Lessons Learned: The General Counsel "Take-Away" From The Hewlett-Packard Affair

By the time this article goes to press, the former Chair of Hewlett Packard's Board of Directors, Patricia Dunn, will likely have received her trial date for charges filed against her last fall by California's Attorney General, Bill Lockyer. Lockyer has charged Dunn and four others with conspiracy, wire fraud, unauthorized computer access, and the unauthorized use of phone records for an unlawful purpose. The charges stem from an internal investigation of board-level leaks at HP between 2005 and 2006. Dunn commissioned an investigation of the leaks in February 2005, which ultimately identified a board member as the source, but at a huge cost. One of the methods used by the investigators - the impersonation of directors and news reporters to obtain revealing phone bills - violated California law as interpreted by the State's Attorney General.

What lessons have been learned from this debacle, and how can you, as General Counsel, advise your corporate boards and CEOs on how best to avoid Dunn's fate?

Lesson 1: GCs should normally insist that outside counsel represent directors and senior executives who are the subjects of internal investigations.

The State's best evidence regarding Dunn's knowledge of the allegedly unlawful investigative technique consists of statements she made after the fact during an "investigation of the investigation." Attorneys from the law firm of Wilson, Sonsini, Goodrich & Rosati, who used to represent HP's board but no longer do, interviewed Dunn in August 2006. Well before any of the interviews took place, Ann Baskins, HP's General Counsel, learned that a disgruntled HP director had complained to the board that the leak investigation had violated criminal laws. Baskins also knew, at least before Dunn's last interview, that the disgruntled director had filed a criminal complaint with the California AG.

Within this context, the Sonsini firm proceeded to interview Dunn in a manner designed to assess culpability. Typically, companies advise senior executives and directors to obtain their own counsel in this situation. Indeed, most companies, including HP, indemnify their board members and executives for this expense beginning at the point when any investigative, civil, or criminal action is "threatened." Not here. Baskins permitted the Sonsini firm to interview Dunn without counsel on three occasions. Each time, the outside lawyers pressed Dunn harder to remember the past in a manner no lawyer with her interests in mind would have permitted. The damage is irrevocable: the California AG could not have brought charges against Dunn without these statements.

Baskins's own interviews with the Sonsini firm - peppered with qualifications about her lack of memory, knowledge, and involvement - demonstrate that she likely knew the perils of "culpability" interviews. At a minimum, she should have been aware that her knowledge and that of others was the only issue, that their statements could later be admitted against them at a trial under an exception to the hearsay rule for "admissions," that (misplaced) reliance on legal counsel would not protect them, and that every word they uttered would later be taken out of context through the distorted lens of hindsight. General counsel have a duty to advise board members and senior executives regarding legal risks stemming from the performance of their duties and should in most cases insist that they retain counsel before submitting to "culpability" interviews.

Lesson 2: GCs should guard against any comfort they derive from simply "hiring the best."

In early February 2006, Baskins called Brian Jenkins, a nationally recognized expert in corporate emergency responses, to ensure that HP's investigative team had deployed the best process for identifying the source of the board leaks. Baskins and an HP staff attorney she had assigned to supervise the investigation, Kevin Hunsaker (who has been charged with Dunn), met jointly with Jenkins in early February 2006. According to both Baskins and Hunsaker, Jenkins encouraged HP to use a "pretext" to obtain phone records of calls placed by the news reporters and directors they suspected. Jenkins assured Baskins that first-tier investigators commonly used the technique.

Baskins arguably received comparable third-party sign-off on the question of whether the technique was legal. She shared the internal report on HP's investigation with Larry Sonsini before Dunn took the matter to the HP board on May 18, 2006. Sonsini had served as outside counsel to the board for years and enjoyed a wonderful reputation. Sonsini concluded - both before the fateful board meeting on May 18th and after his firm's "investigation of the investigation" in August 2006 - that the "pretext" method of obtaining phone records did not violate the law. Unfortunately for Dunn, he may have been wrong.

This disconnect between arguably first-rate, third-party endorsement, on the one hand, and the Attorney General's charges on the other, coupled with the unavailability in a criminal trial of the "reliance on counsel" defense for so-called "general intent" crimes, highlights the need for every company to re-evaluate its internal investigation playbook.

