Resources

Federal Government Websites
Dept. of Health and Human Services (HHS)
Dept. of Justice (DOJ)
Dept. of the Treasury
Environmental Protection Agency (EPA)
Federal Trade Commission (FTC)
Financial Crimes Enforcement Network (FinCEN)
Occupational Health and Safety Administration (OSHA)
Public Company Accounting Oversight Board (PCAOB)
Securities and Exchange Commission (SEC)
United States Sentencing Commission (USSC)
United States Supreme Court

Federal Agency Resources
EPA: Environmental Audit Policy
FinCEN: Bank Secrecy Act Regs
FTC: Financial Privacy: Gramm-Leach-Bliley Act
HHS: Health Care Compliance Guidance
HHS: HIPAA Compliance
OSHA: Workplace Self-Audit Policy
PCAOB: Audit Standard No. 2
USSC: Organizational Sentencing Guidelines
USSC: Advisory Group on the Organizational Sentencing Guidelines
USSC: Post-Booker Developments

Federal Prosecutorial Resources
Antitrust Leniency Policy (DOJ)
Seaboard Report (SEC)
Thompson Memorandum (DOJ)

Private Organizations
ABA Business Law Section, Corporate Compliance Committee
Association of Corporate Counsel: America
Business Roundtable
The Conference Board
Corporate Compliance Center (South Texas College of Law)
Ethics Officers Association
Ethics Resource Center
Greater Houston Business Ethics Roundtable
Open Compliance and Ethics Group
Texas General Counsel Forum

Private Resources
Industry Specific
Defense Industry Initiative on Business Ethics and Conduct
Health Care Compliance Association
Risk Specific
Association of Certified Anti-Money Laundering Specialists
International Compliance Association (anti-money laundering)
NASD Rule 4350 (Corporate Governance)
NASD Rule 3011 (Anti-Money Laundering)
NYSE Listed Company Manual Section 303A (Corporate Governance)
Aspen
Transparency International (foreign bribery)
Transparency International: USA Anti-Bribery Toolkit

Case Law
Burlington Industries v. Ellerth
Faragher v. City of Boca Raton
Kolstad v. American Dental Association
United States v. Booker
Sentencing Law & Practice

Compliance and Ethics Publications
BNA/ACCA Compliance Manual
ethikos

Related Blogs
White Collar Crime Prof Blog
Sentencing Law & Practice

Free Legal Web Sites
Findlaw
JURIST

Blogware

Powered by TypePad

Notices

© Copyright 2005 by Law Professor Blogs, LLC. All rights reserved.

September 08, 2005

Thompson Memorandum -- MCI Enters Non-Prosecution Agreement

The White Collar Crime Prof Blog posted last week on the non-prosecution agreement between MCI and the US Attorney for the Southern District of New York regarding the WorldCom accounting problems.  (MCI being the successor to WorldCom.)  That post provided a great discussion of the government’s likely enforcement priorities.  Here, I’ll highlight the portion of the USA’s release that discusses the Thompson Memorandum in explaining why MCI was not prosecuted.  Prior posts explain the origins and content of the Thompson Memorandum, which sets forth the factors federal prosecutors are to consider in deciding whether to bring charges against an organization.  The USA’s release offers the following discussion of MCI’s behavior in relation to the Thompson Memorandum:

The decision by the United States Attorney not to pursue criminal charges against the company was based on the factors set forth in former Deputy Attorney General Larry Thompson’s memorandum entitled Principles of Federal Prosecution of Business Organizations. The decision was based on, among others, the following significant factors: (1) MCI’s full and complete cooperation with the Government’s investigation; (2) MCI’s prompt settlement of an enforcement action by the United States Securities and Exchange Commission (“SEC”), a settlement which included the payment of a $750 million civil monetary penalty, which provided restitution to victimized shareholders; (3) MCI’s substantial remedial actions since disclosure of the fraud, including the implementation of entirely new management and a new Board of Directors; and (4) the negative effect that charges against MCI would have on the company’s innocent employees and legitimate activities.

MCI self-reported its discovery of the fraudulent accounting entries that were at the heart of the WorldCom fraud in June 2002. Since that time, MCI has fully cooperated with the Government’s investigation, by, among other things, providing the Government with requested documents, making employees available for interviews with Government investigators in the United States, and making appropriate waivers of applicable privileges in order to make certain requested information promptly available to the Government. The Company identified for the Government early in the investigation the documents that it believed to be most relevant to the investigation and produced those and other documents to the Government in a format to permit efficient investigation by the Government.

Also, MCI has undertaken significant remedial measures over the last three years. Since the disclosure of the fraud, MCI has terminated virtually every employee who played even a tangential role in any aspect of the fraud involving WorldCom’s revenue or line cost accounting. MCI has completely new senior management. In addition, MCI’s Board of Directors has been completely replaced.  On November 26, 2002, the SEC obtained a judgment against MCI through which it obtained the full injunctive relief it sought against WorldCom. In addition, the judgment ordered WorldCom to undertake extensive reviews of its corporate governance and internal controls, and required WorldCom to establish a training and education program for WorldCom officers and employees to minimize the possibility of future violations of the federal securities laws. On July 7, 2003, the monetary settlement between MCI and the SEC was approved, thereby requiring MCI to pay $500 million in cash and approximately $250 in common stock to victims of the fraud.

