Information governance (IG) is a key corporate strategy than can help companies realize the value and minimize risk from the data they generate and receive. This is evident from the guidance on antitrust compliance programs the U.S. Department of Justice (DOJ) recently promulgated. Companies with an IG program including information retention policies and education on inappropriate document destruction stand a much greater chance of obtaining relief from antitrust violations than enterprises lacking IG measures.
DOJ Antitrust Guidance and Information Governance
DOJ antitrust compliance programs have traditionally applied to companies seeking leniency. Now, however, DOJ’s programs will also apply in the charging and sentencing stages, as announced on July 11, 2019, by Assistant Attorney General Makan Delrahim. In the updated guidance, DOJ’s Antitrust Division provides key details on how it evaluates antitrust compliance programs. While program design, implementation, and effectiveness are the dominant factors, the guidance also emphasizes information governance as a key aspect of an effective antitrust compliance program.
The DOJ guidance provides direction on a number of different antitrust issues. That direction is memorialized in nine factors that DOJ will use to determine whether a company has implemented an operative antitrust compliance program. IG measures are prominently featured among the factors that characterize such a compliance program.
Factor 1: Design and Comprehensiveness
As an initial matter, the guidance cautions against a so-called “paper program” and insists that compliance programs should include controls that reduce the risk of antitrust violations. IG is an important aspect of such a program. Corporate information systems that track or otherwise memorialize key data (such as in a data map) can demonstrate the existence of such controls. For example, DOJ will consider whether an enterprise has “a way of tracking business contacts with competitors or attendance at trade association meetings, trade shows, and other meetings attended by competitors” and whether the company typically monitors that “tracking system.”
In addition, DOJ will consider whether a company has “clear document retention guidelines” and training for employees on the implications of “ document destruction and obstruction of justice.” IG measures such as an information retention policy, together with a reasonable retention schedule and related practices, may help establish what information exists inside a company at a point in time. Legal hold programs can also facilitate the preservation of information as legally required in the event of an investigation or litigation.
Factor 4: Risk Assessment
The risk assessment factor considers whether companies have designed their compliance programs to “detect the particular types of misconduct” to which they are most susceptible. Among the many risks that could pose compliance hazards for companies, DOJ spotlights “new methods of electronic communication” as an especially troublesome issue:
For example, as employees utilize new methods of electronic communication, what is the company doing to evaluate and manage the antitrust risk associated with these new forms of communication?
DOJ appears to be targeting the growing use of mobile communication applications, workplace collaboration tools, and ephemeral messaging among enterprises. While not specifying measures to address the challenges these tools present, DOJ’s directive to “evaluate and manage” this risk signals the need for IG measures that can substantiate the good faith use of such technology. Regarding, for example, ephemeral messaging, such measures could include a written policy that sets out the company’s legitimate business needs for this communication tool. The policy would additionally discuss the benefits and risks of the technology and identify appropriate risk mitigation strategies the company has implemented.
Factor 6: Periodic Review, Monitoring, and Auditing
This factor spotlights the importance of regular monitoring and audits to ensure that employees are actually complying with program requirements and objectives. This includes “periodic review of documents/communications from specific employees.” Such a review or audit of documents and communications from company employees is an important part of an effective IG program in which companies seek to determine whether employees are complying with procedures designed to address the use of information. This often includes, among other things, information retention policies, BYOD procedures, social media protocols, and practices regarding the use of mobile communication tools.
Factor 9: Remediation and Role of the Compliance Program in the Discovery of the Violation
A final factor that interplays with IG is remediation. Under this factor, DOJ emphasizes that a compliance program’s effectiveness is often determined by its ability to both prevent and remediate harm from antitrust violations. One particularly useful IG element that DOJ highlights in this regard is—once again—the need to train company employees “on the ramifications of document destruction and obstruction of justice.”
IG is Essential for an Antitrust Compliance Program
As the DOJ guidance makes clear, IG is an essential aspect of an effective antitrust compliance program. Companies should accordingly seek to bolster their compliance programs with IG measures.
Before doing so, a company should conduct an assessment to determine whether there are any deficiencies with its present IG program. An assessment by IG experts that provides guidance on weaknesses and areas where measures can strengthen compliance will help a company determine the next steps for addressing the issues. For example, an assessment should reveal whether an existing data map or retention policies are both current and reasonable such that they would further a company’s compliance goals and satisfy DOJ inquiries.
An assessment may also reveal whether policies and protocols regarding the use of mobile devices and communication applications are sufficient to satisfy DOJ guidance. This step is critical given the current proliferation of ephemeral messaging and other encrypted communication apps. While these apps do much to facilitate compliance with data protection laws and reduce digital clutter, they may also create an opaque compliance environment and prevent the type of recordkeeping transparency that the DOJ requires.
After an assessment is complete, companies without current or workable IG measures can map company data, implement or update information retention policies, and determine whether and when affected data should be eliminated pursuant to the corporate records retention schedule. They can also lay out appropriate use cases for ephemeral messaging or other encrypted communication applications. Companies can also set appropriate education and training intervals for employees, along with monitoring, audits, and enforcement of information related policies and procedures. All of which should prove essential for establishing the type of antitrust compliance program that can help comply with DOJ expectations.