Consumer and business preferences have for years shifted away from traditional desktop email and Internet use and onto the smartphone, driven by the development of applications that offer a more powerful set of functions. The convenience of using smartphone apps for personal communications, social media, online shopping, travel, finance and other services has not only changed the online consumer experience but has also affected business practices.
Many apps – nicknamed super-apps – interact and combine multiple features together, allowing seamless interaction between colleagues, customers, suppliers and other business parties through shared chat groups, providing efficient platforms to negotiate terms and circulate documents and records. Some of these super-apps are expressly designed for business collaboration. In some emerging economies and other jurisdictions, local employees are abandoning email and starting to communicate both business and personal affairs exclusively via smartphone apps.
However, conducting business communications through a personal smartphone or personal smartphone app account presents grave legal, compliance and risk-management challenges. Like a personal email account or private telephone, an employee's personal smartphone app account generally lies outside an employer's IT networks. As a result, massive amounts of data generated by smartphone apps under these circumstances – for instance, regarding payments or confidential communications – may be stored on third-party servers inaccessible to the employer, frustrating efforts to preserve and evaluate evidence in the face of regulatory probes or litigation. When data is not protected within the employer's network security systems, the risk of unauthorized access or disclosure grows. Furthermore, live communications through some smartphone apps take place outside of the employer's network surveillance functions designed to detect prohibited online activities on a real-time basis. If the company's legal documents and records are forwarded or distributed to employees via some smartphone apps, there is also the risk that attorney-client privilege may be waived. Additionally, in some jurisdictions, government regulators have real-time access to smartphone app chat conversations and apply keyword searches to monitor activity. This may result in company data being inadvertently disclosed to third-party regulators.
With the adoption in November 2017 of a new Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy, the US Department of Justice (DOJ) confirmed its expectation that companies restrict the use of third-party apps for undocumented business communications. Pursuant to the FCPA Enforcement Policy (the Policy), if a company has "voluntarily self-disclosed misconduct in an FCPA matter, fully cooperated and timely and appropriately remediated," then there is "a presumption that the company will receive a declination absent aggravating circumstances" or a substantial reduction in penalty in the event of aggravating circumstances.
However, the Policy stipulates that certain compliance measures "will be required for a company to receive full credit for timely and appropriate remediation." Among them: "prohibiting the improper destruction or deletion of business records, including prohibiting employees from using software that generates but does not appropriately retain business records or communications." The DOJ's admonition reflects past experiences with evidentiary trails dead-ending with third-party messaging platforms or smartphone apps in foreign jurisdictions, all of which may be considered "software" under the Policy.
Outright prohibiting the use of third-party smartphone messenger apps and other apps might be ideal for managing data security and compliance risks, but that approach may not be commercially realistic. This is particularly true in jurisdictions where, for legitimate reasons of efficiency and convenience (as opposed to nefarious purposes of concealing misconduct), certain smartphone apps have become the dominant modes of business communication.
This is why prudent companies are seeking to ensure effective documentation and control of any business use of smartphone super-apps. This approach may entail a combination of formal policies defining permissible uses of smartphone super-apps, procedures for monitoring and verifying compliance, and technological solutions designed to ensure that any employee use of smartphone super-apps for business purposes is appropriate and properly documented. Such policies should conform to local employment laws and data privacy standards.
With the widespread adoption of smartphones, multinational companies operating in diverse markets around the world may be exposed to heightened compliance risks, particularly in light of the Policy. Now may be a good time to re-evaluate whether these practices are prevalent within your organization and what steps the company may take to mitigate these risks.