Tag: internal investigations

Categories
Blog

Day 17 of One Month to Better Investigations and Reporting – Whom to Suspend During an Internal Investigation and De-confliction

Scope of VW Suspensions Grows”, William Boston reported on the ongoing internal investigation by the company’s outside counsel Jones Day. Boston noted that VW had “suspended a larger number of engineers than previously acknowledged, following a recommendation from the law firm conducting” the investigation. The article went on to state, “Jones Day urged suspension of anyone who could have been involved in the scam – from high-level decision makers to ordinary engineers – to prevent possible perpetrators from tampering with the evidence.” This final statement emphasizes a key consideration in an FCPA investigation, which is to tie down the evidence. Former Arnold & White partner Mara Senn has said that “probably from the government’s perspective, the most important aspect of setting up an investigation in a way that makes them feel comfortable, is ensuring that all data is locked down.” However, if you are worried about evidence tampering, you may have a bigger problem. Pointing up the difficulties in making such a blanket sweep, an unnamed source, who provided this information to Boston, quoted the WSJ piece as saying, “We had to suspend everyone in this area to get them out of the way of this process. This is necessary for the investigation, but it’s tough because we are now missing their professional knowledge and experience.” This issue brings up another point that Senn has discussed: when to suspend or discipline an employee during an internal investigation. Senn said, “That is a very case-by-case difficult question to answer, but in general, I think it’s better to keep them around for as long as you need them. Once they’ve been fired or otherwise disciplined, even if you keep them around, they will be less cooperative with you and possibly, if you fire them, not cooperative. You can require them to cooperate in the termination agreement, but, in practice, cooperation can mean many different things.” Given the Schrems decision by the European Court of Justice (ECJ), I wonder how the investigation will be fair with the German-based employees. Data in the US would be deemed company-owned, but in Europe, it may be private to the investigated employee. This problem became even greater with the recent decision by Privacy Regulators from 28 EU nations that backed the EC J’s Schrems decision that invalidated the Safe Harbor regime. As reported by Jo Sherman in the FCPA Blog, “that closed the legal pipeline by which data has flowed freely from the EU to the U.S. for the last 15 years. The rationale for the court decision and the subsequent backing of the EU Data Protection Authorities is that the U.S. government’s surveillance powers are considered too excessive and disproportionate and can override the data protections for EU citizens under the Safe Harbor framework.” Lanny Breuer, the former number two at the Department of Justice (DOJ) and now a partner at Covington and Burling LLP raised an interesting concern in the Justice Department’s FCPA Pilot Program context. It is around what Breuer terms “de-confliction.” This involves the government asking a company to halt its investigation for the government to be the first to interview witnesses. At the FCPA Blog Conference, Breuer said that if “de-confliction” is required as cooperation to gain the benefits of the pilot program, such a request from the DOJ would be “an extraordinary request, in my view” because it “could lead companies to be unable to disclose to other agencies or shareholders, and it could keep a board in the dark about the alleged wrongdoing.” Breuer added, “In general, publicly traded companies can’t just stand down from doing an investigation when such an allegation comes in.” He also commented that “he’d been asked to do so a couple of times.” Breuer raised four questions during his presentation, which every investigator must consider in de-confliction. 

(1) Would complying with the request be consistent with directors’ and corporate officers’ fiduciary duty of oversight?; 

(2) How can a company make decisions without speaking with its employees?; 

(3) How will a delay affect the company’s other regulatory obligations?;

(4) How can external counsel advise a company without knowing the facts? Companies hire external counsel to conduct thorough investigations, evaluate their clients’ conduct, and provide informed legal advice. These tasks can be difficult, if not impossible, to accomplish where external counselors have their hands tied behind their backs. The DOJ could have a broader remit or be involved with other ongoing investigations where they might make such requests. However, such ‘de-confliction’ could stop a company from engaging in a root cause analysis or even a robust investigation. At the same conference, an earlier panelist, Gerald Kral, the Chief Ethics and & Compliance Officer (CECO) of Brown-Forman, said on his panel that his company did an extensive root cause analysis of every claim or incident so it can not only understand what happened but put sufficient risk management protections in place to try and make sure it does not happen again. 

Three Key Takeaways:

  1. Decisions on whom to discipline and when are critical decisions during any investigation.
  2. Take a case-by-case approach.
  3. The de-confliction question can be quite troubling during an internal investigation.

