Corporate investigations—both those initiated internally and those resulting from government regulatory enforcement activity—are a growing part of legal practice. These investigations often seem to take on a life of their own, lasting for years, costing millions (or tens of millions) of dollars, and significantly disrupting day-to-day business activities. With increasing frequency, these investigations also lead to various types of civil actions, resulting in yet more cost and business disruption.
While there is no single right way to handle corporate investigations, several significant issues recur and can be considered and addressed in ways that bolster the odds of a better outcome. This article examines five such issues: the structure of the investigation, privilege concerns, managing data, public disclosures and investigation resolution papers, and follow-on civil litigation.
First, corporate investigations pose thorny structural issues—including questions about who should do what and who will be responsible for what. Who at the company is going to manage the investigation? Who is going to facilitate the investigation and be “in the room” when reports about the investigation are made? Will outside counsel be retained? What individuals (if any) need separate counsel? Do the company’s outside auditors need to be informed? If so, how and when?
Unhappily, many of these issues arise at the outset of the investigation when the facts are likely still unclear or even entirely unknown. Thinking through these decisions in a limited amount of time and with poor information is frequently a challenge.
Consider first the question of who manages the investigation. One default option is to escalate management of the investigation to “independent” decision makers. This will almost always mean that the board, or some subset of it, manages the investigation. However, such escalation may be unnecessary or ill-advised. Investigations can distract the board from core functions, and a board may not, in fact, be best suited to evaluate certain kinds of alleged corporate misconduct. Furthermore, management runs the company and therefore has a keen and legitimate interest in evaluating and remediating potential misconduct. Removing the investigation from management’s oversight makes its job harder. In short, the value of independence can be in tension with the value of efficient and effective corporate management.
Navigating the Issues
A few guideposts can assist in navigating these issues. If senior management is itself implicated in the alleged misconduct, an investigation almost by definition should default to the board level. If the misconduct is clearly below the level of senior management, then it will usually be appropriate for management to run the investigation. The difficulty is, of course, in the gray areas where the scope of the investigation, and thus those potentially implicated, is unclear. In that situation, it is important to recognize the implications of different choices. If management is allowed to run the investigation and it later turns out to be implicated, there may be questions from outside interests—regulators, auditors, shareholders, and the like—about whether work conducted under the direction of tainted management must be redone. Thus, if there is a credible reason to worry that senior management could be implicated, moving control of the investigation to the board is warranted.
For example, say a company is organized by regions with the senior operational and financial management of each region reporting directly to senior management. If initial reports suggest senior regional management is involved in misconduct, then it is reasonably likely that senior headquarters management received information from direct reports that will at least raise concerns. In that setting, a board-directed investigation is likely prudent. If, however, in the same setting, the alleged misconduct sits well below the level of senior regional management, implicating headquarters management seems less likely, and a management-led investigation is probably more sensible.
It is also worth remembering that even if the investigation is moved to the board level, the board will not, in all contexts, be deemed independent merely because its directors meet the independence standards of, for example, the New York Stock Exchange. Rather, each board member potentially overseeing the review should be evaluated to determine his or her independence in the context of the specific investigation. The factors to evaluate may vary but can include the following:
- whether the board member was on the board at the time of the conduct at issue and, if so, whether he or she authorized or in some way directly oversaw the events in question;
- whether the board member has connections with or relationships to any of the persons potentially involved (e.g., other business interests or shared boards, or familial or personal relationships);
- whether the board member (or his or her employer) has a significant business relationship with the company, including whether the board member is appointed or employed by a major shareholder of the company that itself has an interest in the investigation; and
- whether the board member personally owns a significant amount of stock in the company and whether the board compensation is material to that member.
This analysis is not formulaic; rather, it seeks to identify connections or incentives that might undercut the individual’s ability to approach the investigation independently.
Finally, ensure that the entity managing the investigation is appropriately authorized and has the full power to conduct the investigation and that each of the relevant decision makers understands his or her authority and responsibilities. These issues most often arise when a committee of the board is established to oversee an investigation. The committee must be duly authorized, it should be given the power to take the steps likely necessary (such as hiring outside counsel and experts), and the committee’s responsibility as either a recommending or deciding body should be defined.
Who Should Be Involved?
