DOJ’s ECCP Updates: Managing AI and Emerging Tech Risks in Compliance

In September 2024, the Department of Justice (DOJ) released an updated version of its Evaluation of Corporate Compliance Programs (ECCP) Guidance. The ECCP serves as a framework for DOJ prosecutors to evaluate a company’s compliance program when considering the appropriate enforcement actions. While updates were made across multiple topics, the most notable changes focus on how companies manage corporate whistleblower programs and address risks associated with Artificial Intelligence (AI) and other emerging technologies.

In Part 1 of this blog series, we examine the DOJ’s updated ECCP guidance, highlighting the risks tied to emerging technologies like AI. Part 2 will delve into the management of corporate whistleblower programs and the DOJ’s guidance on M&A integration, policies and procedures, and tailoring training programs to strengthen compliance.

Use of Data and Emerging Technology
To define AI, the DOJ guidance references the definition found in Section 238(g) of the John S. McCain National Defense Authorization Act of 2019. Acknowledging the inherent risks posed by new technologies like AI, the DOJ emphasizes the importance of evaluating their use in business operations. Companies are encouraged to conduct risk assessments related to emerging technologies, identify mitigation steps, and continuously audit and monitor these technologies to ensure they function as intended. Additionally, companies should focus on detecting and correcting AI-driven decisions that conflict with their values.

Key themes addressed in the DOJ’s guidance include:

Establishing processes to identify and manage internal and external risks associated with emerging technologies
Assessing the potential impact of these technologies on the company’s compliance with criminal laws
Integrating emerging technologies’ risks into broader Enterprise Risk Management (ERM) strategies
Evaluating governance approaches for using new technologies in commercial business operations and compliance programs
Addressing potential negative or unintended consequences resulting from the use of these technologies
Mitigating risks of deliberate or reckless misuse of technology
Implementing controls to monitor and ensure AI’s trustworthiness, reliability, and alignment with applicable laws and the company’s code of conduct, ensuring technologies are used only for their intended purposes
Defining a baseline for human decision-making to assess AI outcomes
Establishing clear responsibilities and accountability for monitoring and enforcing AI use
Providing proper employee training on the use of emerging technologies

By following these guidelines, life science companies can better align the adoption of new technologies with their compliance frameworks and operational goals.

Risk Management
An evaluation of a company’s risk profile should account for specific factors that mitigate risk, including emerging threats as internal and external circumstances evolve. Life science companies should assess which aspects of their operations reduce their risk exposure and whether their approach to risk management is proactive or reactive. Additionally, compliance programs should consider how they allocate compliance resources in a risk-based manner; companies should periodically review vendors and leverage available data to assess risks associated with third-party relationships.

As life science companies navigate the complexities of compliance in an era defined by rapid technological advancement, the DOJ’s updated ECCP guidance serves as a critical resource. By proactively addressing risks tied to emerging technologies, corporate whistleblower programs and overall risk management, organizations can align their compliance frameworks with evolving expectations.

Stay tuned for Part 2 of this blog series, where we’ll dive into the DOJ’s guidance on whistleblower programs, M&A integration, policies and procedures, and tailoring training programs to strengthen compliance.

For the full text of the DOJ Guidance and a redline version that reflects all changes made in the new update, please go to:

Redline Version – ECCP_September 2024 Redline Updates_v3

Clean Version – https://www.justice.gov/criminal/criminal-fraud/page/file/937501/dl

February 5, 2025

Jay Ward
Director, Life Science Solutions

Cookie	Description
cookielawinfo-checkbox-advertisement	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given their consent to the usage of cookies under the category 'Advertisement'.
cookielawinfo-checkbox-necessary	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given the consent to the usage of cookies under the category 'Necessary'.
cookielawinfo-checkbox-non-necessary	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given their consent to the usage of cookies under the category 'Non-Necessary'.
cookielawinfo-checkbox-preferences	This cookie is set by GDPR Cookie Consent plugin. The purpose of this cookie is to check whether or not the user has given the consent to the usage of cookies under the category 'Preferences'.
viewed_cookie_policy	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Description
GPS	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
IDE	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
test_cookie	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the users' browser supports cookies.
_ga	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_gat	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.
_gid	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.

Cookie	Description
IDE	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
Marketo	This allows a website to track visitor behaviour on the sites on which the cookie is installed and to link a visitor to the recipient of an email marketing campaign, to measure campaign effectiveness. Tracking is performed anonymously until a user identifies himself by submitting a form.
test_cookie	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the users' browser supports cookies.
VISITOR_INFO1_LIVE	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	This cookies is set by Youtube and is used to track the views of embedded videos.

Share This Story, Choose Your Platform!