 Whom to suspend and when coupled with de-confliction are bedeviling issues in any internal investigation. 

Categories
Blog

Day 16 of One Month to Better Investigations and Reporting – Privacy Concerns in Internal Investigations

Schrems’ decision by the European Court of Justice, US-based law firms could rely on Safe Harbor to use and analyze information from investigations conducted in Europe. However, the Schrems decision and subsequent EU privacy rulings and regulations have brought the entire issue around internal investigations into question. In a podcast interview with UK solicitor and data privacy expert Jonathan Armstrong about the decision, Armstrong noted that the decision puts real roadblocks in the path of a US company that could be investigating potential anti-corruption allegations in the UK or EU member country. The biggest issue would be personal privacy and information. Unlike the US, work emails are covered by the privacy rights afforded to individuals and are not the company’s property. The same is true of other information. Under the Schrems decision, the ability of a US corporation to access that information and then take it back to the US under the safe harbor provision is no longer available. I asked Armstrong how a company might be able to move forward and internally investigate potential FCPA violations. Armstrong suggested that the only way at this point was to obtain the consent of the investigated person. However, obtaining such consent raises a host of other problems. He said, “Can I get consent for an internal investigation? Can I speak to my Austrian agent and say, “Peter, I just need you to sign this form to transfer your data to the US”? Now, for consent to be valid, the European legislation has to be fully explained, it has to be honest, and it can’t be deceptive. I’ve got to say to him, “I want you to sign this form because I want to investigate you. I want to run a full FCPA investigation; you’re the prime suspect. I want to take a look at your emails, and I have to inform you that you have the right not to consent, and if you don’t consent, there’s no way I can investigate you. Could you sign the form, please?” As Armstrong went on to note, “What answer is he likely to give in an internal investigation, and how would the US authorities feel if I go and tip off the main suspect that he’s under investigation?” With these two key components of any best practices compliance program, hotlines, and internal investigations, seemingly now unavailable to CCOs or compliance practitioners for EU-sourced information, I believe additional pressure will be put on the compliance function. Any US company with EU-based operations will have to take steps immediately to ring-fence such data originating in Europe. It may also mean locally based-compliance practitioners must head any inquiries. Moreover, if you couple this ruling in the Schrems decision with the Yates Memo, you immediately see the issue involved for any company seeking cooperation credit because such a company is required to turn over any information to the Department of Justice (DOJ) as soon as possible. But now, even if companies can still develop facts and data through internal investigations, in the manner suggested by Pirrotta in using local law firms, you might not be able to get the information back to the US to use. Worse yet, is the option laid out by Armstrong to obtain consent from an investigation target? Not only do I find it improbable that anyone, European or otherwise, would give such consent, but in the unlikely event such consent is given, you have told the target they are the target, and other data sources might well begin to disappear. Armstrong put it starkly when he said, “you’re going to get no sympathy from the bribery prosecutors, bribery regulators if you mess this up. The SFO [Serious Fraud Office] allegedly lost the case on how the US firm involved conducted the investigation. They will have, rightly, I think, no sympathy at all for people whose investigations are themselves conducted unlawfully. It will need much careful thought to structure data transfers and interviews. How do you move those interview notes? How do you look at emails? All this stuff will be critical so that you don’t break data privacy data protection laws and tip off witnesses, you know, interfering with the scene of an investigation, et cetera, et cetera. All of these things are critical.” How does the Schrems decision contribute to compliance at the tipping point? If you can use two of the key components in a best practices compliance program; based upon the DOJ/Securities and Exchange Commission (SEC) Ten Hallmarks of an Effective Compliance Program or another standard, it will put significant pressure on other parts of the program. A compliance program will have to be structured more rigorously to prevent FCPA violations through internal controls and transaction monitoring tools. CCOs and compliance practitioners will also have to be more involved and have more visibility into the entire lifecycle of transactions so they can determine how to begin to move from even prevention to prescription of any FCPA violations. Just as the compliance world changed with the announcement of the Yates Memo, the DOJ Compliance Counsel, and the VW emissions-testing scandal, the Schrems decision will change the need for a more robust compliance program from now on to help protect a company. 

Three Key Takeaways:

  1. The Schrems decision significantly impacted US-based internal investigations.
  2. Study the privacy laws of the country where you are performing your investigation.
  3. Informed consent is difficult to obtain, but it may be critical for your investigation.

 Take care to protect privacy concerns when performing investigations outside the US.