In July 2005, MCI entered into an agreement with the Class and Ebbers. As part of that agreement, Ebbers agreed to turn over virtually all of his assets to a trust. Those assets will be sold in the coming months, with the proceeds being split between the Class and MCI. The Class will receive 75% of the proceeds of these sales, and MCI will receive 25% of the proceeds, except in the case of the Joshua Timberlands property, as to which MCI currently has a lien and for which the proceeds of any sale will be split 2/3 for the Class and 1/3 for MCI.

Because MCI has cooperated fully with the Government’s investigation, has implemented substantial remedial efforts, and has paid $750 million in restitution through the SEC, the public interest has been sufficiently vindicated by the successful criminal prosecution of the principal individual wrongdoers – Bernard Ebbers and Scott Sullivan. Moreover, criminal prosecution of the company would likely have a severe and unintended economic impact upon thousands of innocent MCI employees and could harm the impending merger between MCI and Verizon Communications Inc. Accordingly, the Office has determined, after carefully balancing all of the factors set forth in the Thompson Memorandum, that criminal prosecution of MCI would not serve the public interest, so long as MCI fully complies with the terms of the Non-Prosecution Agreement.

I have not been able to find a copy of the Non-Prosecution Agreement, but I will post a link if it becomes available.

Two observations.  First, as discussed in prior posts, the government gave great weight to MCI’s self-reporting and cooperation with the government.  Indeed, that is the first factor the government mentioned.  Also, the release explains what MCI’s cooperation entailed:

The last factor – waiving the privilege – is one that I have blogged on repeatedly before.  Also, this is an issue on which I respectfully disagree with one of my colleagues at White Collar Crime Prof Blog.  I am not troubled by the government seeking waiver of the attorney client privilege based on its assessment, on a case-by-case basis, that waiver is necessary to disclose all relevant facts.  Organization’s are not legally required to make such a waiver – it is part of the organization’s attempt to seek leniency from the government.  To get leniency, the organization needs to give something, and that might be waiver in the proper case.

Also, note that self-reporting is important.  In a prior post, I explained one federal prosecutor’s view of why self-reporting is important.

Second, MCI was not given a pass by the federal government.  As the release describes, the SEC extracted a pound of flesh – to the tune of $750 million in restitution.  Also, individual wrongdoers have been successfully prosecuted, most notably Bernie Ebbers.  The DOJ concluded that anything more would just be piling on.

September 8, 2005 in Compliance Developments, Enforcement Actions | Permalink | TrackBack

August 29, 2005

Sentencing Commission to Study Privilege Waiver Issue

A recent Federal Register publication from the United States Sentencing Commission sets forth gives Notice of Final Priorities for the Commission through the amendment cycle that ends in May 2006.  One of the priorities listed is on a subject blogged on here and at the White Collar Crime Prof Blog:

(6) review, and possible amendment, of commentary in Chapter Eight (Organizations) regarding waiver of the attorney-client privilege and work product protections . . . .

To understand the significance of this item, you need to have some background on the sentencing guidelines as they apply to organizations.  As for individual defendants, the guidelines establish a formula for calculating the applicable punishment – for organizations, that is primarily a monetary fine.  The formula has several steps.  Bear with me for a brief review of the steps – it will pay off in understanding what the Commission proposes.

The first step is to identify the "offense level" for the charged crime.  A chapter of the guidelines assigns each crime an offense level based on its seriousness: offense levels range from one to forty-three, with crimes ranked from least to most severe.  For example, tampering with an odometer is a relatively low offense level six, while treason and first degree murder top off the list at offense level forty-three.

The second step is to identify the base fine associated with an offense level by consulting a chart that assigns each offense level a corresponding base fine.  Not surprisingly, the base fine increases along with the offense level.  Again, consider odometer tampering and treason.  Odometer tampering, an offense level six, carries a base fine of $5,000, while treason, an offense level forty-three, carries a base fine of $72.5 million.

The third step is to calculate the organization's "culpability score."  Each organization starts with a score of five that is adjusted downward for mitigating factors and upward for aggravating factors.  For example, the guidelines subtract two points if the organization fully cooperated with the government, but add two points if the organization committed a similar violation in the last five years.  For our purposes, the most relevant adjustment is a three-point reduction "[i]f the offense occurred despite an effective program to prevent and detect violations of law."  The amended guidelines now refer to this mitigating factor as an "effective compliance and ethics program."

