Under the guise of corporate compliance, federal prosecutors are making a clear grab for control over how Americans communicate at work, says compliance and ethics author and speaker Joe Murphy.
The government has apparently decided it can use compliance programs as a lever to get us to control how we communicate. This goes under the tech-sounding words “ephemeral and off-channel communications.” But is this just a simple compliance policy implementation question? No. The DOJ is overreaching and misusing its authority in leveraging compliance programs to tell us how we should and should not communicate by adding ephemeral messaging to its “Evaluation of Corporate Compliance Programs” guidance.
Here are 10 reasons why this is problematic:
- In the US, the financial services industry has rules about recording and keeping records of communications. There is no law in the US that requires all other companies and organizations to do this.
- The government is using compliance programs as a lever to extend these narrowly targeted rules to everyone else. There is no legislation supporting this. There has been no consideration of the First Amendment threat from the government attempting to regulate how we communicate.
- There are already laws that cover the government’s concerns: We cannot obstruct investigations or engage in misprision of felony. Company policies only need to cover this.
- There is no limit to how far this goes. Every organization is subject to using compliance programs as a defense. So the compliance leverage applies everywhere: churches, nonprofits, unions, political parties. The government apparently has not even thought about this.
- This is not just about having a policy. The DOJ says we must act “to the greatest extent possible” to preserve these communications. That means every aspect of a compliance program applies to enforce DOJ’s demand: audits, monitoring, training, discipline, risk assessment, helpline calls, evaluations of success, etc.
- Controlling how everyone in an organization communicates and records their communications is a fool’s errand. As difficult as the compliance job is, this will destroy the compliance program’s credibility and divert it from preventing real crimes and misconduct.
- There is no limit to what this covers. What about Zoom calls and other video chat? If all it takes to record is to click the record button, then this would certainly be covered. Why not also require that all face-to-face communications be written up? There is no stopping point.
- This flies in the face of rules and laws relating to privacy. GDPR, for example, directs that records relating to people be kept only when needed. Because no law requires such vast retention, there is no legal defense. Imagine how much personal information would be retained if every Zoom call, including those taken from home, had to be retained.
- The record volume is enormous, with substantial costs and strains on already overworked IT staff. Consider how much volume would be created just by recording Zoom calls. The more communication is retained, the greater the risks from cybercrime.
- The DOJ tried this type of back door path once before, attempting to eviscerate attorney-client confidentiality by conditioning prosecutorial leniency on waiver of privilege protection. Congress reacted and the DOJ completely backed away.
Time has passed and perhaps the privilege waiver lesson has been forgotten. But each of these efforts, in its own way, was an abuse of power. And each deserves the same fate. For a push this broad and intrusive, perhaps we need to let the people, through their elected representatives, decide what standard they want to apply. We value our right to communicate in confidence with our legal counsel. And we value the right to communicate how we want, whether to document how we communicate and whether our job is to create and retain evidence for governments to use against us.