Mobile devices have transformed business communications. They’re an essential tool in both our professional and personal lives, representing the ultimate unified communications solution. The issue is, mobile phones are not natively compliance.
The business use of mobile devices creates regulatory and reputational risks teams must address when building data governance procedures for healthcare and life sciences companies. They increase the risk for off-channel communications around off-label promotions, insider trading, kickbacks, and other conflicts of interest. Whether corporate or personal, mobile devices also make it more difficult to monitor communications across ephemeral messaging, social media platforms, and increase the chances of data breaches.
1. Rising to new regulations
Government agencies such as the U.S. Department of Justice (DOJ), Food and Drug Administration (FDA), Securities and Exchange Commission (SEC), and the European Data Protection Board (EDPB) are paying close attention to the risks posed by mobile devices in life sciences.
Marketing and promotional practices, and the ways manufacturers interact with external players such as purchasers, prescribers, and patients, have all come under increased scrutiny. Several investigations have resulted in substantial fines, direct material harm, and associated to reputational damages to companies.
The Department of Justice (DOJ) and Federal Trade Commission (FTC) recently doubled down on amendments to its Evaluation of Corporate Compliance Programs (EPPC), instructing companies to capture and store all communications data – no excuses. It’s important to keep expectations from these agencies front and center when developing compliant mobile communications policies, so you know where to prioritize your time and money as guidelines are changed or new ones are established.
2. Constructing corporate device solutions
Corporate issued devices are often preferred by compliance teams as opposed to allowing personal devices under bring-your-own-device (BYOD) policies. They are easier to monitor than BYOD to meet DOJ expectations around preservation of all relevant business communications and metadata. It also gives teams greater control in the event of a data breach or other security concern, particularly relevant for high-risk employees with access to valuable intellectual property.
Yet corporate devices can also lull compliance teams into a false sense of security, as blocking certain communication channels doesn’t mean employees won’t still use those channels to conduct business on other, unmonitored devices.
Ensuring employees keep business communications on corporate devices necessitates compliance teams work to monitor all channels, rather than just prohibiting or restricting them. Many public-facing life sciences employees, like pharmaceutical sales reps, feel pressure to meet clients on the channels they’re comfortable with, such as WhatsApp, Signal, and Apple Messages.
Data connectors that capture these communications channels and collaboration tools will grant employees the freedom to meet external contacts where they’re at while also meeting data capture and retention requirements. Working with employees throughout your organization to create mobile communications policies that fit their needs, as opposed to constricting them, allows you to work with your organization rather than against. This helps all employees understand their company compliance policies and be more enthusiastic about following the rules, increasing compliance buy-in and helping your policies to stick.
3. Capturing ephemeral messages
Allowing access to a wider range of communication channels does bring additional risk, including those associated with ephemeral messaging. Apple Messages, Signal, and WhatsApp all allow users to send disappearing messages or delete messages at will. In recent years, the DOJ and FTC have updated guidelines on ephemeral messaging, “[reinforcing] parties’ preservation obligations for collaboration tools and ephemeral messaging.”
Ephemeral messaging is risky for three reasons: bad actors might attempt to conceal misconduct like off-label communication, organizations might fall outside of regulatory recordkeeping requirements if they are unable to capture and archive ephemeral messages, and lost messages might break consistency in an audit trail during a regulatory or criminal investigation.
While clear policies on the use of ephemeral messaging and thorough training move the responsibility from the company to the individual, there are also technological solutions organizations can employ:
- Migrating to a compliant communications app like the Global Relay App allows employees to communicate with external parties via WhatsApp or Apple Messages, but it removes the ability for ephemeral messaging to be sent via these channels.
- Data connectors that can capture and transfer all data from a source into a compliant archive are the least-obstructive solution. Employees can still send or receive ephemeral messages while permanently maintaining them in the archive.
4. Monitoring social media platforms
Another area presenting significant compliance risk is social media. Platforms like LinkedIn and X have become nearly as crucial to business as mobile devices themselves, with many high-risk employees using these platforms to network or broadcast company initiatives.
Social media can feel more casual, but rules still apply to what employees post when it comes to off-label promotions and kickbacks. Beyond posts, public conversations can quickly become private when moved to direct messages.
As with all channels, companies should build clear policies around social media use and effectively communicate them to employees. Technological solutions like data connectors and APIs can be effective here, allowing communications data to be captured, archived, and monitored. You should also update compliance workflows around social media routinely; regulators commonly update policy regarding these platforms and the language bad actors use to avoid detection also evolves over time.
Ultimately, developing a successful compliant mobile communications policy requires teams to address numerous pain points and really understand the needs — and habits — of their employees. High-risk individuals in regular communication with external contacts want to communicate on the channels their customers or prospects are using, and they are more likely to comply with policies if those policies are permissive rather than prohibitive.