The fourth step is to identify the fine multipliers that correspond to the defendant's culpability score.  For example, consider once again a defendant convicted of tampering with an odometer, and assume that we make no adjustments for aggravating or mitigating factors, leaving a culpability score of five.  The guidelines assign two multipliers to a culpability score of five: one and two.  Recall that the base fine for odometer tampering, a level six offense, is $5,000.  Now, multiply the base fine by the lower multiplier (here, 1 x $5,000), and this gives you the minimum fine of $5,000.  Next, multiply the base fine by the higher multiplier (here, 2 x $5,000), and this gives you the maximum fine of $10,000.  So, our odometer tamperer faces a fine range of $5,000 to $10,000.

The final step is for the judge to set the ultimate fine within the fine range.  In doing so, the court will consider factors such as "the need for the sentence to reflect the seriousness of the offense," "the organization's role in the offense," and "any nonpecuniary loss caused or threatened by the offense."  Further, the court must increase the fine to include "any gain to the organization from the offense that has not and will not be paid as restitution or by way of other remedial measures."  The court may also depart from the fine range for listed reasons.  For example, a judge may reduce the fine below the guideline minimum if the defendant provided "substantial assistance in the investigation or prosecution of another organization that has committed an offense."  Or, a judge may impose a fine greater than the fine-range maximum if the defendant's crime "involved a foreseeable risk of death or bodily injury" or "constituted a threat to national security."

Now, go back to the culpability score.  The sentencing guidelines give a substantial reduction in that score for organizations that cooperate with the government:

(g)    Self-Reporting, Cooperation, and Acceptance of Responsibility

If more than one applies, use the greatest:

    (1)    If the organization (A) prior to an imminent threat of disclosure or government investigation; and (B) within a reasonably prompt time after becoming aware of the offense, reported the offense to appropriate governmental authorities, fully cooperated in the investigation, and clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct, subtract 5 points; or

    (2)    If the organization fully cooperated in the investigation and clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct, subtract 2 points; or

    (3)    If the organization clearly demonstrated recognition and affirmative acceptance of responsibility for its criminal conduct, subtract 1 point.

A pretty good upside here: A cooperating organization gets 5 points off its culpability score.  As explained above, this reduction will (in turn) reduce the multipliers applied to the base fine.  For example, a culpability score of 5 has multipliers of 1 and 2, whereas a score of 0 has multipliers of .05 and .2.  So, if conduct carried a base fine of $10 million, an organization would face the following fine ranges based on these two different culpability scores:

Score = 5

Max = $20 million
Min = $10 million

Score = 0

Max = $2 million
Min = $500,000

How about that!  Cooperation certainly pays.

Well, given the potentially large benefit from cooperation, the commentary explains that an organization must be forthcoming with the government:

To qualify for a reduction under subsection (g)(1) or (g)(2), cooperation must be both timely and thorough. To be timely, the cooperation must begin essentially at the same time as the organization is officially notified of a criminal investigation. To be thorough, the cooperation should include the disclosure of all pertinent information known by the organization. A prime test of whether the organization has disclosed all pertinent information is whether the information is sufficient for law enforcement personnel to identify the nature and extent of the offense and the individual(s) responsible for the criminal conduct. However, the cooperation to be measured is the cooperation of the organization itself, not the cooperation of individuals within the organization. If, because of the lack of cooperation of particular individual(s), neither the organization nor law enforcement personnel are able to identify the culpable individual(s) within the organization despite the organization’s efforts to cooperate fully, the organization may still be given credit for full cooperation. Waiver of attorney-client privilege and of work product protections is not a prerequisite to a reduction in culpability score under subdivisions (1) and (2) of subsection (g) unless such waiver is necessary in order to provide timely and thorough disclosure of all pertinent information known to the organization.

It is in the last sentence of this commentary (in bold) that the Commission stepped (quite gingerly) on the third rail that is white collar privilege waiver.  Frankly, the commentary takes a quite mild position: (1) waiver is NOT required to get credit, unless (2) the government cannot get all pertinent facts without waiver.  Remember – if we are applying the sentencing guidelines, there has already been a conviction or a plea.  So, the organization is either a convicted or admitted law breaker.  The court is simply trying to figure out whether the organization deserves leniency in sentencing.  Using the privilege to block the government from the ONLY means of accessing needed information seems the opposite of cooperation.

For those interested in criticisms of the above guidelines commentary, the National Association of Criminal Defense Lawyers has collected letters from various lawyer and other groups urging the Commission to reconsider.  As the issue of privilege waiver has received increasing attention in compliance circles, this is an issue I will try to keep on top of.

August 29, 2005 in Compliance Developments, Enforcement Actions, Regulatory Actions, Sentencing Guidelines | Permalink | TrackBack

August 08, 2005

Upping the Stakes (Criminally) of the Internal Investigation

This post follows up on the Computer Associates (CA) issue mentioned in a prior post.  There, I
mentioned that one of the counts in the Indictment against CA management claimed that it was obstruction of justice to lie to a private attorney conducting an internal investigation if he “knew, and in fact intended, that the [private lawyer] would present these false [statements] to the United States Attorney’s Office, the SEC and the FBI so as to obstruct and impeded the Government Investigations.”  In such cases, the witness is effectively lying to the government.

