Corporate compliance chiefs and general counsel are bombarding outside attorneys with questions about how to design a policy to retain employee messaging on encrypted software, white-collar lawyers say.
The intensifying dilemma for companies is fueled by recently stepped up Justice Department pressure in white collar investigations to produce encrypted chats on apps like Signal and WhatsApp. The enforcement push follows a wave of civil settlements on Wall Street over bankers’ inaccessible messages.
“To the extent this was a hot topic, it’s going to be even hotter,” said Brian R. Michael, a Los Angeles-based partner in Morrison Foerster’s investigations and white collar defense practice.
Clear solutions remain elusive. A DOJ policy announced March 3 directed prosecutors to levy steeper penalties against firms under investigation that are unable to preserve workers’ business-related messages.
Companies are struggling to determine if the benefits of obtaining such information, which is often buried in unmonitored devices or gets deleted by disappearing software, are worth the delicate, expensive effort.
‘Brick Walls’
Michael, formerly chief compliance officer for 21st Century Fox, said people in his prior role were already getting C-suite resistance about what’s feasible before the DOJ formalized its policy. But in-house lawyers and compliance officers now have a “compelling data point” to share with executive leadership “that the Justice Department means business.”
The ordeal was on display at the American Bar Association’s white-collar crime conference earlier this month, when one Fortune 500 executive raised concerns to a Justice Department attorney panelist about the ubiquity of ephemeral communications.
“If you say to a potential client, ‘you know, actually, can you email me instead?’ They’re going to look at you like you’re crazy,” said Sarah Levitt, chief compliance officer at a global consulting company, during a panel question-and-answer session.
DOJ presenter Lauren Kootman, an assistant chief in the criminal fraud section, recognized the burdens for business. “It’s a challenge on our end, too,” Kootman replied.
Kootman recalled her time in private practice “running into brick walls” when “communications went ephemeral,” noting it’s a “problem that we’re all trying to solve together.”
Some prosecutors have succeeded at breaking through ephemeral software to recover chats, such as in cases tied to the Jan. 6 Capitol insurrection. But such potential evidence continues to foil DOJ in many other instances, attorneys say.
‘Risk-Based’
Non-financial services entities, which aren’t regulated by the Securities and Exchange Commission, remain under no federal requirement to hand over employee communications to prosecutors.
But the inability to do so or to demonstrate enforceable internal protocols to retrieve those messages, could lead to harsher corporate resolutions, such as higher fines and guilty pleas, under the DOJ policy.
That approach is forcing companies to weigh their chances of facing a criminal probe against their appetite for alienating a workforce by collecting their personal phones, said defense attorneys who’ve been fielding client calls on the topic.
“There are concerns over how to strike the right balance between employees having a sense of personal privacy at work, and not feeling like their employer is Big Brother, versus a company’s interest in complying with the new guidance,” said Henry Van Dyck, who oversaw market integrity investigations at DOJ and is now a partner at Faegre Drinker. “That’s a difficult balance to strike for many companies.”
Jennifer Kennedy Park, a white-collar partner at Cleary Gottlieb in New York, called it a “risk-based decision.”
“I think a lot of companies are thinking, ‘What are the odds that I end up in front of the DOJ? Should I be treating my employees as though they are all potential criminals?’” she said.
Company policies vary over how closely, if at all, they surveil worker communications on their phones. That includes communications provided or subsidized by employers, or on company-provided software downloaded onto personal devices.
Challenges and cost-benefit analyses are unique to a company’s size, said Celia Cohen, a former federal prosecutor in Brooklyn and associate general counsel at JPMorgan Chase.
A multinational would more likely have the resources to provide phones or purchase monitoring software, but would have a tougher time accounting for a larger, dispersed workforce, said Cohen, now a partner at Ballard Spahr in New York. Smaller firms may not be able to afford the technology, while being less likely to face a government investigation.
Employee Phones
The department made clear that the mere existence of a policy won’t be sufficient. Prosecutors want to see policies enforced consistently across a company, and will examine whether workers who refused to produce their phones faced consequences.
“That’s the area that’s going to be the most challenging,” said Kennedy Park. “If you have a policy that says you cannot use ephemeral messaging platforms for business-related communications, the only way to surveil that is to take somebody’s personal phone.”
From there, the matter tends to go down a time-consuming path due to collateral consequences from attempting to seize workers’ phones, attorneys say. That can include employees demanding personal counsel—financed by their employer—to review their devices before handing them over.
No matter how sophisticated the strategy to retrieve encrypted messages, success will always be limited by a reality in white-collar crime: Intentional corporate wrongdoers constantly find new communication methods to evade government attention.
“There are people who are careless who would talk about these illicit activities on their company email and apps. You want to have that system in place to catch the low-hanging fruit,” said Hui Chen, a former DOJ compliance consultant who now advises companies at Ropes & Gray. “But let’s think about what percentage are you catching, in terms of all the illicit activities?”
To contact the reporter on this story:
To contact the editors responsible for this story: