There’s been a lot of chatter recently about using ephemeral messaging and off-channel communications. This topic got a lot of air time from SEC Staff members and other panelists at Securities Enforcement Forum West 2023, with the acronym “BYOD” (D for device) repeatedly used throughout the day, highlighting that some companies are rethinking BYOD policies. If this is news to you, this Holland & Knight blog reviews recordkeeping requirements that apply to broker-dealers and investment advisers and recent, related SEC and DOJ actions. Then, the blog goes on to say this:
But what about public company issuers? Currently, under the federal securities laws, issuers are not subject to direct regulations on preservation of business communications. However, much like investment advisers, these types of communications may need to be retained by public companies if they satisfy another statutory recordkeeping obligation. For example, under Exchange Act Section 13(b)(2)(A), issuers are required to make and keep certain books and records that accurately and fairly reflect the transactions and dispositions of the assets of the issuer. But the scope of messages that issuers need to consider retaining may have increased exponentially. As detailed further below, recent DOJ guidance has brought these issues to their compliance doorstep as well.
This new DOJ guidance is from earlier this year. The DOJ expects all companies — not just regulated entities — to maintain and enforce policies to ensure that business-related (note how broad this is) electronic data and communications are preserved and can be accessed. During a DOJ inquiry, it will scrutinize a company’s policy environment and risk management framework around device use and message retention. This means that using certain platforms for electronic communication creates some compliance risks. In light of this guidance, here are some suggestions from the blog for all companies to consider:
– reviewing relevant document retention and other policies to ensure electronic communications are preserved, particularly when there is a threat of litigation or a government investigation
– assessing compliance policies concerning supervisory responsibilities of managers to subordinates
– the implications of a bring your own device (BYOD) policy – whereby employees are allowed to utilize their own devices for company purposes – as such policies are increasingly becoming an early discussion point between defense counsel and government attorneys on the scope of documents under company control
– written personnel certifications that they are complying with preservation and record retention requirements
– implementing, as appropriate, technological restrictions and surveillance programs – and regularly audit them – to ensure compliance with ongoing preservation obligations
– corrective action and employee discipline matrices to address instances of non-compliance
For more information, we’re posting related memos in our “Records Retention” Practice Area.
– Meredith Ervine