Anyone looking for a step-by-step approach to conducting lawful corporate investigations can steal some ideas from the Association of Corporate Counsel.
The ACC presented a panel discussion on internal investigations during its annual conference in Boston last week, and posed the following hypothetical: One of the company’s office managers has received an anonymous e-mail, where the writer claims to have compromised the salary and bonus information of several executives. The writer also claims to have stolen proprietary software from the company, whose customers are mostly manufacturers, and plans to give it to a competitor.
You, the general counsel, must investigate. How do you proceed?
Narine
First, said Marcia Narine, deputy general counsel and vice president of global compliance and business standards of Ryder System, is to confirm whether the information—in this case, the salary data or the software the writer mentioned—is accurate. Once you confirm that the threat appears real, the next step is to assemble a small team to help the investigation. Your first call should be to outside counsel, the second to the chair of the audit committee, Narine advised.
As to bringing other internal employees into the investigation, proceed with caution. John Lewis, senior managing litigation counsel for Coca-Cola Co., said general counsels must consider “the architecture of the case” before deciding who can be trusted for help.
For example, who would have had access to that salary data in the first place? It could be anybody from the IT, payroll, or human resources departments, Narine said. “You have to be relatively suspicious.”
“The company owns the information inside the employee’s head and has a right to know it and to impose consequences if the employee doesn’t comply.”
—John Lewis,
Senior Managing Litigation Counsel,
Coca-Cola Co.
In addition, be prepared to answer questions employees might ask (such as how the perpetrator obtained the data) before alerting them to the existence of the investigation—because once they know about it, Narine warned, the company is taking the risk that one of them will report it to regulators.
Martin
Ralph Martin, a former district attorney in Massachusetts and now managing partner at the Bingham Consulting Group, did quip that regulators aren’t “twiddling their thumbs” looking for investigations to launch; they already have much to do and generally want to take a case only when others have done the preliminary work. In this particular case, he said, the e-mail alone did not contain enough information to spark a regulatory probe.
Maintaining Control
Handling investigations internally, rather than notifying regulators, has other advantages. Foremost, since you already know the organization, you can identify where to start gathering evidence much more discreetly, determine the true severity of the threat, and pinpoint where the risk exposure exists, Martin said.
Contrast that efficiency to the time regulators would spend simply getting acquainted with your enterprise—“and that is purely advisory on your part, because you don’t control it,” Martin said. “Once you go to the authorities, you give up control.”
Also remember that some situations do call for immediate regulatory attention: if someone’s life is in danger; if valuable assets are lost; if certain laws or regulation, or even internal corporate policies, require immediate reporting.
Lewis
Lewis noted that the Sarbanes-Oxley Act does give companies the ability to launch investigations quietly, by using SOX audits as an excuse to check internal controls. For example, a SOX audit can review how shared financial resources work, who codes them, and who has access to that data. This act of “sleuthing” can eventually lead to those individuals, resources, and geographies that will narrow your investigative search, he said.
WHEN TO INVESTIGATE
The following excerpt from the ACC’s “The Use of Lawful and Ethical Strategies” discusses pursuing investigations and gathering evidence:
I. What Kind of Cases Call for an Investigation?
Internal investigations: Contract/Purchasing Fraud. Examples:
- Kickbacks paid by vendors
- An employee has an undisclosed ownership interest in a vendor
- Fictitious vendor scheme—(An employee sets up a company; the employee bills the corporation
for fictitious services and causes payments to be made to the fictitious company.)