Next, there is the question of who will “be in the room”—that is, who will receive updates and work product and be involved in discussions relating to the matter. All too often a board committee is technically managing an investigation, but many others also receive updates on the matter’s progress. This additional participation may be appropriate but should be carefully considered in advance, with the costs and benefits of such participation weighed carefully. The failure to do so can lead to serious problems with the integrity of the investigation and even lead to a loss of privilege.
For example, some courts have held that, when a potentially implicated person receives reports regarding the investigation, not only is the independence of the investigation in question, but privilege is waived because the implicated person cannot be in privity with the investigation. Similarly, outside interests such as auditors and bankers may receive updates that can later be argued as privilege waivers. These updates may be required in order to allow auditors and bankers to do their jobs, but the implications of those updates need to be evaluated before the updates are given. Finally, some courts, although outliers, have strictly enforced privilege rules by finding waiver when the entity retaining counsel is a board committee and a non-committee member—even another board member—receives updates. While these holdings are suspect, it is important to recognize that they do exist.
Another set of questions confronted at the outset of an investigation is whether outside counsel should be retained and whether any individuals require separate counsel. The increase in sophisticated internal legal, accounting, compliance, and forensic resources makes deciding whether to retain outside counsel more difficult.
As before, evaluating the particular allegations and the likely course and scope of the investigation helps to resolve the dilemma. Are internal resources sufficient as to both subject matter expertise and availability? Are these resources connected to any potentially implicated persons in such a way that conflict concerns arise? Were these internal resources also gatekeepers who themselves missed the issue? Similar questions may be asked about outside counsel if they regularly serve the company, have ties to implicated individuals, or performed some sort of gatekeeping function in the past, such as evaluating prior similar issues. Again, the situation to avoid is one where the people actually doing the “leg work” of the investigation lack the necessary skills or are otherwise compromised such that outsiders could later call the integrity of the investigation into question.
In addition, think through who, if anyone, needs separate counsel. Unlike some of the other issues discussed here, questions about separate counsel may not arise at an investigation’s outset and should be periodically evaluated as events dictate. Adding additional layers of outside counsel can be costly and cumbersome and may be viewed as signaling serious concerns about the people who have separate representation. For these reasons, the issue of counsel for individuals should be approached with care. Nonetheless, where it will be difficult for the company to protect both its own interests and the interests of the individual, separate counsel should likely be retained. One important issue to remember is that individuals below the top of the company’s organizational chart also may need counsel. Indeed, where separate counsel is belatedly provided, it is often the case that the individual involved is a mid- or lower-level employee and the issue was simply overlooked as the investigation progressed.
Finally, consider the interests of the company’s external auditors. Where the inquiry implicates matters such as the efficacy of the company’s financial controls or the accuracy of financial statements and management representation letters, a company’s auditor often expects to be both informed of the investigation and kept abreast of its progress. Under Sarbanes-Oxley, auditors have independent responsibility to verify that concerns of this nature are being appropriately evaluated and remediated by the company. Securities Exchange Act of 1934 § 10A, 15 U.S.C. § 78j-1 (1995). An auditor who is uncomfortable with an issue or the company’s response to it can significantly complicate an investigation.
Accordingly, consider whether the investigation involves issues of importance to the auditors and keep that possibility in mind as the investigation unfolds. If necessary, develop a plan for communicating with the auditors, but remember that such communications may not be privileged.
These issues of structure are hard and, in view of the timing, generally require resolution without the benefit of a meaningful understanding of the facts, although some initial information gathering can provide a more informed basis for these key considerations. The risk, of course, is that work done before counsel is engaged may not be protected by privilege, and early factual sources may turn out to be implicated themselves. The best that can be done is to make the necessary decisions mindful of the known facts and then manage the investigation consistent with those decisions.
Privilege represents a second minefield. Murky privilege issues can shroud any investigation from its inception and, in many cases, far outlive the investigation itself. The attorney-client privilege can be secured as to any investigative efforts made by or at the direction of counsel for the purpose of facilitating legal advice. This is true even if the advice is a—but not necessarily the—primary purpose of the investigation. To enhance the prospects of retaining privilege, consider the following.
When interviewing witnesses, give a clear “Upjohn warning”—known at times as the “corporate Miranda warning.” Upjohn Co. v. United States, 449 U.S. 383, 394 (1981). While there is no magic wording, the interviewer should clearly communicate at the outset of an interview that (1) the interview is being conducted as part of an investigation by the company (or its board, as appropriate) and that the attorney is there to investigate and report findings to the company; (2) counsel represents the company and not the individual; and (3) the communications are privileged, but the privilege belongs to the company, which may elect to waive it and provide the contents of the communication to third parties, including the government. Interviewees should be asked to maintain the confidentiality of the interview and the issues discussed. Where the interview is memorialized, it is helpful to document both the warning and the interviewee’s understanding of it.
