Department of Justice (DOJ)

Data Retention, Self-Disclosure and Controlling the Story

How to make sure your company doesn’t run afoul of the FCPA – and the best ways to navigate a government investigation if faced with one.

CCBJ: Lets talk about some of the current Department of Justice (DOJ) and Securities and Exchange Commission (SEC) enforcement priorities that general counsel should be aware of, and how organizations can best navigate them during an investigation.

Roscoe Howard: One enforcement priority where we’re seeing more activity is with the Foreign Corrupt Practices Act (FCPA). It is hard to be a corporation in this country these days and not operate across international borders, and I think you’re going to see the SEC and DOJ being much more inventive about what actually constitutes “operating abroad” for a company or an individual. These FCPA cases usually involve a significant amount of money, and ordinarily there are individuals that can be identified who are facilitating bribes, thus are exposed to personal criminal liability. Having a chance at holding an individual liable makes an attractive prosecutable case because it would, arguably, involve incarceration.

I think FCPA prosecutions will increasingly be a government priority in the coming years, and quite frankly, since the law was instituted back in the 1980s, it has done nothing but grow and grow in terms of cases brought by the government. Possible FCPA violations are one of those things that companies are just going to have to be diligent about seeking within their companies. Companies will have to ask: How are we handling our relationships with people overseas? How are we handling our foreign contracts? How were we getting these contracts? Just to make sure that what they’re doing follows the law.

Corporate compliance is top of mind for companies today. What does FCPA risk and enforcement activity look like?

Nobody commits a crime expecting or wanting to get caught. But as you get into a corporate structure, as you get into larger and larger amounts of money flowing through the corporate rolls, it can become harder and harder to detect. When you talk about FCPA activity, enforcement activity, and you look at the guidelines that the DOJ and the SEC are putting out; ordinarily, they adopt each other’s guidelines. The government incentivizes a corporation to disclose what they know, and what they find out about themselves. From a practical standpoint, the SEC and DOJ can’t go into every corporate boardroom or office and police these things as they don’t have the resources. So what they do is say, basically, if you come to us, we will give you a break. There’s a presumption that they will decline the case. Bring us the information, bring us what you have found – hand us the individuals who are committing wrongdoing, and we will give the company itself a break.

From a company standpoint, that’s not a bad deal. As soon as they find out that they have a problem – or may have a problem – a company can look for a meeting with the SEC or DOJ, depending on the nature of the FCPA violation. The government’s been giving some terrific incentives to get that done, and my guess is that in the future, as general counsel walk into corporate offices and boardrooms, that’s going to be one of the first things they’re going to bring up. “If we go in, we’re hoping that the government will give the company a walk.”

When should organizations be notifying their boards of directors or their investors of an impending investigation? What does that timeline look like?

Ordinarily, as counsel, if you sign on to represent a company that operates in, say, 45 or 50 different countries, your client is going to be the board. We've done investigations where sometimes we have to clarify who is hiring us, because there are going to be situations where the company is hiring you through the general counsel – and the board may have its own attorneys. That being said, if we’re talking about the board as your client, that’s going to be when you know. As counsel, you’re probably going to find out about an SEC investigation because they call you to set things up. But you will be working with the company hand in hand, on a regular basis, helping them set up a compliance program. They have to ask questions: How do we make sure that if there’s a problem, we find it? How do we vet the people who are put in these positions? How do we go behind our own people and make sure that they are not giving gifts or monies that are inappropriate to get a contract? What are the things we’re doing? And as those things are going on, presumably either the SEC or DOJ will send notice.

Their information will have come from a whistleblower. But as soon as you know, you need to sit down with the company and figure out – OK, from here on, what’s our strategy? We’ve got the SEC coming. You’ve got to sit down with the owners of the company or the directors of the company, the board, and say, “This is what I advise. What do you want to do?” Then you go from there. But those discussions have to happen as you go.

Lets talk about data retention policies and some of the implications there with General Data Protection Regulation (GDPR) and the upcoming California Consumer Protection Act (CCPA).

Let’s just start with the data retention policy. Make sure you have one. Almost every organization these days generates tons and tons of data. Sometimes it is purposeful because that’s your business. Think social media, Facebook. Sometimes it’s accidental. Think about a law firm. Think about your old business. Folks don’t make phone calls anymore. For the most part, when we communicate, we email. That’s data.