At an ABA Annual Meeting session jointly sponsored by the Criminal Justice and Corporate
Compliance Committees of the Business Law Section, a panel discussed (among other things)
what the government’s CA obstruction theory means for lawyers conducting internal
investigations.  One panelist suggested that it creates a problem for lawyers given the Supreme
Court’s prior attorney-client privilege decision in Upjohn Co. v. United States.  There, the
Court held that the privilege covers interviews with lower level employees conducted during an
internal investigation, but only if (among other things) the “the employees themselves were
sufficiently aware that they were being questioned in order that the corporation could obtain legal
advice” and the company “clearly indicated the legal implications of the investigation.”  So, to
preserve the privilege, Upjohn requires lawyers conducting an internal investigation to explain
WHY the investigation is being conducted.  This might include mention of an existing or
anticipated government investigation.  Further, the ethics rules (see ABA Model Rule 1.13(f)) require the lawyer to explain that her client is the organization (and not the employee being interviewed), and that the organization controls any attorney-client privilege.  And the organization could waive the privilege and give the employee’s statement to others, including the government.

The bottom line is that a proper internal investigation will likely leave the witness aware that her
statement may end up in the government’s hands.  Under the government’s CA theory, this means
that a proper internal investigation exposes the witnesses to potential obstruction of justice
charges FOR LYING TO THE PRIVATE LAWYER CONDUCTING THE INTERNAL
INVESTIGATION.  This raised three questions: First, will the government carry the CA theory
this far, or was the CA case itself an extreme case?  Second, if the government carries the CA
theory that far, would that be an unjustified extension of the obstruction of justice statute?  And
third, does a lawyer conducting an internal investigation have a duty to inform her the witness of
obstruction of justice liability for false statements during the interview?  If the answer to question
three is “yes,” one can expect less cooperation with internal investigations.

August 8, 2005 in Cases, Compliance Developments, Privilege | Permalink | TrackBack

August 02, 2005

Some Employee Hotlines Violate French Law

Here is something that has been floating around the web for a while.  Back in June, the French Data Protection Authority ruled that company ethics hotlines violate French law.  (The agency is Commission Nationale de L'informatique et des Libertés, which the agency’s web site translates as “National Commission for Data Protection and the Liberties.”)  Two companies – including the French division of McDonald's, sought clearance to implement an employee reporting hotline as part of the roll out of their codes of ethics.  An unofficial translation of the agency’s decision (the only text on the agency’s web site is in French) describes the McDonald’s hotline as follows:               

This system, which is in the “Code of Ethics” of the international McDonald’s Group, would allow the staff of the French subsidiaries to report to the American parent company (McDonald’s Corporation), either by mail or by fax, on the behaviour of their colleagues “deemed contrary to the French legal rules as well as the Code of Ethics.”

This project would target only a part of McDonald’s France’s employees, namely those of the head office and only those executives and managers of the one hundred seventy-five restaurants of the Group, i.e. around one thousand persons.

Although the use of this system is addressed in the Code of Ethics of the Group, staff members would not be obligated to use such system.  The staff would be clearly informed of such.

The contents of the reports sent via mail or fax to the Ethics Department of McDonald’s Corporation in the United States would be recorded in a central file under the responsibility of the Director of Ethics of this company.  Each case recorded in this file would be identified by a report number in order to assure the confidentiality of information.

The Ethics Director of the parent company would communicate to the General Counsel of McDonald’s France the contents of the mail or faxes received via e-mail protected with a password.  As defined by McDonald’s, the nature of the report would determine which appropriate service manager would then receive this data: Human Resources Director (for reports relating to Labour and Employment law: presumption of harassment, consumption of alcohol in the workplace, discrimination, incoherent timesheet breakdowns, other issues relating to behaviour in the workplace), Security Director (presumes behaviour likely to be considered as embezzlement, theft of company property, espionage or sabotage, corruption, diffusing or divulging confidential information), Financial and Accounting Director (audits of internal controls, financial irregularities, questionable methods concerning bookkeeping and accounting) or other persons (depending on the nature of the alleged violation).

The Department Director would decide whether or not to open an investigation and, if necessary, would send the report only to those persons who would be involved in the investigations.  He would then inform the General Counsel of McDonald’s France and consult with him/her to carry out the investigation.

In the event that a member of the management of McDonald’s France is investigated, the investigation would be led directly by the American parent company.

The report used for the investigation would need the following information: name (first and last) and city of residence of the sender (if the person refuses to give his/her identity), the name of the restaurant or offices, duties exercised by the sender, name (first and last) of the person alleged to have breached the Code of Ethics, or if possible the name (first and last) of another staff member who could have knowledge of the facts, the nature of the allegations, the conclusions of the investigation (dismissal of all charges, types of sanctions imposed, other corrective actions).