Former employees raise slightly different issues. While memoranda reflecting interactions with or interviews of former employees may be protected on other grounds, such as work product, some courts have held that the underlying communication itself—unlike that with current employees—is not protected by the attorney-client privilege, reasoning that there is no material difference between former employees and other third parties. Be aware of this potential risk when making interview decisions, and consider the privilege implications of those decisions. With both employees and former employees, be aware that privilege will likely extend only to matters within the scope of the individual’s employment.
Managing outside experts is also important. Professionals such as accountants, information technology and computer forensics specialists, and subject matter experts are routinely utilized in investigations. As non-lawyers, these professionals do not and cannot render the legal advice that creates privilege. However, courts have regularly acknowledged that the work of non-lawyers acting at the direction of attorneys for the purpose of facilitating legal advice can be covered by the attorney-client privilege. Some documentation, such as an engagement letter, is helpful to make the point that the retention was to facilitate legal advice.
Further, be mindful that privilege in these settings is not absolute and can be compromised—either deliberately or inadvertently. For example, in ongoing civil litigation against Wal-Mart regarding the company’s investigation into allegations that it violated the Foreign Corrupt Practices Act (FCPA), shareholders requested a variety of documents related to the investigation for the purpose of considering claims that the company’s directors and officers violated their fiduciary duties. Wal-Mart Stores, Inc. v. Ind. Elec. Workers Pension Trust Fund, 95 A.3d 1264 (Del. 2014). Wal-Mart asserted privilege objections to a number of these requests. Rejecting the company’s position, the Delaware Supreme Court applied the Garner doctrine, also known as the “fiduciary duty exception,” explaining that shareholders of a corporation may be entitled to privileged documents upon a showing of good cause in order to prove fiduciary breaches by those controlling an investigation. Id. at 1275–80 (citing Garner v. Wolfinbarger, 430 F.2d 1093 (5th Cir. 1970)). As the court in Wal-Mart explained, once plaintiffs made the substantive showing that the documents were “necessary and proper” to their potential claims and demonstrated that the Garner doctrine should apply to obviate privilege, they were allowed access to a broad range of documents including investigatory materials and reports (even those not provided to the board), board and committee minutes relating both to the investigation and to Wal-Mart’s FCPA compliance program, and any other documents responsive to the plaintiffs’ requests that were “known to exist” by Wal-Mart’s Office of the General Counsel. Id. at 1274–75.
Whistleblowers create similar risks. Dodd-Frank incentivizes whistleblowers, who may feel free to disclose privileged documents in their possession, as several recent matters including the Wal-Mart case demonstrate.
While the Garner doctrine and whistleblower activities involve involuntary risks of privilege waiver, a company may also decide during the course of an investigation that the provision of privileged documents can assist its presentations to government regulators. These voluntary waivers create issues of their own. Whether disclosures are made through the formal amnesty program under U.S. antitrust law or more informal rubrics such as the guidance surrounding the FCPA, it is often argued that these disclosures waive privilege. Courts have been reluctant to embrace the “selective waiver” doctrine, which allows privileged documents produced to a regulator to remain privileged as to others. Therefore, whatever benefits the waiver provides in the investigation should be weighed against the fact that the documents are now likely available to others, including civil litigants pursuing the company (and perhaps its directors and officers) in related actions.
Moreover, the waiver may extend beyond the actual documents produced. Under the “fairness doctrine” or “subject matter waiver rule,” a litigant may be able to reach all privileged materials relating to a particular subject matter or communication once sufficiently related privileged materials have been disclosed. Often discussed using a “sword and shield” analogy, this concept prevents a party from using privilege waiver to its benefit while defensively withholding portions of the produced communications or subject matter documentation.
As a result, privilege waivers need to be evaluated—not just in terms of the documents actually being made available but also in view of whether that action can be considered a subject matter waiver exposing still more material. One backstop to consider is that some courts have held that while disclosure in a litigation context can support a subject matter waiver, “extrajudicial” disclosure does not; thus an extrajudicial waiver is limited to what is actually disclosed. See In re von Bulow, 828 F.2d 94, 103 (2d Cir. 1987). Applied in the civil and criminal proceedings involving Claus von Bulow, this doctrine is not regularly utilized. Nor is it clear that an investigation will be deemed extrajudicial. Thus, care should be taken in relying on this limitation on privilege waiver.
