“By incorporating the HR compliance program into the day-to-day operations of the business, companies can implement a living and breathing program where each employee bears responsibility for its success, facilitating a feedback loop of information that allows the program to remain effective for the long haul.”
– Alejandra Montenegro Almonte, Ann Sultan, Nicole Gökçebay, and Alexandra Beaulieu
This week, we navigate the pros and cons of using ephemeral messaging for business purposes and DOJ expectations for preserving data from messaging applications. We learn about updates to the DOJ’s evaluation of corporate compliance programs (ECCP), specifically focusing on ‘consequence management.’ Finally, we explore the real risks of workplace misconduct and consider how strong compliance programs help mitigate these risks.
United States: Preservation Of Ephemeral Messaging For Business Purposes
Ephemeral messaging, like WhatsApp and Snapchat, involves short-lived digital communication that is automatically deleted and end-to-end encrypted. There are three degrees of ephemerality: pure, quasi, and non-ephemeral. Ephemeral messaging reduces data storage and records management, enhances legal compliance, and improves data security. However, there are also legal risks, such as compliance with subpoenas and data preservation when litigation is “reasonably anticipated.” As a result, regulators caution against using ephemeral messaging, and companies should establish effective corporate compliance programs, review document-retention policies, and address ephemeral messaging and mobile device data. While ephemeral messaging has benefits, failing to comply with data preservation and regulatory obligations can have long-lasting consequences.
DOJ Outlines Compliance Expectations Relating to Preservation of Data from Messaging Applications
A new DOJ policy aims to improve the corporate preservation of data generated by employees and executives. The policy seeks to close significant gaps in data collection and review by companies for messaging applications, texting systems, and emails. The DOJ demands that companies tailor communication data policies to their business’s specific risk profile and needs and preserve business-related electronic data and communications to the maximum extent possible. Companies must also demonstrate that they have communicated and enforced policies and procedures, document how they will manage and preserve information on each communication channel, and enforce provisions to preserve employee data. The policy also demands that companies discipline executives and employees consistently for failures to comply with applicable policies and procedures.
The Week That Was in Compliance – The ECCP: Part 2 – Consequence Management
The DOJ has updated its evaluation of corporate compliance programs (ECCP), specifically focusing on ‘consequence management,’ which includes clawbacks and other financial penalties and incentives that can influence employee behavior. The ECCP mandates that prosecutors consider both aspects and that compliance professionals incorporate language beyond clawbacks into their compliance programs. The ECCP also poses questions about clawbacks and consequence management, requiring compliance programs to analyze each component and review executive contracts to determine if clawback provisions are set out. The DOJ ties hotline and speak-up reports directly to a company’s culture of compliance and asks about substantiation rates, closure rates, consistent and fair application of discipline, and root cause analysis. These are concrete steps companies can implement to engender trust with employees that their concerns will be taken seriously and acted upon.
Rethinking Workplace Misconduct in a Changing Compliance Landscape
Workplace misconduct, be it harassment, discrimination, or cultural failings, can have a significant negative impact on a company’s culture, reputation, and employee engagement. Therefore, companies should develop compliance frameworks tailored to their specific operations, risk profile, resources, and culture to prevent these risks. There are seven guiding principles to creating such a framework. The framework should include well-integrated policies, procedures, and training, a sound organizational governance structure, a values-driven culture, periodic risk assessments, an effective reporting and investigation system, and appropriate disciplinary action. Additionally, it should be emphasized that cultural and conduct standards at the top of the organization are essential for ensuring a values-driven culture.