The staff members presumed guilty would be informed by the Human Resources Director that they have the right to access, rectify or contest within two business days, even if there has been no investigation.

The findings of the investigation and the “corrective measures” taken (modification of internal controls or of other rules in force within the French group, disciplinary sanctions, legal recourses) would be sent by the General Counsel to the Ethics Director of McDonald’s Corporation, without communicating the identity of the person concerned.

In the event the investigation reveals misconduct, the data of the computerized reports would be kept by McDonald’s France between one and five years depending on the nature of the fault committed.  The General Counsel, the Human Resources Director, the Director under which the person concerned works, and one member of management would have access to this information.

The reports which do not lead to investigations or which lead to negative results would be destroyed within two business days following the final decision.

Finally, the reports kept by the Ethics Department of McDonald’s Corporation would not be kept longer than three months after the end of the investigation and five years for those concerning the members of McDonald’s France management.

The agency’s decision appears to rest on a balancing analysis, finding that there were less intrusive measures to achieve the company’s objective (again, with the caution that I am offering a reading of an unofficial translation):

In this sense, the Commission observes that the possibility to establish an “ethics alert” in an anonymous manner could only re-enforce the risk of slanderous denunciations.

Moreover, the Commission considers that this system is disproportionate to the objectives sought and the risks of slanderous denunciations and the stigmatization of employees who were the subjects of an “ethics alert.”  The Commission notes that henceforth other legal means exist to guaranty compliance with legal provisions and company rules (programs of consciousness raising through information and training, audits and alerts by the statutory auditors for financial and accounting matters, bringing the matters before the Labour Inspector or the competent Courts).

So, the anonymous hotline (1) raises an unreasonable risk of false reports (posing a threat of harm to employees), and (2) is not the necessary to an effective ethics and compliance program.  Of course, this is contrary to compliance conventional wisdom in the United States, where Sarbanes-Oxley and the organizational sentencing guidelines require/encourage use of similar hotlines.

In the last paragraph of its discussion, the agency adds the following legal concerns:

The Commission considers, finally, that the employees subject to an alert would not be, by definition, informed as soon as the data questioning their professional or personal integrity is recorded, and as such they would not have the means to contest the processing of such data.  The terms and details of collection and processing of this data, which could involve actions likely to constitute criminal infractions, can no longer be considered as loyal as defined by Article 6 of the Law dated January 6, 1978 as amended.

This suggests that French law requires an opportunity for the employee to participate in (or to contest) the company’s investigation, starting as soon as the hotline report is filed.  Also, there is the cryptic statement that the “collection and processing of this data” – which I read to mean the investigation following the hotline complaint – “could involve actions likely to constitute criminal infractions.”  Of course, companies need to know what investigative techniques that might be acceptable in the United States would be criminal abroad.

August 2, 2005 in Compliance Developments, Monitoring, Auditing, and Evaluating, Organizations, Sentencing Guidelines | Permalink | TrackBack

July 20, 2005

More on Applying the Attorney-Client and Work Product Privileges to Internal Investigations

At a compliance conference last Spring, I was asked what the recent case Aronson v. McKesson
HBOC, Inc., 2005 WL 934331 (N.D. Cal., Mar. 31, 2005), says about application of the
attorney-client privilege (ACP) to the fruits of a corporate internal investigation that are shared
with the government.  The short answer is nothing, because the court’s decision rested on the
work product privilege, which has a much narrower application than the ACP.  This post
discusses the McKesson opinion as well as its implications (or lack thereof) for the ACP.

McKesson is a shareholder suit that arose out of the merger of McKesson, Inc. and HBO &
Company.  In the wake of a post-merger announcement of accounting problems, the merged
company’s audit committee charged outside counsel with investigating.  The company disclosed
the investigation report and materials to the government on condition that the government would
keep those materials confidential.  When the shareholders sought those materials in their private
civil suit, the company asserted the ACP and work product privilege.  The plaintiffs argued that
disclosure to the government waived both privileges.

For those who are interested, here is the court’s full discussion of the background facts:

A.    The Merger and Restatement

    On January 12, 1999, HBO & Company ("HBOC") and McKesson, Inc. merged.
McKesson, Inc. was renamed McKesson HBOC, Inc., while HBOC became the wholly owned subsidiary of McKesson HBOC now called McKesson Information Services ("MIS"). Four months after the merger on April 28, 1999, McKesson HBOC (hereinafter "McKesson") issued a press release in which it announced the company's discovery of more than $42 million in improperly recognized revenue, which would have to be reversed. Following that announcement, the share price of McKesson stock fell by more than 40% from $65.75 to $34.50, representing a $9 billion drop in market capitalization. Soon after the announcement, several dozen shareholders' suits were filed in federal and state court naming McKesson, its current and former directors,
officers, and employees as defendants.