Indeed, it is worth noting that courts do not regularly deal with privilege issues in the context of investigations and that, as a result, the applicable law is not always well developed. Conflicting decisions, and decisions that are tightly tied to the particular facts, are prevalent. For that reason, where a privilege waiver is contemplated, it is worth taking the steps available to limit the waiver and guard both privilege and confidentiality.
Attempt to negotiate the scope of any privilege waiver and production with the relevant regulator. Regulators increasingly understand the complexities of these issues and their potential collateral effect. Negotiating a phased or limited review of materials relating to targeted allegations, geographies, business lines, or date ranges may be palatable to the government and may facilitate waiver limitation. In addition, secure a confidentiality agreement that expressly places meaningful restrictions on the government’s use of the privileged information in advance of any production, as some courts have suggested that these agreements may protect documents revealed to regulators from later disclosure.
Finally, do not blithely assume that the work you are doing will always be protected. Think before you write. Although there are times when a PowerPoint presentation or written report is appropriate, do not be afraid to pick up the phone or provide an oral briefing. Balance the advantages of documentation against the risks that what is on paper may ultimately be available to outsiders. When documents are created, ensure language is accurate and measured, give appropriate context, make sure the document can stand alone, and mention the good and the bad.
Above all, when dealing with privilege, know the landscape, understand the core principles and pitfalls, and proceed with caution.
Third, internal investigations often call for important decisions about managing data. While not a part of every investigation, email and forensic review can provide a wealth of critical information. At the same time, dealing with data—preserving, collecting, storing, reviewing, and testing—can create significant cost in the course of an investigation. A few key steps can make the process somewhat less painful.
Do your homework ahead of time. Know the basics of data—how data are generally stored and preserved; how they can be collected; the most common software systems for financial data, email, and reporting; and the universe of reliable vendors, products, and capabilities. Advance preparation will ensure you ask the right questions and will facilitate better and faster decisions in the heat of the investigation. Likewise, review tool features vary enormously; some offer language recognition and translation, some offer foreign data hosting, some charge per user, while others offer unlimited access. Understanding the options and trade-offs allows you to make an informed and project-specific tool selection.
Next, avoid panic. Do not rush to pull—or worse produce—data before developing an action plan. Even under the most extreme time constraints, take time to ask critical questions. Who are the key players? What do you really need, where is it most likely to exist, and in what form? Do you need to conduct any preliminary interviews to answer these questions? If so, who needs to be interviewed? On the technical side, consider where and how potentially relevant data are stored. Are the data in the United States or abroad? If relevant data are difficult to access, are there other ways to obtain the same information or limit what needs to be collected? Who uses shared drives and in what ways? How do the various relevant systems interface?
Similarly, preserving data early on is critical. Consider whether there are auto-deletes for relevant systems or backup tape recycling programs that should be suspended. Issue a document hold notice in a timely manner and make sure it covers all relevant data and is distributed to the necessary people. But be careful in crafting and distributing the hold. Data should be preserved without prematurely tipping off potential suspects or otherwise inappropriately spreading information about the investigation. Certain information may need to be forensically preserved through imaging or other mechanisms to avoid these concerns.
Throughout the data process, be aware of data privacy and state secrecy issues. Often more of an issue in Europe and Asia than the United States, data privacy and state secrecy restrictions can significantly affect access to and movement of data, and the applicable rules must be assessed. Where data privacy or state secrecy poses a significant road block, consider alternative sources of the information or alternative mechanisms for retrieval, such as self-collection. Keep in mind that some jurisdictions have additional limitations, such as restricting removal of interview notes or other work product generated in that jurisdiction. Again, know the playing field and develop a plan before taking action.
Be strategic in controlling and managing the process for reviewing and analyzing data. As a threshold matter, consider whether to conduct certain interviews before collecting or reviewing data. Early interviews may focus the collection and review by, for example, identifying custodians, facilitating better search terms, establishing appropriate date ranges, and identifying certain systems or controls for forensic review. Once document collection and review begin, a targeted approach can help too. Initial review may assist in limiting the employees involved, the markets at issue, or the time periods of focus.
