March 8, 2023

Directors’ Personal Devices: Practice Pointers on Corporate Policies

In one of its more recent rounds of corporate criminal enforcement guidance, the DOJ noted that in assessing the effectiveness of corporate compliance programs, “prosecutors should consider whether the corporation has implemented effective policies and procedures governing the use of personal devices and third-party messaging platforms to ensure that business-related electronic data and communications are preserved.”

This Perkins Coie memo follows up on the DOJ’s guidance and suggests some practice pointers when it comes to personal device policies for corporate directors. This excerpt addresses some key points to consider in implementing such a policy:

1. A plain English policy on devices. First, a policy is a must. The DOJ’s guidance specifically tells prosecutors that a company should be examined to see if it had—and was effectively implementing—policies and procedures about the use of personal devices.

If I am a director, I want to see a policy written in plain English so I can tell my chief compliance officer and general counsel that I could understand it. And as a GC, I want to make sure that the author has drafted it in truly plain English.

2. Data access, not ownership. The company probably doesn’t want to own my device and all the data on it. However, it does want to have reasonable access to my device for appropriate purposes, including assistance with any future investigations.

In some instances, I’m fine owning my own cellphone. Some companies will want to give me a phone with a request that I use it only for corporate business. This is normal; I will respect any requested limits of use on that company phone. In either case, I want to make sure that I’m maintaining the data in a way that follows the policy.

For example, if I’m using a messaging program, my company may tell me to limit my communications to business matters and send messages solely on an approved platform that enables retention of the messages. I won’t be permitted to use non-approved messaging channels to send business-related messages.

The memo also emphasizes the importance of appropriate training, board oversight and the need to keep an eye on how state privacy laws continue to evolve. In particular, the memo points out that the California Privacy Act will soon require companies to identify personal or personally identifiable information and be able to separate such information from business records.

John Jenkins