That stuff, these are all points of terrific interest to law enforcement. So the whole idea is that whatever the policy is going to be, make it a smart one because many corporations think in terms of getting rid of stuff – thinking that if we don’t have the data anymore, we won’t get in as much trouble. But the government's going to come looking at you anyway, and presumably, some of that data would actually be exculpatory. It could prove that you haven't done anything wrong. So having that data, in many situations, actually helps the company – it lets the government know, for instance, that, no, we weren’t jacking up the price of medication. No, we were telling pharmacies in central Ohio that there’s no reason that you need 10,000 opioid pills. So you don’t necessarily want to just get rid of data. The whole idea, first and foremost, is to make sure you have a coherent data retention policy.

What self-disclosure does‚ especially if you think you have a problem‚ is let you show that you’re a good citizen.

What are some of the pros and cons of self-disclosure?

It goes both ways. What the government is trying to do is get you to do their work for them. It’s not a bad thing, but that’s essentially what they’re doing. The pros are that you get to demonstrate that you are a good citizen, if you manage your own story with self-disclosure. It’s difficult to do that if you come in after the government has already done a lot of discovery, talked to other people in the industry, perhaps to a whistleblower, and that person has already set the story.

Most government enforcement attorneys don’t build their case around a story they always believe – but they do usually build their case around the first story that they hear. If your client comes in after the government has already heard one timeline for a story, your client is trying to give a side of the story after the government already has set in their minds what happened. The government will say to you, as counsel, “Well, I don’t think that’s what happened. That’s not what we heard.” So it’s hard. It’s trying to extract yourself from a hole.

What self-disclosure does, especially if you think you have a problem, is let your client show that they are a good citizen, that your client is honestly trying to clean up the problem. This is how the company discovered it, and this is how the client is fixing it, or has already fixed it. Now that story is set, and if somebody comes in after the fact, for instance, in a government interview, now it’s that individual who says, “It’s not this, it’s not that." And the government will attack it with a bit of skepticism because you’ve shown them the documents that presumably support your client’s story. Hopefully, that’s the one the government will adopt, because it should be true. It is also the first one that's been provided to the government, so your client is operating from an advantage point.

The cons really are that the government is basically asking you, to some extent, to help them tie the rope with which they’re going to hang you. What you’d like to do is identify individuals, and you want to say that these former corporate employees are outliers. That this bad activity is not how we as a company operate. But as you walk up the chain of command in any company, that gets harder and harder to do, as the people get higher and higher in the company the more difficult it is to make a case that an executive should be the target of an investigation that will be shared with the government. It’s one thing if the wrongdoer is a salesman, and somebody says, “He should’ve known better. We told him not to do that.” But it’s another thing when they are the CEO. It gets harder and harder to distinguish the CEO’s activities from the company’s activities. Now the company is really tying its own noose, and the government is just going to stick your head in it.

You’re hoping that your client is the first one in the government’s door, like I said, but you really don't know. Let’s say the government does not buy your story, and they want to prosecute you. Now they’ve essentially got statements that the company has adopted, even if they came through counsel, and the company is married to those statements. It’s not so much that you can’t change your story, especially if you find new information and later do a more thorough internal investigation. But it just erodes the government’s confidence in your client’s story of how things at the corporation should operate, or how things were operating there. It’s just one of the dangers. It’s nothing you can really call back. There are ways to try to mitigate that as an attorney, but for the most part, it can make it harder to mount a defense. All of a sudden, you’ve got all these statements floating around, and perhaps not helpful ones, because you went in for a self-disclosure.

That’s one of the reasons that you try to have a very aggressive compliance policy. You have to have a compliance policy that fits your company, not one that you picked up on some blog. Quite frankly, no system is perfect. People can always game the system. You can develop any kind of compliance program you want. It’s always enforced by and applied to humans, and humans are your biggest problem. They just are. If we were a company that was nothing but machines, we'd be OK. But humans will always be capable of wrongdoing, and so the question is, if you find a problem and you go to the DOJ or the SEC, they’re going to look at you, and they’re going to say, “What did your client do to try to prevent this?" You need to have an answer, and the answer better be, “We tried everything we could. This guy was just hell-bent on the bonus for getting into Myanmar, and he was going to bribe somebody, because from his standpoint it was worth it. We fired him, and we’ve cleaned it up.”

Published .