Lesson 3: General counsel should adopt controls for internal investigations that balance the need for active oversight by management against the risk of legal liability for knowledge of conduct later called into question.

A knee-jerk reaction might prompt companies to adopt investigation protocols which insulate senior executives, including the GC, from knowledge regarding the techniques they deploy. While this has superficial appeal, "willful blindness" represents legal folly. Judges routinely instruct juries that they may convict if they find a defendant "turned a blind eye." Society, moreover, has a vital interest in corporate accountability and clearly expects more from an ethical company.

The solution lies in the process by which companies supervise their operatives. In between the extremes of micro-management and gross negligence lies a middle ground. The controls outlined below free executives from the perils of supervising work outside their core competence while at the same time permitting them to control and supervise their agents without legal hazard.

The recommended protocol borrows heavily from corporate financial controls required by the Foreign Corrupt Practices Act (FCPA) and the Sarbanes-Oxley Act ("SOX"), and from model compliance protocols advocated by the U.S. Sentencing Guidelines (USSG). The proposal also borrows from the FBI's internal procedures governing covert electronic operations. In short, the controls contain the elements of managerial design, reports, enforcement, and assessment.

Managerial Design. In order to fulfill their responsibility to supervise corporate agents, senior executives must design, or oversee the design of, the controls that govern internal investigations. The controls need not be complex; they need only be clear: investigators should only deploy investigative techniques which have been approved for use in the jurisdiction in question by third-party legal counsel. For example, the laws on tape recording conversations of another party vary from state to state. The company need not fear excessive legal expense. Companies can maintain a register, or grid, of approved techniques by jurisdiction to avoid the cost of duplicative approvals. The register, however, must be updated periodically to capture evolving trends, and must describe approved techniques in sufficient detail to capture the nuances of privacy and property interests involved.

Reports. The controls should require two types of reports: departmental reports for use within the company's security component only, and summary reports for management.

A. Security Department Reports. The company's security employees and/or outside consultants should prepare departmental reports as events unfold. They must record in writing their compliance with work-flow rules, including the third-party legal sign-off of all techniques deployed.

B. Management Reports. As Dunn's plight has made clear, managers who are aware of illegal conduct committed by their employees and agents can be held criminally liable. This principle applies in many jurisdictions, including California, even if the manager believes the conduct is lawful based on the advice of counsel. The theory behind this sometimes harsh rule is that everyone must know what the law forbids. Exceptions apply in only the rare instances where the criminal statute makes intent to violate the law an element of the offense, such as in the illegal structuring of financial transactions. The lesson from this for a general counsel is clear: detailed investigative reports provided to management may, after the fact, give the appearance that management understood and approved unlawful techniques deployed by the company's investigators and/or consultants. Managers do not need to review detailed reports, however, as long as they have previously put in place controls to ensure only lawful techniques are used. A summary report in that environment will suffice so long as it includes a certification by the investigators that they have complied with all work-flow requirements, including third-party legal sign-off. In the unlikely event that an illegal technique is in fact deployed, the principle of "constructive knowledge" - by which the law attributes knowledge to a person who should have known - will not apply because the company previously implemented controls fairly designed to ensure legal compliance.

Enforcement. The controls should require the individual with responsibility for corporate security to enforce compliance with the investigative controls through appropriate incentives and disciplinary measures. This individual should also be required to report periodically to senior management, and, as appropriate, to the audit committee of the board, on the effectiveness of the protocols.

Assessment. The final component of the proposed controls consists of periodic and regular assessments of the protocols themselves. This ensures that the company's employees and consultants are complying, and that the protocols work as planned. This final step may be performed either directly by senior management or under senior management's supervision. The assessment process should require senior management to report to the audit committee any material weaknesses or changes.

In sum, the internal controls required by the FCPA and more recently by the USSGs and SOX provide a useful framework by which general counsel can design and implement investigative controls. These protocols serve both to ensure compliance with the law and to protect senior executives from the perils of actual or constructive knowledge like that attributed to Patricia Dunn.