B.    The Disputed Materials

    On or about May 3, 1999, McKesson's Board of Directors authorized its Audit Committee to review McKesson's accounting policies and procedures and make recommendations to prevent a recurrence of the issues that gave rise to the April 28 announcement. Soon thereafter, the Audit Committee retained Skadden to provide legal advice and assist in reviewing the circumstances and accounting policies, procedures, and controls that had resulted in the overstatement of revenue.
At the same time, McKesson hired Skadden to represent it in anticipated shareholder suits. Skadden retained PricewaterhouseCoopers LLP ("PWC") to assist in the internal investigation. Skadden, working with PWC as accounting consultants, conducted an extensive investigation, including document review and 55 attorney interviews of 37 present and former employees of McKesson and HBOC. Skadden compiled a report and supporting materials, including memoranda regarding the interviews its attorneys had conducted ("Skadden Report and Back-up Materials").

    On May 10, 1999, McKesson and PWC met with SEC investigators. Thereafter, Skadden, on McKesson's behalf, entered into substantially identical confidentiality agreements with the Securities and Exchange Commission ("SEC") on May 27, 1999 and the United States Attorney's Office ("USAO") on May 28, 1999 under which Skadden would provide the government with any report which might result from the internal investigation and the materials upon which such report would be based.  McKesson also agreed to provide "periodic oral summaries concerning the status of the review being conducted under the direction of the Audit Committee."

    In the letter agreements, McKesson set forth that it was disclosing the information to the SEC and USAO on the basis of common interest.  Both letter agreements asserted that the materials were protected by attorney-client and work product privileges. The agreements provided that McKesson did not waive any applicable privileges by agreeing to produce or producing the Skadden Report and Back-up Materials, but that the material therein would assist the SEC and USAO "in carrying out its law enforcement responsibilities."  The agreement with the USAO permitted use of the disputed materials "in any criminal investigation or prosecution, including any prosecution of [McKesson]." Further McKesson agreed that the USAO could use
the disputed materials "as it deems appropriate in furtherance of the investigation and any resulting prosecutions" and specifically consented "to the disclosure of the Report and Back-up Materials to a federal grand jury as the [USAO] deems appropriate, and in any criminal prosecution that may result from the Office's investigation."  The SEC agreed "not to disclose the Report or Back-up Materials to any third party, except to the extent that the [SEC] determines that the disclosure is otherwise required by federal law or in furtherance of the [SEC's] discharge of its duties and responsibilities."

    On July 14, 1999, McKesson announced that it would restate its revenues. Five days later, on July 19, 1999, the SEC issued a formal order of investigation of McKesson. Skadden submitted the final report to the Audit Committee on July 22, 1999. McKesson gave the Skadden Report to the SEC and USAO between July 27 and August 5, 1999.

Note the following facts from the case:

First, consider the ACP.  The court explained that the ACP attaches:

"1)Where legal advice of any kind is sought; 2) from a legal adviser in his capacity as such; 3) the communications relating to that purpose; 4) made in confidence; 5) by the client; 6) are at his instance permanently protected; 7) from disclosure by himself or by the legal adviser; 8) unless the protection be waived."

The court held that the ACP did not apply to the company’s investigation materials because those
materials were not “made in confidence”:

McKesson agreed to disclose the Skadden Report and Back-up Materials and provide oral updates as to the progress of the investigation to the government in late May 1999. The Skadden Report was not yet in existence at the time the letter agreements were signed.  McKesson received the final report from Skadden around July 22, 1999--well after McKesson had agreed to share the Report and Back-up Materials with the government--and subsequently shared the information with the government. Where, as here, there is an agreement by the client that provides for the disclosure to a third party of the communications between a client and attorney in advance of those communications being made, the communications disclosed pursuant to that agreement are not confidential and the goals of the attorney-client privilege are not in play.

Because the ACP never attached, the court never reached the question whether selective
disclosure to the government waived the privilege.

Next, the court turned to the work product privilege.  All parties conceded that that privilege
applied because, as noted above, the investigation was carried out in anticipation of defending
pending litigation.  The question was whether selective disclosure of the investigation materials to
the government waived the privilege.  The court noted a split in the circuits weighing heavily in
favor of waiver, but also explained that the Ninth Circuit had not taken a clear position on the
issue.  The court then adopted a narrow allowance of selective disclosure without waiver:

     The court finds [the minority view] persuasive with regard to recognizing a distinction between disclosure to a private entity (resulting in waiver) and disclosure to a government entity pursuant to a confidentiality agreement (maintaining work product protection).  Permitting disclosure to the government under a confidentiality agreement would not undermine the underlying principles of the work product doctrine. "The work product privilege rests on the belief that ... promotion of adversary preparation ultimately furthers the truth-finding process." AT & T, 642 F.2d 1285, 1300 (D.C.Cir.1980). Its ultimate aim is "to promote the proper administration of justice." In re Grand Jury, 138 F.3d 978, 984 (3d Cir.1998). As the D.C. Circuit acknowledged in AT & T when considering common interest between MCI and the government in pursuing parallel antitrust cases, permitting "MCI to contribute the fruit of its analysis to the Government on those issues common to their two cases will further the Government's preparation for trial and eliminate some duplication of effort." Id. While the alignment of issues and goals may be insufficient to constitute a common interest where, as here, the disclosing and receiving parties are potentially on opposite side of the litigation, the presence of a confidentiality agreement ensures, to the extent possible under the law, that disclosure of the protected materials will not reach adverse parties.

