Our recent blog about the DOJ’s new guidance on personal devices and third-party messaging had me thinking about how I’ve personally been handling this new world of directors and personal devices. Here’s why: This concept is not so new, but rather is an extension of the job directors have had for almost 50 years to oversee a public company that maintains appropriately detailed books and records.
Below are some practice tips from a director’s perspective, as well as how a General Counsel might provide guidance to their board:
1. A plain English policy on devices. First, a policy is a must. The DOJ’s guidance specifically tells prosecutors that a company should be examined to see if it had—and was effectively implementing—policies and procedures about the use of personal devices.
If I am a director, I want to see a policy written in plain English so I can tell my chief compliance officer and general counsel that I could understand it. And as a GC, I want to make sure that the author has drafted it in truly plain English.
2. Data access, not ownership. The company probably doesn’t want to own my device and all the data on it. However, it does want to have reasonable access to my device for appropriate purposes, including assistance with any future investigations.
In some instances, I’m fine owning my own cellphone. Some companies will want to give me a phone with a request that I use it only for corporate business. This is normal; I will respect any requested limits of use on that company phone. In either case, I want to make sure that I’m maintaining the data in a way that follows the policy.
For example, if I’m using a messaging program, my company may tell me to limit my communications to business matters and send messages solely on an approved platform that enables retention of the messages. I won’t be permitted to use non-approved messaging channels to send business-related messages.
3. Where’s the training? I’ll take it! As a director, I am aware that I should set the right “tone at the top” and personally follow our compliance policies. So, if my company offers training, I’ll take it. The training should identify the business communication platforms that allow retention of, and access to, business-related communications, and it should encourage trainees to stick to those platforms.
4. I’ll watch out for California and other states. I’ll be alert to changes in California and other state privacy law protections. The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), will soon require companies to identify personal information (PI, often called personally identifiable information or PII) and to be able to separate that PII from business records.
The company will need to access business records on my device as part of its obligation as a public company to maintain accurate “books, records, and accounts.” Where will these state privacy changes lead? I’ll wait for the compliance team at the company to alert me.
5. Board committee oversight a must. In addition to following this myself, I want to make sure that my board—and the appropriate board committee (probably the audit or another compliance-focused committee)—gets periodic reporting about director use of devices. This is an aspect of my duty of care as a director and of my company’s obligation to maintain books, records, and accounts.
6. New wine in old bottles: the trick of applying a 45-year-old law to brand new devices! The company’s obligation to maintain books, records, and accounts dates back almost 50 years to the adoption of the Foreign Corrupt Practices Act (FCPA) in 1977. What’s new, and what we’re all wrapping our heads around, is that the FCPA’s duties to keep books and records apply to new-technology devices that no person would have dreamed of back in 1977 (other than big fans of science fiction, perhaps).
The FCPA’s “books and records” provision (Section 13(b)(2)(A) of the Securities Exchange Act) is not limited to records that are foreign, and certainly not to records that are corrupt! It requires a public company to keep books, records, and accounts that accurately and fairly reflect its transactions in reasonable detail, whatever the subject matter. This broad definition of “books and records” has always brought a significant corporate responsibility with it. To the board, it brings a duty of oversight. The more recent need to track messaging on personal devices is just the latest iteration.
In conclusion, as a director, I will endeavor to:
• Make sure that my company maintains accurate books and records.
• Make sure that my company has a compliance policy and related training, both simple enough for me to understand.
• Display leadership by enthusiastically complying.