Preparing Your Client For Internal Investigations

Editor: Please tell our readers about your practice.

Christie: I am a former federal prosecutor in New Jersey where I headed the Computer Hacking and Intellectual Property section of the U.S. Attorney's Office. Now that I'm in private practice, I am often called upon to handle internal corporate investigations in a number of areas, including potential Foreign Corrupt Practices Act (FCPA) violations. I also frequently represent companies under investigation for and accused of white collar criminal conduct, some of which is discovered during the course of internal investigations. On the civil side, I focus my practice on intellectual property litigation. This includes a wide variety of patent, trademark and copyright infringement and theft of trade secret matters, including cases involving Internet and information technology issues. Moreover, I do a significant amount of litigation and client counseling in the data privacy area.

Editor: One theme of a recent ABA seminar you participated in had to do with how the regulatory framework and environment have affected the management of internal investigations. Would you give us a snapshot of your views on this subject?

Christie: Internal investigations have reached a new plateau, largely because the government is devoting substantial time, energy and resources to investigating corporate malfeasance. As a result, both inside and outside counsel of companies that formerly minimized or disregarded internal problems are taking these matters more seriously. In particular, the Department of Justice (DOJ) is going after companies and corporate officers for FCPA violations. Because enforcement involves not only fines but significant prison sentences, corporate officers increasingly realize that these issues must be addressed in an effective manner.

Historically, the FCPA was an underutilized statute, devoted in large part to the oil and gas industry; however, within the past five years, the government has taken a more aggressive stance, making no secret of its intention to focus on these activities in a number of targeted industries, especially the branded pharmaceutical industry.

For example, the government's target may be sales representatives who are making illegal payments in order to accomplish their sales targets. There is a whole additional layer of risk for multinational companies because they have to be cognizant not only of their U.S. sales force and domestic activities but also of activities by foreign agents and representatives. International companies need to be very careful to avoid inadvertently violating the FCPA, especially in countries where they don't have a large hands-on presence and are dealing primarily through intermediaries.

Editor: Has the DOJ also gone after foreign companies or foreign personnel of U.S. companies?

Christie: Yes, not only foreign companies but also foreign nationals. Jeffrey Tesler, a U.K. solicitor, was charged with FCPA violations for paying bribes to Nigerian government officials to obtain contracts from the Nigerian National Petroleum Corporation. The U.S. government pursued his extradition aggressively. When it was clear that the U.K courts were not going to protect Mr. Tesler, he pleaded guilty to FCPA violations. This case highlights that not only foreign companies but also foreign nationals are getting caught in the enforcement net and are suffering the consequences.

Editor: I suppose the Siemens case is a classic example.

Christie: Right. That case involved widespread problems with Siemens and a number of its international subsidiaries paying gratuities and bribes totaling more than $1 billion. Such conduct resulted in fines and penalties to Siemens in the hundreds of millions of dollars, not to mention significant damage to the company's reputation.

Editor: Has the SEC tightened its standards so that companies need to take further steps regarding internal controls and reporting systems?

Christie: Yes, frequently the DOJ and the SEC take a tag-team approach; they cooperate so that each of them gets credit for the investigation of the same target. Companies can get blind-sided if they don't focus on both governmental entities because the SEC certainly will want to extract penalties separate and apart from those of the DOJ. Given the Sarbanes-Oxley obligations, corporate officers who are signing off on behalf of their companies must be careful to ensure compliance with FCPA requirements and SEC regulations.

Editor: Please give us one or two examples of the types of investigations you plan to discuss at the seminar.

Christie: We plan to address a variety of different experiences and factual scenarios. This certainly will include instances where a U.S-based company is trying to expand its sales internationally with sales representatives about whom they have very little information or knowledge and with whom they have not conducted an appropriate training program. In one instance, I had a similar experience with a multinational company dealing with representatives in a foreign country who had inappropriate ties to and relationships with government officials that should have been relatively clear to management. Because of this neglect, the company drew the attention of the government and was investigated for FCPA violations. Vetting and monitoring of foreign representatives is a key issue.

Another critical issue is self-reporting violations to the government. Under some circumstances, it can work to the company's benefit. However, there are significant risks that must be considered before going down that road.

Editor: In seeking to ensure compliance with respect to foreign representatives and due diligence, how can companies manage privacy laws abroad? How can companies show that they've done all that they can?

