Because a an organization is liable for acts of its agents within the scope of their employment, when malfeasance is uncovered or even suspected, organizations will often wish to conduct an internal investigation to gauge its potential liability. Among the investigative goals are to learn whether there is exposure, to gauge the potential liability, to effectively deal with the wrongdoers, to effectively inform corporate management, the board of directors and shareholders and to implement changes that reduce the potential that the wrongdoing will recur.
An equally important goal is to conduct the investigation in a manner that does not increase the likelihood of exposure. The investigation should be protected under attorney-client privilege and the investigation itself should have as a subsidiary goal determining what, if anything, the government knows about the conduct. Once a thorough investigation has been conducted and remedial action taken, or sooner if the conduct is likely to be exposed otherwise, there should be serious consideration of self-disclosure to the government and, in the event, such a course is followed, the disclosure should be clear, concise and controlled — and made only after you have a clear understanding of the consequences disclosure. Enforcement agencies provide significant incentives to self-disclose. These incentives are infused in the sentencing guidelines, civil penalties and administrative remedies, such as debarment, which may be mandatory, or virtually so, absent self-disclosure.
When an organization fails to achieve its internal investigative goals, the origins of failure can often be traced back to the very beginning of the relationship with the firm or entity conducting the internal investigation. Preserving the protections of the attorney-client privilege requires proper documentation. This cannot be done effectively until an investigative plan is in place. Who will be interviewed and in what order? How will these interviews be timed? Is time of the essence? If so, documents and applicable records must be gathered, or recovered forensically, so that they may be reviewed and integrated into the investigative strategy and tactics.
Will there be a forensic audit done prior to or contemporaneously with the tactical interview plan? This plan will be extensively updated and revised as new information is developed and the scope of the threat is understood. Obviously, the attorney-client privilege is typically formed with the organization and this needs to be artfully handled with anyone who is being interviewed. Particularly important is the notion that the attorney-client protection belongs to and can be waived by the corporation. This should be documented appropriately in the “warnings” given to employees in advance of their being interviewed. Here again, there are extensive strategies for protecting communications among members of the investigative team.
Issues related to eDiscovery can be extraordinarily thorny. The temptation is to use in-house personnel to defray costs, but doing so may jeopardize the company’s ability to maintain the confidentiality of the communications, resulting in a loss of the privilege. The better course is to outsource eDiscovery and document handling to a trusted outside firm that has competed for the business under a strict confidentiality agreement.
In situations where a dedicated compliance official has uncovered a problem, that compliance official should immediately inform general counsel and no one else. Ideally, the organization will have a foundational document in place that creates a framework of rules and procedures to follow when faced with this situation.
Currently over 70 countries have data privacy laws and this can create significant impediments to international investigations. Prior to significantly impacting a host country’s laws, we always consult with a data privacy expert with familiarity regarding affected host country sensitivities. Keep in mind that problems can be created when identifiable information is released or disclosed. This includes information regarding the senders or recipients of email, addresses, compensation, or health care.
Not following data privacy rules from a host country can significantly complicate firing someone when the basis for the firing is the tainted information. To preserve flexibility a company should secure consent through employment agreements and this should flow through to corporate policies found in handbooks and compliance programs as well as in data preservation notices. This does not work in every country. Consent has to be informed and freely given and must describe the uses to which the data can be put.