DOJ’s Settlement Imposes Legal Process Compliance Monitor, Highlighting the Government’s Increased Focus on Data Preservation

Google will spend the next three years with an independent compliance monitor scrutinizing its process for responding to warrants and other government data requests. This and other requirements are part of a settlement agreement with Google, announced by the Department of Justice (“DOJ”) on October 25, 2022, to resolve a four-year long dispute over lost data responsive to a DOJ search warrant.

The dispute dates back to a warrant the DOJ obtained in 2016 in the U.S. District Court for the Northern District of California for data related to its criminal investigation of the cryptocurrency exchange BTC-e. Google began processing the warrant, but after a Second Circuit ruling that the Stored Communication Act (“SCA”) did not reach data outside the United States, Google paused its processing to challenge the warrant’s applicability to foreign data in light of this ruling. While the parties were litigating, Congress passed subsequent legislation clarifying that the SCA applies to foreign data and mooting the dispute regarding the scope of the search warrant.

In the intervening period, data responsive to a government search warrant was inadvertently lost despite Google’s preservation efforts. The agreed upon statement of facts, simultaneously filed with the Stipulation Agreement, details the extent of the data loss and explains that although Google had taken steps to preserve data responsive to the warrant, those efforts had not extended to certain files.

The settlement agreement in October marked an end to the dispute over the deleted data. In its press release, the DOJ touted the requirement in the agreement that the tech giant retain for a three-year period a “first-of-its-kind Independent Compliance Professional” similar in most respects to the compliance monitors that the DOJ routinely requires as a key component of corporate criminal resolutions in securities fraud and corruption cases. Monitors are also prevalent in civil settlements of corporate misconduct such as healthcare fraud, where the Department of Health and Human Services Office of Inspector General imposes similar requirements under a different name: Corporate Integrity Agreements (or “CIAs”).  Google’s independent compliance professional appears to be unique.  Unlike ordinary monitors, Google’s  will focus on the company’s data preservation by verifying the accuracy of reports describing its legal process compliance program and enhancements, which Google is required to present to its Compliance Steering Committee, the Audit and Compliance Committee of the Board of Directors of Alphabet (Google’s parent company), and the government.

This settlement is the latest in federal agencies’ increasingly aggressive efforts to seek penalties around flawed data preservation efforts.  In September the Securities and Exchange Commission and the Commodify Futures Trading Commission announced over $1.8 billion in settlements with financial institutions for violating record-keeping requirements (as we explained here). SEC Chair Gary Gensler has since stated that the agency continues to investigate off-channel business communications within SEC-regulated entities.[1]

A company’s data preservation obligations may arise because of a specific government investigation, a standing regulatory requirement, or litigation. The settlements and disputes described above show that the government is focused on data retention issues in multiple contexts, and that it will leverage its resources to pursue and publicize enforcement against companies it believes have fallen short of their obligations. Under government scrutiny, data retention is a high-stakes endeavor. As the government increases the stakes in this arena, companies should take stock of their data obligations arising from diverse sources. As both the data preservation requirements and the consequences for missteps in this arena evolve, companies would do well to invest in their compliance efforts and ensure that their preservation is sufficient under multiple obligations—be it a specific government investigation, a standing regulatory requirement, litigation or all of the above.

Leave a Reply

Your email address will not be published.