Bernstein Data

Email
info@bernsteindata.com

Call
Call Us: +1 (646) 893-1663

An Update to the Growing Regulatory Risk of Off-Channel and Ephemeral Communications

  1. Home
  2. Blog
  3. An Update to the Growing Regulatory Risk of Off-Channel and Ephemeral Communications

Data Privacy

building a data retention strategy that delivers results
ABOUT RANE — RANE (Risk Assistance Network + Exchange) is a global risk intelligence company that provides risk and security professionals with access to critical insights, analysis, and support, enabling them to more effectively anticipate, monitor, and respond to emerging risks and threats. RANE clients benefit from improved situational awareness, more efficient access to relevant intelligence and expertise, and better risk management outcomes. Join the millions who are tapping into the collective wisdom of the world’s largest community of risk and business professionals. For more information about RANE, visit www.ranenetwork.com
 

In November 2022, RANE published an Advisory on the growing challenges companies face in complying with expanding regulations concerning employees’ communications. Since then, there have been multiple developments that warrant an update. The original Advisory referenced a September 2022
speech in which Deputy U.S. Attorney General (DAG) Lisa Monaco announced significant policy changes to the U.S. Department of Justice (DOJ) corporate enforcement strategy, which included an intensified focus on personal device policies and controls and proper document preservation policies and
procedures. The policy changes were announced in tandem with a memorandum released the same day, which detailed the changes.

On March 3, 2023, Assistant Attorney General (AAG) Kenneth Polite announced noteworthy revisions to the DOJ’s Evaluation of Corporate Compliance Programs (ECCP) guidance. The revisions expand on DAG Monaco’s September 2022 comments and introduce new guidance for assessing companies’ compliance
efforts to monitor employees’ use of personal devices and communication platforms. On May 11, federal regulators then illustrated their heightened scrutiny of companies’ communications practices by fining two prominent broker-dealers. To review these developments and provide guidance for companies,
RANE again spoke with Matthew Bernstein, Founder and Information Governance Strategist at Bernstein Data.

What to Know

In a September 15, 2022 speech, DAG Monaco conveyed the DOJ’s increasing concern about the prolific use of certain messaging applications — including encrypted and ephemeral messaging applications such as WhatsApp, Signal and Telegram — by company employees for business purposes. The DOJ
explicitly noted that these types of communications are often conducted through personal devices rather than company-provided or -monitored programs. The rise in remote work and Bring Your Own Device (BYOD) programs has resulted in an environment that may be inconsistent with an effective
compliance program, especially with regard to the potential need to access necessary data and information for audits, reviews or investigations.

In response to these concerns, in March 2023, the DOJ announced revisions to its ECCP to specifically address corporations’ approaches to the use of personal devices and messaging applications. Due to the growing prevalence of these messaging applications and corporate BYOD policies, the DOJ now “expects companies to update their policies and practices accordingly.” Although the ECCP is intended to guide federal prosecutors, it nevertheless serves as a key reference for organizations, and the DOJ will expect organizations to be familiar with its evaluation criteria. To Bernstein, it is clear that the DOJ did not issue the updated evaluation merely as a reminder of the status quo but rather as a pointed notice about the issues it will be most concerned about going forward.

Tweet
Share
Share

About the Author

Matthew Bernstein

Matthew Bernstein has worked at the intersection of business and technology for more than twenty years, to transform organizations and to define, develop, and operationalize information management standards and solutions.

About Bernstein Data

MC Bernstein Data helps companies achieve their objectives related to Information Governance, including data privacy and protection; regulatory, litigation, and consumer responsiveness; information security; acquisitions and divestitures compliance; records management; data licensing management; and operational efficiency.

Learn More