Internal Investigations: Potential Pitfalls to Navigate in the First 30 Days
With the anticipated increase in enforcement activity by the SEC, CFTC, and DOJ, among other agencies, companies need to be prepared to conduct internal investigations in response to requests for information or subpoenas from those agencies. Conducting an investigation that will withstand scrutiny from regulators is critical if the company wishes to receive voluntary cooperation credit and resultant leniency on civil and criminal penalties. Indeed, a poorly run investigation could lead to a denial of such credit. The decisions made in the first 30 days of an internal investigation can often have an outsized effect on the course of the investigation and ultimate settlement. This post reviews some of the critical decisions about document collection and preservation that need to be made in the first 30 days of the investigation and the pitfalls for the unwary.
Scoping strategically. Neither companies nor the regulators want an internal investigation that sweeps in voluminous amounts of emails and documents that will bog down the search for relevant information and drive up costs. Having a basic working theory of the issues that may be driving a regulatory or DOJ criminal request for information can assist in scoping the investigation by helping identify files and custodians that may have relevant information. Early scoping interviews can help identify possible parameters of the document collection. However, understanding what is driving a document request is easier said than done. The SEC and DOJ, in particular, are disinclined to share their theories of investigation in the early stages of an investigation, although it never hurts to ask a regulator what types of documents they are really seeking. In some cases, events preceding a request for information, such as legal allegations filed against the company, may shed light on issues behind the request.
One often overlooked step that counsel can take early in the investigation is to work with the company’s compliance and legal departments to review internal and external allegations made through the company’s reporting channels. These allegations may shed light on issues that may have been reported to regulators by a potential whistleblower.
Other steps can also be taken to narrow the scope of an investigation. Regulators may be more willing to engage in a dialogue with the company on issues such as identifying relevant time periods for individual document requests and determining if document searches can be limited to certain business units or geographic locations. These narrowing decisions should, ideally, be made before collection begins.
Limiting custodians. Identifying custodians by selecting all personnel within certain business units or largely based on an organizational chart may be appropriate in certain limited cases, but most investigations require a more tailored approach. Failure to reasonably limit the number of initial custodians in the first instance to those who are likely to have the most relevant information will result in excessive documents identified for review and will slow the investigation’s ability to identify truly relevant materials. There is understandably some hesitancy about being too narrow in the selection of custodians, given the U.S. Justice Department’s requirement that companies “identify all individuals substantially involved” in the conduct at issue. Identifying custodians with decision-making authority regarding the subject of the document request is usually a good place to start, as well as those custodians in relevant corporate functions, such as finance or investor relations. Custodians can always be added based on evolving information, but even the best de-duping technology is no match for the sheer volume of data that each additional custodian’s email inbox may add to the document review.
Understanding Retention Policies and Practices. Understanding a company’s retention policy, including informal practices not documented within the policy, is critical, since at some point the company will be required to represent to regulators whether it has been able to access all documents that fell within the scope of the request. In the case of younger companies, or companies that have recently completed several strategic acquisitions and have been operating from different technology platforms, counsel should look behind the formal policy to understand what practices have been in place for email, business records, and records on shared platforms. These may not all follow the same retention practice, and there may be a gap in retention for some records.
Preserving and Collecting Text Messages. Businesspeople have increasingly found that text messaging provides flexibility for communicating with colleagues. Companies, however, including established companies, often do not have established policies governing the use or retention of text messages. The failure to address the collection of relevant text messages early in the investigation can have significant effects later, if such messages have not been retained, particularly if a regulator has reason to believe that text messages contain pertinent communications. The SEC and DOJ include text messages in their document requests, and the DOJ has stated that cooperation credit may turn on whether a company has taken steps to preserve electronic communications that include SMS and text messages. The use of iMessage presents a particular challenge, because unlike SMS messages, iMessages are not stored on the servers of a company’s cellular carrier. Thus, if a user’s phone is not set to store all iMessages in iCloud, it may be impossible to retrieve those messages. Counsel should prioritize working with the company to immediately ensure that the text messages of relevant custodians are collected and that their mobile phones are not set to automatically delete text messages periodically. Known gaps in available data as of the time the request for information was received should be fronted early with regulators.
Implementation of Litigation Holds. A litigation hold is only as effective as its implementation, and this can present challenges, particularly as non-email documents are often stored in multiple locations and a company’s legal and IT departments may have difficulty identifying the relevant locations to ensure preservation. Similarly, as noted above, text messages present a host of issues related to retention, and counsel should ensure that the company’s legal and/or IT departments have given text message retention instructions to relevant custodians.
Addressing Privacy Laws in Non-U.S. Jurisdictions. Any collection effort that involves collecting emails, text messages, and other data from servers or personal devices in certain Western European or Latin American countries will implicate significant privacy laws, such as the EU’s GDPR. Counsel and the company’s in-house legal team should identify all potential custodians in such jurisdictions and work with the company’s privacy counsel to develop a legal plan to address such issues as soon as possible, as these issues can be protracted. In some cases, it may be necessary to engage with local works councils in Europe, which can delay the ability to review documents. Moreover, fronting such issues with regulators early in the investigation should be considered, so that regulators are aware from the outset of the investigation that privacy laws are implicated. The company should also be prepared to demonstrate that it is making all good faith efforts to work through the data privacy issues to be able to produce relevant documents.
While not exhaustive, the preceding issues, if not proactively addressed, have the potential to evolve into larger problems that may call into question the integrity of the investigation and the company’s cooperation. The company and its counsel would thus be well-served by addressing these issues at the outset of an investigation.
 See U.S. Dep’t of Justice Manual (“Justice Manual”), Principles of Federal Prosecution of Business Organization, at §90-28.700; SEC Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions, Exchange Act Release No. 44969 (Oct. 23, 2001).
 See Justice Manual, Principles of Federal Prosecution of Business Organization, at §90-28.700.
 See Justice Manual, FCPA Corporate Enforcement Policy, §9-47.120 (identifying personal communications as potential business records that should be retained).
 GDPR Article 44 establishes a presumption that personal data will not be transferred to a country outside of the European Union unless certain conditions are satisfied.
 See Justice Manual, FCPA Corporate Enforcement Policy, §9-47.120 (stating that a cooperating company “bears the burden of establishing” the prohibition of production of documents due to overseas data privacy laws).