even whether—to prosecute your company? New guidelines for federal prosecutors, announced on March 3, 2023, strongly indicate that the answer is ‘Yes.’ If you need more ammunition in your battle for budget and personnel for your company’s data protection program, this post outlines new arguments that tie that program to the company’s continued viability.

The updated Evaluation of Corporate Compliance Programs (ECCP) guidance for prosecutors was announced on March 3, 2023, by Assistant Attorney General Kenneth Polite, Jr. in his keynote at the American Bar Association’s 38th Annual National Institute on White Collar Crime. Polite said that, under the ECCP, prosecutors will now ask about companies’ policies governing electronic data and communications, and in particular about the preservation and retention of the company’s electronic communications. Significantly, he added: “A company’s answers—or lack of answers—may very well affect the offer it receives to resolve criminal liability.”

When the Department of Justice (DOJ) investigates a company for misconduct, prosecutors weigh the company’s current corporate governance and compliance efforts as factors that can work in its favor, both when deciding whether to bring charges and when negotiating pleas and deferred prosecution agreements. Companies that make good-faith efforts to implement, improve, and remediate their compliance programs and internal controls are treated as “cooperative,” which can lead to a more favorable resolution.

The compliance criteria that prosecutors may consider are set out in the ECCP. In applying them, the DOJ weighs the preventive and remedial steps a company has taken to protect and preserve its information against the company’s risk profile and specific business needs. The updated ECCP now extends beyond general corporate governance measures to address data privacy and data governance specifically: the policies and controls covering electronic data, communications platforms, messaging applications, and personal devices.

Much of this should not come as news. Companies already have many business incentives to prioritize data compliance, data retention and deletion, and cybersecurity risk management. Many customers now require stronger protection of their data as a standard practice and as a condition of doing business. Proper safeguards can be the difference between retaining and winning business or losing it.

In addition, various international, federal, and state legal frameworks require companies within their scope to meet specific requirements for data confidentiality, privacy, and security. These include the European Union’s General Data Protection Regulation (GDPR), which reaches US companies that offer goods or services to, or monitor the behavior of, individuals in EU Member States; the Health Insurance Portability and Accountability Act (HIPAA); the California Consumer Privacy Act (CCPA); the New York Stop Hacks and Improve Electronic Data Security (SHIELD) Act of 2019; and the New York Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500).

The revised ECCP now adds a further incentive for compliance with data regulations: the prospect of more favorable treatment should the company become the subject of a DOJ investigation into misconduct.

The revised ECCP guidance includes a paragraph summarizing what prosecutors should consider with respect to electronic communications:

“Messaging applications have become ubiquitous in many markets and offer important platforms for companies to achieve growth and facilitate communication. In evaluating a corporation’s policies and mechanisms for identifying, reporting, investigating, and remediating potential misconduct and violations of law, prosecutors should consider a corporation’s policies and procedures governing the use of personal devices, communications platforms, and messaging applications, including ephemeral messaging applications. Policies governing such applications should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate and to the greatest extent possible, business-related electronic data and communications are accessible and amenable to preservation by the company. Prosecutors should consider how the policies and procedures have been communicated to employees, and whether the corporation has enforced the policies and procedures on a regular and consistent basis in practice.”

The revised guidance also lists three categories that prosecutors will be looking at when evaluating a company’s compliance initiatives:

Communication Channels: This category looks at the apps and platforms a company uses to communicate. The guidance also emphasizes the methods in place to preserve communications, no doubt a priority for the DOJ because it wants those communications available for review (the word “preservation” appears several times in the ECCP). Preservation is especially difficult for communications sent through apps with ephemeral (i.e., vanishing, self-destructing, self-deleting) message settings. Apps with ephemeral capabilities include Telegram, Signal, Wickr, Confide, Snapchat, WhatsApp, and Facebook Messenger, to name a few of many. In several of these apps the disappearing-message setting is controlled per conversation by the user, and many of them encrypt messages end to end, so a company cannot preserve the content at the network or mail-server layer; preservation depends on which apps and settings the company permits and on controls applied to the devices themselves. The ECCP accordingly directs prosecutors to examine how employees are allowed to use these applications and which settings the company permits.

Policy Environment: The focus here is on the documentation, policies, and procedures that tell the work force how to preserve data from devices that are replaced; whether the company preserves business data stored on employees’ personal devices (BYOD, “bring your own device”) and, if so, how it accesses and monitors employees’ business-related communications, including those sent through messaging apps. Again, the emphasis is on the company’s ability to produce these communications to the DOJ. Indeed, in his speech, Polite warned that “…if a company has not produced communications from these third-party messaging applications, our prosecutors will not accept that at face value. They’ll ask about the company’s ability to access such communications, whether they are stored on corporate devices or servers, as well as applicable privacy and local laws, among other things.”

Risk Management: Does the company discipline employees who refuse to comply with its information management policies? The ECCP also considers whether particular messaging apps and BYOD arrangements may hinder the company’s own internal investigations and compliance regime; the scope of the company’s security safeguards; and whether those safeguards are proportionate to the sensitivity of the company’s business and its data.

The potential ramifications of these changes are numerous, especially because several popular messaging platforms have become the communication method of choice for many businesses, often substituting for traditional email, phone calls, and face-to-face conversations. Under the revised ECCP, the ubiquity of such messaging channels has created entirely new areas of exposure: communications the company cannot preserve or produce may now count against it in a prosecutor’s evaluation.

Public companies, and any company whose industry, work with US government agencies such as the Department of Defense, or countries of operation make it a likely subject of Department of Justice attention, should use the ECCP as a guide to evaluating the state of their information safeguards, particularly how information is secured, shared, and retained.

If you have questions about or need assistance in preparing or revising information systems security and data retention safeguards, please contact Kenneth N. Rashbaum.