The DOJ Doubles Down on Data, Raising the Stakes for Proactive Information Governance

FTI Consulting’s Andrea Levine and Jake Frazier co-authored this article.

Two recent developments at the DOJ have signaled a continuation and intensification of the agency’s focus on the role of data, proactive compliance and analytics in the antitrust enforcement ecosystem.  On Sept. 15, Deputy Attorney General Lisa Monaco announced revisions to the DOJ’s corporate criminal enforcement policies, which place strong emphasis on corporate data as a key factor in maintaining, demonstrating and investigating compliance. The revisions were also released in an agency memo.

These changes provide guidance for prosecution of individual and corporate misconduct and emphasize what the DOJ considers best practices for effective corporate compliance programs. Corporate data practices and governance are implicated throughout the memo, including their importance in ensuring the preservation of data that is pertinent to business communications and activity. 

Broadly, the DOJ has also demonstrated a pattern of hiring former compliance officials and investing in specialists who have the expertise needed to dissect whether corporate compliance programs are underpinned with sufficient data and analytics. The agency announced in September the appointment of a notable data analytics and global compliance expert to a newly created advisory position within its fraud section. In this role, Matt Galvin, former Anheuser-Busch InBev SA’s global compliance chief — who is well known for his work in leveraging analytics to identify and proactively mitigate non-compliant activity — will advise prosecutors on the characteristics and execution of robust proactive compliance programs. Glenn Leon, former chief ethics and compliance officer for Hewlett Packard, was also recently installed as the new fraud section chief. Data analytics and compliance expertise are significant factors of these strategic hires.

This revised guidance and the coinciding staffing trends will likely influence numerous aspects of regulatory enforcement going forward, but there is at least one critical implication organizations need to be aware of now: The importance of data and the use of data analytics in effective compliance and cooperation has become an irrefutable focal point in the DOJ’s strategy. 

Moreover, with leading data and compliance experts now dedicated to advising DOJ prosecutors, organizations should be prepared for an emphasis on the rigor and sophistication applied to how they govern their data, as well as whether their proactive compliance programs include sufficient access to and analysis of relevant sources of data.

Emerging data sources and personal devices

Under the new guidance, it will no longer be enough for compliance programs to address traditional information sources and communications channels. The new guidance is clear that data preservation and monitoring must also address the “use of personal devices and third-party messaging platforms,” including policies and training on appropriate use of personal devices and collaboration apps for business. The guidance also requires prosecutors to evaluate whether organizations have instituted policies to facilitate production of all relevant information, including from employee devices, when providing cooperation credit.

These directives carry significant information governance implications. To date, most organizations have believed that they are only required to collect data from personal devices or chat and collaboration applications if the DOJ expressly requests that information as part of investigation. The DOJ is now saying that enforcement of policies governing emerging data and personal devices must be effective and part and parcel of a cooperation. 

To meet such requirements must first have their data house in order. This means developing policies and employee training for the approved uses of third-party messaging and collaboration tools. Compliance teams should collaborate with their information governance or IT counterparts to understand the types of tools commonly used across the organization, as well as how the information within these platforms is accessed, shared and preserved. Likewise, organizations must set clear guidelines on the use of mobile devices for business, including installation of mobile device management systems to support and integrate mobile data with information governance procedures. Only once the corpus of business data is identified can compliance departments adequately monitor such data to detect and prevent misconduct in the future.

Responsiveness 

The new guidance also introduces time pressure for corporations to disclose evidence, especially evidence and communications relating to individual misconduct. So much so that delays will impact cooperation credit due to the fact that such delays “reduce the likelihood that the government may be able to adequately investigate the matter in time to seek appropriate criminal charges.” 

The ability to produce relevant documents and data “swiftly and without delay” is a hallmark challenge in regulatory investigations. As the number of relevant data sources grows, and the time to collect this data shrinks, organizations must improve preparedness. Without visibility into where this type of information may exist within the organization, counsel may not even know the extent of the organization’s exposure. Further, if the organization lacks a well-maintained information governance program, the sheer volume of data that may need to be evaluated could create costly delays. 

Proactive compliance 

Again, these developments are consistent with a larger trend that’s been forming within the DOJ and other regulatory bodies over the past several years. In 2020, the DOJ issued updated guidance that gave “Data more prominence as a critical factor in maintaining compliance programs,” given its role in ensuring visibility into all corporate activity and communications. Various groups within regulatory agencies, including the fraud division, are increasing their emphasis on the role of analytics in “identifying crime and building cases,” and are also demonstrating growing interest in hiring experts in analytics and compliance monitoring. In short, regulators are becoming more aware of what compliance programs should include, as well as what they are capable of when supported by data and analytics. 

This broader view of regulatory activity underscores just how valuable and risky data has become in the current business environment. Proactive compliance programs, supported by data experts and robust information governance practices that enable compliance teams to access emerging data platforms, are imperative under the latest guidance. It is clear that policies and training, and even culture of compliance, will no longer be sufficient to receive credit for cooperation or compliance programs should an organization come under suspicion or be flagged by a whistleblower or other investigatory activity. 

Andrea Levine is a managing director within the technology practice of FTI Consulting. She is a qualified antitrust attorney, expert in merger and cartel investigations and trusted compliance adviser. She specializes in creating, implementing and managing novel, technology and data driven solutions that help global corporations and firms mitigate risk, strengthen long-term compliance and improve response to high stakes matters. 

Jake Frazier is a senior managing director and serves as the global head for the Information Governance, Privacy & Security practice within FTI Consulting’s technology segment. He helps clients identify, develop, evaluate and implement governance processes, programs and solutions that produce the largest return on investment while reducing risk.