    . . . .

    The Skadden Report and Back-up Material have resulted in significant benefits to the government: permitting the government to focus its investigation on the primary wrongdoers, filtering documents produced to the SEC, and permitting the government to deploy fewer employees to investigate McKesson. Therefore, taking into consideration the benefit to the public of permitting disclosure of work product to the government and in light of the cases cited above rejecting selective waiver but endorsing the preservation of work product protection under negotiated confidentiality with the government, the court finds that the facts presented by this case warrant the conclusion that McKesson did not waive work product protection as to the Skadden Report and Back-up Materials.

Before getting too excited about this holding, one should note three important limitations.  First,
the work product doctrine attaches only to investigations conducted in anticipation of litigation.
In McKesson, this thorny question was not at issue because litigation was already pending when
the investigation started.  In most compliance situations, however, an organization must begin its
investigation upon receiving an internal report of wrongdoing, long before litigation has entered
the mind of a plaintiff or prosecutor.  In such instances, the work product privilege will
be inapplicable if the court believes that the investigation was conducted for purposes of risk
management or internal compliance, and not in anticipation of litigation.  Without the privilege,
waiver is never even an issue.

Second, the investigation materials must be produced to the government under a confidentiality
agreement.  If confidentiality is discussed or promised after disclosure, the McKesson holding
does not apply.

Third, McKesson is truly a minority position. Whether its rule gains traction outside of the
Northern District of California (and that can occur only in the Circuits without directly contrary
precedent) remains to be seen.  (A recent decision from the Southern District of New York
applies Second Circuit precedent in allowing similar selective disclosure.  See In re Natural Gas
Commodity Litigation, 2005 WL 1457666 (S.D.N.Y., June 21, 2005).)

July 20, 2005 in Cases, Compliance Developments, Enforcement Actions, Monitoring, Auditing, and Evaluating | Permalink | TrackBack

June 29, 2005

Sentencing Commission to Take Up Booker, Waiver of Attorney-Client Privilege

In a recent Federal Register notice, the United States Sentencing Commission sought comment on its proposed priorities for the next year.  The list included seven items, two of which are relevant to compliance personnel:

For the amendment cycle ending May 1, 2006, and possibly continuing into the amendment cycle ending May 1, 2007, the Commission has identified the following tentative priorities:

. . .

(2) continuation of its work with the congressional, executive, and judicial branches of the government and other interested parties on appropriate responses to United States v. Booker, including any appropriate guideline changes;

. . .

(5) review, and possible amendment, of commentary in Chapter Eight (Organizations) regarding waiver of the attorney-client privilege and work product protections;

. . . .

The Commission hereby gives notice that it is seeking comment on these tentative priorities and on any other issues that interested persons believe the Commission should address during the amendment cycle ending May 1, 2006, including short- and long-term research issues. To the extent practicable, comments submitted on such issues should include the following: (1) a statement of the issue, including scope and manner of study, particular problem areas and possible solutions, and any other matters relevant to a proposed priority; (2) citations to applicable sentencing guidelines, statutes, case law, and constitutional provisions; and (3) a direct and concise statement of why the Commission should make the issue a priority.

June 29, 2005 in Compliance Developments, Enforcement Actions, Regulatory Actions, Sentencing Guidelines | Permalink | TrackBack

June 20, 2005

Extending the Compliance Program to Third Parties

The recent breach of credit card security at CardSystems Solutions highlights a sticky issue for compliance professionals.  An article in today’s New York Times describes the breach:

The chief of the credit card processing company whose computer system was penetrated by data thieves, exposing 40 million cardholders to a risk of fraud, acknowledged yesterday that the company should not have been retaining those records.

The official, John M. Perry, chief executive of CardSystems Solutions, indicated that the records known to have been stolen covered roughly 200,000 of the 40 million compromised credit card accounts, from Visa, MasterCard and other card issuers. He said the data was in a file being stored for "research purposes" to determine why certain transactions had registered as unauthorized or uncompleted.

"We should not have been doing that," Mr. Perry said. "That, however, has been remediated." As for the sensitive data, he added, "We no longer store it on files."

Under rules established by Visa and MasterCard, processors are not allowed to retain cardholder information including names, account numbers, expiration dates and security codes after a transaction is handled.

The article goes on to explain that Visa and MasterCard have had difficulty keeping track of whether processors have been complying with these rules:

"The standards themselves are very effectively written," said Tom Arnold, a partner at Payment Software Company, a consulting firm in San Francisco that advises and provides security assessments for merchants and processors. "The challenge in the industry can be when people don't fully comply or try to cut corners."

