There is a growing need for Norwegian businesses to respond to data and information requests originating from outside of Norway, especially from regulators in countries like the US.
Guidelines from the US Department of Justice (DOJ)
Guidelines from the US Department of Justice (DOJ) on anti-corruption and self-reporting are currently a hot issue. With third-party messaging apps and the use of personal devices like mobile phones, this issue has become increasingly challenging.
Avoiding criminal prosecution or minimizing penalties requires proactive planning and action far beyond simply having a compliance program in place. As described in the “Monaco-memo”, both corporate policy and the ability to produce responsive information completely are key factors in determining a company’s liability.
Companies should consider:
1. The need for a thoughtful and clear acceptable use policy
- The scope of the policy must be precise. Consider what elements of communication are subject to retention, e.g. text messages or apps. Employees must be reassured that they are not necessarily surrendering the contents of their entire device, only the information responsive to requests
- Consider whether there is truly a need to record all meetings, and if recording could make them subject to the burden of retention and production. Consider the question: Why should Teams meetings be treated differently from in-person meetings?
- Most importantly – perform due diligence to understand exactly what data needs to be captured in order to meet regulatory and compliance requirements
2. The need for appropriate retention, collection, and review tools
- Use of device management software may need to be supplemented by "middleware" applications that also preserve third-party app communications
- Companies need to have proper knowledge of data collection procedures and availability of forensic defensibility
- Use of industry-proven fact-finding document review tools, like Relativity, to produce only relevant information and in a short time frame
3. Possessing the expertise for responding to cross-border requests for information (RFI)
- It is crucial to have consistently shown a good faith effort throughout the proceeding, including quick action from the beginning
- Explicit understanding of precisely what information regulators are asking for, and which options are available. Regulators tend not to consider who owns a device, but rather who owns the information contained within it
- After review, understand exactly what specific information and data are being produced to the requesting parties
Final thoughts – be informed
Companies need to be aware of the resources, both inside and outside the organization, that can assist in defining a clear and effective acceptable use policy. It is also important to keep in mind the effectiveness and defensibility of the data preservation, collection, and review tools that are available.