If an in-depth forensic review is warranted, consider whether to use internal forensic resources (at the instruction of counsel to secure privilege) to design and conduct the needed analysis. Pulling resources unaffiliated with the departments or regions at issue and walling them off to assist with the investigation may be one of many ways to make effective use of internal resources. If used, ensure that any such resources are appropriately independent. Internal auditors who already missed the issue or who are regularly involved with the business units or persons at issue probably are not the best candidates to take part.
Fourth, investigations generate questions about how and when to disclose the results. Public disclosures and the resolution papers relating to an investigation should be drafted with more than just the investigation in mind. These items play a critical role in follow-on shareholder litigation and often are used as the basis for shareholder complaints.
To that end, evaluate public disclosures in at least three respects. Initially, consider providing meaningful—not boilerplate—disclosures of the risks faced by the enterprise even before issues arise or an investigation begins. The more specific a company’s disclosure of these risks, the harder it is for shareholders to later successfully claim they were misled if one of these risks comes to pass.
Next, consider regular disclosure of ongoing compliance efforts, particularly those designed to detect and mitigate the risks most likely to materialize. While granular detail is likely ill-advised, disclosure of the existence of and enhancements to relevant controls, programs, or policies can be useful in demonstrating that the issues reviewed in the investigation were outliers and contrary to corporate practices. Indeed, a lack of disclosure regarding compliance efforts may be asserted by enterprising plaintiffs as support for a claim that the company had no such controls or programs in place.
Finally, evaluate the need for progressive disclosures throughout the investigation. All too often, investigatory disclosures include only the fact of the investigation, a disclosure that is then repeated verbatim until the outcome of the probe is announced. Markets (and potential litigants) do not like surprises, and these repeated disclosures followed by a sudden announcement of the resolution may result in exaggerated stock price reactions. Granular detail is not the goal. Rather, consider general disclosure of topics such as the geographic scope of the investigation, the business units involved, the type of conduct at issue, the business relationships and activities potentially affected, and—as the matter moves toward resolution—some sense of the range of potential outcomes.
In addition to disclosures, when negotiating resolutions, think through whether there are facts that can be incorporated to better position the corporation to effectively respond to follow-on litigation. Consider including information related to (1) the existence, before the violation or investigation, of relevant programs, policies, and internal controls; (2) actions taken by the company to evaluate, improve, or enhance its compliance policies and controls both before discovery of the events at issue and the resolution of the investigation; (3) discovery of the problem by the corporation, if internal efforts or controls uncovered it; (4) the thoroughness of the investigation; and (5) the company’s difficulty in uncovering the problem, including evidence that wrongdoers succeeded in keeping management and the board in the dark concerning their activities.
Both public filings and, once filed, resolution papers are a matter of public record, and courts are often willing to take judicial notice of them as early in the litigation as the motion to dismiss. Including some of the information discussed above in public disclosures and resolution papers may render those facts available pre-discovery. This offers potentially valuable tools to address allegations that company directors and managers knowingly disregarded their duties of oversight, insufficiently responded to the issues at hand, failed to provide material information to shareholders in a timely manner, or otherwise violated their fiduciary duties.
Fifth, investigations are often only the opening act in subsequent civil litigation. Be aware of what may be coming. “Follow-on” civil suits commonly make use of the allegations, findings, remediation, oversight, expense, and disclosures relating to the investigation. Typical cases include shareholder derivative suits asserting breaches of fiduciary duty by the board or management or both, securities fraud actions claiming that the company misstated issues related to the investigation to inflate its share price, and employment claims ranging from wrongful termination to breach of contract.
Each type of follow-on litigation will have its own issues of strategy and privilege. Regardless, a corporation will be better positioned to resolve follow-on litigation where the above issues have been considered and addressed to the extent possible. For example, where independent board members conducted the investigation and determined the appropriate remediation, a corporation may more easily rebuff derivative actions, which require the shareholder as a threshold matter to demonstrate a lack of director independence. Similarly, as noted above, meaningful public disclosure can limit a shareholder’s ability to claim that material information was omitted from the company’s disclosures in later securities fraud actions.
All of these issues are complex and require an advanced level of coordination and analysis throughout the investigation. However, where an investigation is structured appropriately, privilege is protected and only strategically waived, forensics and data are thoughtfully tested and reviewed, and disclosures and resolutions are crafted as parts of a comprehensive strategy, the payoff—both in the efficacy and efficiency of the investigation and in the ability to respond quickly and favorably to follow-on litigation—will be significant.