Avivah Litan, an industry analyst at Gartner Inc., agreed. "If they are really serious about these programs, they should pay attention to how the processors are guarding the data, and they are not," she said. After the disclosure of the security breach at CardSystems, varying accounts were offered about the company's compliance with card association standards.

Jessica Antle, a MasterCard spokeswoman, said that CardSystems had never demonstrated compliance with MasterCard's standards. "They were in violation of our rules," she said.

It is not clear whether or when MasterCard intervened with the company in the past to insure compliance, but MasterCard said Friday that it had now given CardSystems "a limited amount of time" to do so.

So, how much should an organization concern itself with the compliance measures in place at the companies it deals with?  That is a big question in compliance circles these days, driven in large part by new government mandates.  For example, the amended organizational sentencing guidelines require organizations to extend compliance training to “as appropriate, the organization’s agents.”  And some government compliance regulations are requiring companies to vouch for the compliance programs of the companies they do business with.  For example, the Treasury Department’s anti-money laundering compliance program regulations require credit card system operators to (among other things):

Incorporate policies, procedures, and internal controls designed to ensure [t]hat the operator does not authorize, or maintain authorization for, any person to serve as an issuing or acquiring institution without the operator taking appropriate steps, based upon the operator’s money laundering or terrorist financing risk assessment, to guard against that person issuing the operator’s credit card or acquiring merchants who accept the operator’s credit card in circumstances that facilitate money laundering or the financing of terrorist activities.

And of course, beyond legal requirements, organizations may face pressure from their customers or other third parties to make sure that the organization is not trusting work to vendors or others that do not have adequate compliance programs, which may lead to pressure for more regulation:

"There is going to be a lot of finger-pointing," said Susan Crawford, a professor of Internet law at Cardozo Law School. "It's a very complex situation, and we'll wind up for calls for very heavy-handed government regulation of data transmission."

June 20, 2005 in Compliance Developments, Compliance in the News | Permalink | TrackBack

June 13, 2005

Diamonds Are a Money-Launderer’s Best Friend

Last week, the Financial Crimes Enforcement Network (FinCEN) issued its Anti-Money Laundering (AML) compliance program rules for dealers in precious metals, stones, and jewels.  The rules flesh out the requirement in section 352 of the USA PATRIOT Act that:

[E]ach financial institution shall establish anti-money laundering programs, including, at a minimum--
(A) the development of internal policies, procedures, and controls;
(B) the designation of a compliance officer;
(C) an ongoing employee training program; and
(D) an independent audit function to test programs.

“Financial institution” is defined quite broadly, including used car dealers, insurance companies, banks, and pawn brokers.  These are the first rules for dealers in precious metals, stones, and jewels.  The rule is actually an “interim final rule,” which an FAQ accompanying the rule describes as follows:

FinCEN is issuing this rule as an interim final rule to give us the flexibility to more narrowly tailor certain aspects of the rule in response to our request within this rule for additional public comment on four discrete issues, while still ensuring that dealers immediately begin to develop anti-money laundering programs. Through the course of the rulemaking process and in developing a final rule, FinCEN has identified several important issues that would affect the scope of the regulation but on which it received little or no public comment.

FinCEN will accept comments for 45 days.

The rule defines three classes of covered goods – “jewel,” “precious metal,” and “precious stone.”  Also, the regulation exempts certain retailers based on either volume of business attributable to the covered goods or whether the retailer’s supply is mainly domestic or foreign.

The required compliance program elements should be no surprise:

AML risk assessment
Policies, procedures, and internal controls
Compliance officer
Education and training
Independent testing

The FinCEN release notes that the AML compliance program must go beyond a narrow focus on the federal requirement to report currency transactions exceeding $10,000.  Rather, the AML compliance program must examine each transaction for signs that the dealer is being used to launder money or further terrorist financing. The FinCEN release and the rule offer some guidance on what additional topics the compliance program should include, citing examples of suspicious conduct as well as conduct involved in recent cases.  For example, it says the following about training:

Appropriate topics for an anti-money laundering program include, but are not limited to: BSA requirements, a description of money laundering, how money laundering is carried out, what types of activities and transactions should raise concerns, what steps should be followed when suspicions arise, and the need to review OFAC and other government lists.

The FinCEN release also explains that the agency is considering whether to require suspicious activity reports, though it encourages dealers to do so:

[D]ealers are encouraged to adopt procedures for voluntarily filing Suspicious Activity Reports with FinCEN and for reporting suspected terrorist activities to FinCEN using its Financial Institutions Hotline . . . .
FinCEN has not at this time proposed a suspicious activity reporting rule for dealers. However, given the importance of ensuring that information relevant to the use of covered products for financial crime or the financing of terrorism is provided to law enforcement, we are considering proposing a suspicious activity reporting rule in the future. We will work closely with law enforcement and the industry as we consider whether such a rule is appropriate.

When the rule becomes final, I will post and update.

June 13, 2005 in Compliance Developments, Regulatory Actions | Permalink | TrackBack