Foreign Corrupt Practices Act
- Bribes paid to government officials by employees
- Bribes paid to government officials through corporate agents or representatives
Theft of intellectual property/trade secrets
- Stealing private data
- Selling private data to competitors
- Laying the groundwork to quit and set up a competing firm, using company IP
Internet Torts and Crimes
- Defamation of company name, corporate officers, etc. through anonymous e-mails, blogs, bulletin
boards, chat rooms, and social networking sites
- Extortionate threats to do harm and damage
- Disclosure of confidential information
- Hacking into mainframes and e-mail to steal data or disrupt business
Other examples
- Sexual harassment; Age/race/discrimination allegations
- Expense account fraud
- Stealing inventory and other company property
- Misappropriation of confidential or proprietary information
II. The Search for Evidence: Where Supporting Evidence Can Be Found
Obtaining evidence under your control (subject to compliance with company policies, laws and
regulations)
- Image the subject’s company desktop and/or laptop computers, Blackberry/handheld device to
examine:
E-mail and Webmail
Word files, Spreadsheets
Calendars and Contacts files
Internet searches made by company employees
Search the unallocated space of the computer for deleted data
- Suspend the deletion of data from the company server
- Obtain:
(1) Company telephone dial-out records to trace the subscribers of called numbers
(2) Office card access records
(3) Building visitor logs
(4) Records of mailings from the company by the subject
(5) Company expense accounts
- Search the employee’s office (subject to company policy and applicable law)
- Audit vendor list for fictitious companies and undisclosed interests
Evidence publicly available
- Conduct a background investigation of the subject
Criminal and civil litigation
Judgments and Liens
Debt and bankruptcy
Business Registrations
- Internet research—Investigations of hackers, defamers, extortionists, and other abusers of the
Internet
Analyze metadata and internet service providers
Interview prospective witnesses: employees, former employees and employers, vendors, customers, and
litigation adversaries
Source
ACC: The Use of Lawful and Ethical Strategies (Oct. 20, 2009).
Expense reports are another lucrative area for investigation. Compare employees’ reports to records from vendors or customers to find any disparities, Martin said. Also watch for suspicious behavior, such as two employees expensing a company lunch when there is no business reason for it—those can be the sort of events where data is transferred from one computer to another, Narine said. “You never know how these things are going to work out.”
Companies can also search numerous public records, such as court judgments, debt and bankruptcy filings, and new business registrations. Personal credit reports are not on that list, Narine said, but they aren’t always helpful anyway; thieves can still have good credit.
Do be wary of the rules of electronic communication. If you’re going to conduct a search of employee data, the company must have a policy that clearly states the employee has no expectation of privacy in workplace communications, experts say.
Sooner or later, however, most serious internal investigations eventually are passed along to regulators; once that happens, the company has a new level of complexity to handle. Lewis’s advice: “When you notify regulators, you have to assume you’re going public.”
That means the small team that did the original investigation should be prepared for media scrutiny, so the company must, in turn, prepare that team. For example, Narine said, the corporate communications department should be able to supply the team with official statements.
Communication Techniques
Face-to-face communication is critical during an investigation, and legal officers should even put that into practice before any investigation comes along. Narine said she meets with multiple investigative firms from places where Ryder does business simply to build rapport. That way, she said, “If we ever had an issue like this, I’ve already met this person.”
That same level of personal communication is important when interviewing a witness. Narine said she goes so far as to tell outside counsel to dress casually when they are called, since some people won’t talk to them if they look intimidating.
If a witness does refuse to comply, the first thing an employee should know is that he does not have a right to remain silent. “The company owns the information inside the employee’s head and has a right to know it and to impose consequences if the employee doesn’t comply,” Lewis said.
Martin advised that legal or compliance officers should tell the witness that they represent the company rather than any employee (the so-called “Upjohn warning”), and that while they will try to keep information confidential, that cannot be guaranteed.
Martin said interrogating employees can be a question both of strategy and corporate culture. How important is this information to you? Do you have other ways of obtaining it from the employee? And if you never intend to go to court and just want to fire the employee, evidence may not matter anyway, he added.
One mistake you don’t want to do: fire the employee right away, because the company will most likely need this person for information, Narine said.
Serious investigations such as the hypothetical e-mailer do require an all-hands-on-deck attitude, Martin said; 20-hour days might not be uncommon. But if the team works effectively, the probe should reach its main conclusions quickly—ideally, he said, within a week.
No comments yet