Corruption, Crime and Compliance

Electronics Communications Risks in The Era of Ephemeral Messaging

Ephemeral messaging applications like Snapchat, WhatsApp, and Telegram have presented a complex challenge for compliance professionals and legal counsel. On one hand, these technologies can reduce data storage and preservation costs, minimize breach exposure, and allow the prioritization of communications data. On the other hand, they can create blind spots by deleting communications records and seriously obstructing internal investigations. How can companies balance the benefits of ephemeral messaging against the risk of undermining their compliance programs? In this week’s episode of Corruption, Crime, and Compliance, Michael Volkov discusses recent DOJ guidance regarding ephemeral messaging risks and outlines practical steps organizations can take to strike the right balance.

You’ll hear him discuss:

  • Ephemeral messaging can reduce data storage and preservation costs, which can be significant for companies facing litigation or investigations. It also reduces potential breach exposure by deleting data.
  • However, ephemeral messaging can obstruct internal investigations and create corporate blind spots by deleting communications records before they can be reviewed. This undermines compliance programs.
  • DOJ’s guidance outlines several steps companies can take to allow ephemeral messaging while mitigating risks:
    • Understand how the apps delete data and what types of data are stored;
    • Tailor policies on use to your specific risk profile and business needs;
    • Clearly communicate policies to employees and ensure regular enforcement;
    • Examine how policies impact the ability to conduct investigations and respond to subpoenas;
    • Evaluate the overall reasonableness of the risk mitigation strategy.
  • Practical steps to make ephemeral messaging safer include:
    • Restricting use to specific authorized purposes like scheduling;
    • Requiring employees to maintain deletion settings;
    • Conducting periodic audits of devices;
    • Requiring preservation and company access to work communications;
    • Coordinating ephemeral messaging policies with broader data preservation policies.
  • If a company provides devices to employees, it has more control and ability to restrict apps and access data, but even then, steps need to be taken to mitigate risks.
  • BYOD policies are more complex since consent and privacy restrictions may limit what companies can do. However, a BYOD policy still needs to comprehensively address:
    • Preserving data
    • Allowing corporate audits and access
    • Segregating work data where possible
    • Outlining consequences for violations
    • Respecting local privacy laws
    • Getting employee consent
  • With the right policy framework, BYOD can potentially allow ephemeral messaging while protecting data availability.

KEY QUOTES:

“Companies have a vested interest in preserving their internal communications for a variety of reasons, to hold internal actors accountable, or even outside actors sometimes, and to protect the organization from potential private and government claims or investigations that may have serious direct or collateral consequences.” – Michael Volkov

“If the government issues a grand jury subpoena as part of a criminal investigation and the company fails to preserve data generated by use of an ephemeral messaging system, a company could be held liable for failing to preserve data relevant to the criminal investigation. Such consequences can be significant…” – Michael Volkov

“While a company may have limited access to employees’ personal devices when it supplies devices to its employees, the company should regularly secure certifications by its employees that they have not used their personal devices for work-related purposes, with emergency exceptions, of course. Similarly, companies have to develop testing protocols for their BYOD policy and secure employee consent to examine the personal device limited solely to business data.” – Michael Volkov

FCPA Compliance Report

Compliance Lessons from Venice – Doing Compliance The Old Fashioned Way

Today we begin a special holiday podcast series on compliance lessons from Venice. In Part 1, we are doing compliance in the old-fashioned way.

The importance of compliance departments and the simplicity of compliance programs cannot be overstated. These elements are vital in maintaining ethical standards within an organization. An effective compliance program must have a compliance department that is adequately staffed with professionals who can handle the day-to-day compliance work. Tom Fox argues that these departments should not only have the necessary headcount but also the expertise to answer questions and provide guidance to company personnel. Fox also underscores the significance of basic methods in compliance programs, likening them to the simple yet effective block-and-tackle pulley system used in Venice. Join Tom Fox as he delves deeper into this topic in the Compliance Lessons from Venice podcast episode.

Simplifying Compliance Programs: The Power of Basic Approaches

This week I am running a three-part blog post series and three-part podcast series on compliance lessons from one of the most beautiful cities on earth, Venice. We will consider how construction in Venice can inform your compliance program, how the Venice shipbuilding and repair business located in the Arsenale informs both corporate culture and your compliance program, and how Venice created the first modern-day hotline reporting system. In this first blog post and accompanying podcast, we go back to basics by considering the importance of simplicity in compliance programs, drawing a comparison to the simple yet effective block and tackle pulley system used in Venice.

One of the things that has long fascinated me about Venice is how so little of the 21st century has impacted it. Take construction, for example. All materials must be brought to the city via boat, offloaded, and then lifted by hand or by a handmade machine to the upper stories of a building where the residents are located. No one lives on the ground floor anymore, as all the ground floors are now flooded; if the building is not on the water, the ground floor is used as a commercial establishment. Unlike other large metropolitan areas, there is no room for cranes or other large mechanical lifting devices.

I thought about this when I saw workmen lifting up materials through a block and tackle pulley system, which has been in use since antiquity. Not only were these workers doing it the old-fashioned way, but they were also getting the job done. As I watched this most basic level of construction, I thought about some of the things the Department of Justice (DOJ) and Securities and Exchange Commission (SEC) have said about what a compliance department should be doing and how it should be doing it.

Sometimes the most basic and obvious methods are overlooked in compliance programs. The block and tackle pulley system in Venice may seem quaint and old-fashioned, but it still gets the job done effectively. The same concept applies to compliance programs: simplicity can lead to optimal results.

One of the key factors in the importance of compliance departments is the availability of resources. A compliance department must be staffed with an appropriate number of professionals dedicated to the day-to-day work of compliance. This includes answering phone calls and responding to emails promptly. It is not enough to have someone in the seat; they must actively provide guidance and advice on complying with the company’s ethics and compliance program.

Having a live person to answer questions and walk non-compliance individuals through the process is essential. Compliance practitioners must possess the expertise to answer questions that come into the office. The DOJ has emphasized the importance of expertise in compliance functions, stating that it is not just about headcount but also about having knowledgeable practitioners who can provide accurate guidance.

However, balancing the need for resources with simplicity can be a challenge. Compliance departments must find the right balance between having enough staff to handle the workload and avoiding unnecessary complexity. It is crucial to avoid becoming the “land of no” and instead focus on providing practical answers and solutions to compliance-related queries.

Another challenge is ensuring that compliance departments are available and responsive when needed. Compliance personnel must be present to answer phone calls and respond to inquiries promptly. This includes being available on Fridays or during urgent situations. Failure to have someone available to answer questions can undermine the effectiveness of a compliance program.

The comparison to the block and tackle pulley system in Venice highlights the importance of simplicity in compliance programs. Sometimes, the old-fashioned way can be the most effective way. By keeping compliance programs simple and straightforward, organizations can ensure that employees understand and follow the policies and procedures.

Compliance departments are crucial for implementing and maintaining ethical standards within organizations. They provide the necessary resources and expertise to guide company personnel and ensure compliance policies are understood and adhered to at all levels. Simplicity in compliance programs is essential for optimal results, just like the block and tackle pulley system in Venice. Balancing resources, responsiveness, and simplicity can be challenging, but it is necessary to achieve an effective compliance program. By considering the impact on employees and making decisions that prioritize simplicity, organizations can create a culture of compliance that is both effective and efficient.