Understanding the Game Plan: Your Communication Retention Strategy
In the sphere of corporate communication, regulators do not mandate a uniform retention policy. Instead, they rely on you to craft a persuasive justification for your chosen approach.
Monitoring every communication on your employees’ personal devices may seem impossible, but a readiness assessment could be the difference between navigating safe waters and drowning in hefty penalties for contravening federal record retention regulations, according to experts in the field of white-collar crime.
Considering Your Policies: Is It Time for a Change?
If your company operates on a bring-your-own-device policy, it might be time to reassess that stance. Should the organization provide devices and insist that employees confine business-related communication to them? Or should you turn to software solutions, such as Smarsh or Proofpoint, which automatically save texts and other easy-to-delete messages?
“Prelitigation, pre-investigation, let’s just see if your house is in order,” Alison Grounds, a partner at Troutman Pepper, said during a podcast hosted by the firm. “What communication platforms are your employees using?”
DOJ’s New Focus: Personal Devices and Messaging Apps
The Department of Justice turned the spotlight on the use of personal devices and messaging apps when it revised its document retention policy in early March.
This shift came after other regulators slapped multiple firms with severe fines for technology misuse, with over a dozen Wall Street companies collectively shelling out $2 billion earlier this year for conducting business through messaging apps.
The DOJ has acknowledged the need for flexible retention policies tailored to each company’s unique nature. To determine if changes are necessary, businesses must critically assess their operations, potential risks, and current policies.
“We will consider how policies governing these messaging applications should be tailored to the corporation’s risk profile and specific business needs and ensure that, as appropriate, business-related electronic data and communications can be preserved and accessed,” Assistant Attorney General Kenneth Polite, Jr., announced in March.
“There is no one-size-fits-all or prescribed way to do this,” echoed Abigail Hazlett, a partner in Troutman’s government investigations and white-collar defense group, during the podcast.
The Importance of Transparency: Clearly Communicating Your Rationale
Whatever alterations you decide on, being able to articulate your reasons is crucial.
“Prosecutors are looking for companies to articulate the reason why,” Hazlett emphasized.
For instance, if you ban the use of messaging apps for domestic employees but not for international ones, can you explain the reasoning behind the disparity?
“Is there a rationale for that?” Hazlett asked, emphasizing the importance of these reasons in the eyes of the Department of Justice.
Delegating Duties: Who Handles What?
In any assessment, it’s vital to designate which teams are responsible for which parts of your company’s retention policies and decide whether this setup should continue.
“Maybe the legal hold policy and suspension policy is owned by legal, but the records retention, acceptable use, the privacy security could be owned by the privacy team or the information governance team,” Grounds suggested. “Or there could be different business units that have different policies.”
But it’s not enough to simply revise policies and provide training; compliance must be enforced. Grounds pointed to the hefty fines imposed earlier this year, not for a lack of policy or training, but for ignoring established rules.
“These were very sophisticated Wall Street firms,” Grounds said. “The problem here was the managers instilled with the authority to enforce these compliance programs and to make sure that the messaging and communication was being appropriately channeled were some of the very custodians who were using these offline channels to communicate. And it was rampant.”
Verification and Enforcement: Ensuring Compliance
Companies should consider testing for compliance, perhaps through a random sampling strategy, suggested Chris Haley, a managing director overseeing technical discovery and retention matters for Troutman.
“Considering that you need to have some verification, it’s not enough just to trust and train. You don’t need to do a hundred devices a year maybe; it depends on your risk tolerance and risk profile. But not doing anything seems to be a bit concerning,” Haley said.