Christie: This can be a problem. For example, the EU has very strict data privacy laws and regulations which can hamper the ability to conduct comprehensive due diligence. I counsel my clients in many instances to hire a reputable, third-party service provider to conduct the due diligence on behalf of the company and produce a report. This way, if a compliance issue arises, the company may be shielded from problems with the enforcement agencies.

Editor: How can a company ward off government-inspired investigations by conducting strict internal investigations to determine wrongdoing or just lax controls?

Christie: Unfortunately, in the current environment, just one whistleblower can create a mountain of trouble. The key is to realize that while you can't ward off problems completely, you can ameliorate them somewhat by taking the process seriously. This involves putting compliance policies into effect that are appropriate for your industry and the size of your company, and regularly following up with and keeping track of employee compliance with these policies. If the government initiates an investigation and your conduct is being scrutinized, the situation can spiral out of control quickly.

Editor: It seems that the Dodd-Frank whistleblower provision is making it even more incumbent on companies to be careful.

Christie: That is true because it encourages whistleblowers to report directly not only to the DOJ, but also to the SEC. There are significant financial incentives for them to provide information on the companies for which they currently work or previously worked. Anyone who believes he or she has been slighted or is disgruntled can be a potential whistleblower, which increases the potential sources of information that can trigger a government investigation.

Editor: What are your suggestions to clients for protecting intellectual property by way of internal controls? Should they conduct internal investigations from time to time to ascertain that there is no leakage of sensitive information via the Internet?

Christie: IP protection is a critical problem, especially when dealing with foreign companies or agents in foreign countries where IP laws may not be as well drafted or enforced as in the U.S. I counsel my clients to avoid sharing IP outside the U.S. unless it's absolutely necessary for conducting business operations. Companies must ensure that their relevant contractual documents are crystal clear about forbidding transfers of IP rights and in specifying licensing terms so as to preserve control and use of IP.

Furthermore, companies should conduct periodic testing, through electronic and non-electronic means, to ensure that IP security measures are in place and functioning properly. Such security testing can involve hiring individuals like white-hat hackers to attempt to penetrate company computer systems. It also can involve hiring someone to attempt to physically gain unauthorized access to your premises through social engineering and a variety of ruses. Penetration testing as a means of protecting IP is something I counsel clients to seriously consider.

Editor: How has social media changed the landscape with respect to internal investigations and controls?

Christie: Social media has made the challenge of protecting company information all the more difficult because any individual within your organization can inappropriately publicize information which may be proprietary or embarrassing without your knowledge. Consequently, the ability of a whistleblower to gather information that may be of interest to the government is enhanced through social media avenues. I advise my clients to complement their FCPA counseling with a strong social media policy in which they inform employees as to the appropriate rules on the use of social media in the workplace. Part of the culture of compliance in the social media area is the broader issue of educating employees that electronic communications should be taken just as seriously as formal written memos, both as to content and to distribution.

Editor: How are companies balancing the need to limit document populations for purposes of e-discovery versus the need to preserve documents that may be helpful in internal investigations?

Christie: Large multinational companies generally have a pretty good handle on this issue with document preservation and destruction policies that are reasonable and defensible. On the other hand, I often have found that smaller companies do not destroy documents at all and keep them for years on end. I counsel my clients to implement and maintain a uniform policy for categories of both paper and electronic records, whether it's three years, five years or seven years. Regardless of whether the documents are helpful or harmful they are destroyed on a regular and consistent basis. When there are document demands, the company can credibly respond that certain classes of documents are kept for only a certain number of years.

Editor: What are the standards one should follow to conduct an effective and ethical internal investigation?

Christie: First and foremost, you must meet your ethical obligations as an attorney. You are an advocate for the interests of your client, the company, not any of the corporate officers or employees. The Upjohn warnings should make clear to officers and employees that they need separate counsel if they believe legal representation is warranted. In the internal interview process, it also is important to request that interviewees keep matters confidential to prevent the content of an interview from being disseminated outside the company to third parties, including to the government. Another challenge is maintaining the attorney-client and work product privileges. Trying to maintain control over and preserve these privileges requires constant vigilance, especially in an era when the government is encouraging and, in some instances, providing benefits to companies to self-report violations uncovered during internal investigations.

Published .