
Posts Tagged ‘FCPA’

For Westerners Seeking Discovery From China, Fortune Cookie Reads: Discovery is Uncertain, and Will Likely Be Hard

Monday, January 7th, 2013

In a recent Inside Counsel article, we explored the eDiscovery climate in China and some of the most important differences between the Chinese and U.S. legal systems. There is an increased interest in China and the legal considerations surrounding doing business with Chinese organizations, which we also covered on this Inside Counsel webcast.

Five highlights from this series include:

1.  Conflicting Corporate Cultures- In general, business in China is done in a way that relies heavily on relationships. This can easily cause a conflict of interest for organizations and put them at risk for violations under the FCPA and UK Bribery Act. The concept that “relationships are gold” or Guanxi is crucial to conducting successful business in China. However, a fine line exists for organizations, necessitating a need for strong local counsel and guidance. Moreover, Chinese businesses don’t share the same definitions the Western world does for concepts like: information governance, legal hold or privacy.

2.  FCPA and the UK Bribery Act- Both of these regulations are very troublesome for those doing business in China, yet necessary for regulating white-collar crime. In order to do business in China one must walk a fine line developing close relationships, without going too far and participating in bribery or other illegal acts. There are increased levels of prosecution under both of these statutes as businesses globalize.

3.  Drastically Different Legal Systems- The Chinese legal system is very different than those of common law jurisdictions. China’s legal system is based on civil law and there is no requirement for formal pre-litigation discovery. For this reason, litigants may find it very difficult to successfully procure discovery from Chinese parties. Chinese companies have been historically slow to cooperate with U.S. regulatory bodies and many discovery requests in civil litigation can take up to a year for a response. A copy of our eDiscovery passport on China can be found here, along with other important countries.

4.  State Secrets- In addition to the differences between common and civil law jurisdictions, China has strict laws protecting state secrets. Anything deemed a state secret would not be discoverable, and an attempt to remove state secrets from China could result in criminal prosecution. The definition of a state secret under People’s Republic of China law includes a wide range of information and is more ambiguous than Western definitions about national security (for example, the Chinese definitions are less defined than those in the U.S. Patriot Act). Politically sensitive data is susceptible to the government’s scrutiny and protection, regardless of whether it is possessed by PRC citizens or officials working for foreign corporations- there is no distinction or exception for civil discovery.

5.  Globalization- Finally, it is no secret that the world has become one huge marketplace. The rapid proliferation of information creation as well as the clashing of disparate legal systems creates real discovery challenges. However, there are also abundant opportunities for lawyers that become specialized in the Asia Pacific region today. Lawyers that are particularly adept in eDiscovery and Asia will flourish for years to come.


APAC eDiscovery Passports: Litigation Basics for the Asia-Pacific Region

Wednesday, June 13th, 2012

Global economic indicators point to increased trade with and outsourcing to emerging markets around the world, specifically the Asia Pacific (APAC) region. Typical U.S. sectors transacting with the East include: manufacturing, business process outsourcing (BPO)/legal process outsourcing (LPO), call centers, and other industries. The Asian Development Bank stated last year that Asia will account for half of all global economic output by 2050 if their collective GDP stays on pace.  The next 10 years will likely bring BRICS (Brazil, Russia, India, China and Japan) and The Four Asian Tigers (Hong Kong, Singapore, South Korea and Taiwan) into the forefront of the global economy. Combining this projected economic growth with the data explosion makes knowledge about the APAC legal system a necessity for litigators and international business people alike.

The convergence of the global economy across different privacy and data protection regimes has increased the complexity of addressing electronically stored information (ESI). Money and data in large volumes cross borders daily in order to conduct international business. This is true not only for Asian countries transacting with each other, but increasingly with Europe and the United States. Moreover, because technology continues to decrease the reliance on data in paper format, data will need to be produced and analyzed in the form in which it was created. This is important from a forensic standpoint, as well as an information management perspective.  This technical push is reason alone that organizations will need to shift their processes and technologies to focus more on ESI – not only in how data is created, but in how those organizations store, search, retrieve, review and produce data.

Discovery Equals eDiscovery

The world of eDiscovery for the purposes of regulation and litigation is no longer a U.S. anomaly. This is not only because organizations may be subject to the federal and state rules of civil procedure governing pre-trial discovery in U.S. civil litigation, but because under existing Asian laws and regulatory schemes, the ability to search and retrieve data may be necessary.

Regardless of whether the process of searching, retrieving, reviewing and producing data (eDiscovery) is called discovery or disclosure or whether these processes occur before trial or during, the reality in litigation, especially for multinational corporations, is that eDiscovery may be required around the world. The best approach is to not only equip your organization with the best technology available for legal defensibility and cost-savings from the litigator’s tool belt, but to know the rules by which one must play.

The Passports

The knowledge level for many lawyers about how to approach a discovery request in APAC jurisdictions is often minimal, but there are resources that provide straightforward answers at no cost to the end-user. For example, Symantec has just released a series of “eDiscovery Passports™” for APAC that focus on discovery in civil litigation, the collision of data privacy laws, questions about the cross-border transfer of data, and the threat of U.S. litigation as businesses globalize.  The Passports are a basic guide that frame key components about a country including the legal system, discovery/disclosure, privacy, international considerations and data protection regulations. The Passports are useful tools to begin the process of exploring what considerations need to be made when litigating in the APAC region.

While the rules governing discovery in common law countries like Australia (UPC) and New Zealand (HCR) may be less comprehensive and require slightly different timing than that of the U.S. and U.K., they do exist under the UPC and HCR.  Countries like Hong Kong and Singapore, that also follow a traditional common law system, contain several procedural nuances that are unique to their jurisdictions.  The Philippines, for example, is a hybrid of both civil and common law legal systems, embodying similarities to California law due to history and proximity.  Below are some examples of cases that evidence trends in Asian jurisdictions that lean toward the U.S. Federal Rules of Civil Procedure (FRCP), Sedona Principles and that support the idea that eDiscovery is going global.

  • Hong Kong. In Moulin Global Eyecare Holdings Ltd. v. KPMG (2010), the court held the discovery of relevant documents must apply to both paper and ESI. The court did, however, reject the argument by plaintiffs that overly broad discovery be ordered as this would be ‘tantamount to requiring the defendants to turn over the contents of their filing cabinets for the plaintiffs to rummage through.’ Takeaway: Relevance and proportionality are the key factors in determining discovery orders, not format.
  • Singapore. In Deutsche Bank AG v. Chang Tse Wen (2010), the court acknowledged eDiscovery as particularly useful when the relevant data to be discovered is voluminous.  Because the parties failed to meet and confer in this case, the court ordered parties to take note of the March 2012 Practice Direction which sets out eDiscovery protocols and guidance. Takeaway: Parties must meet and confer to discuss considerations regarding ESI and be prepared to explain why the discovery sought is relevant to the case.
  • U.S. In E.I. du Pont de Nemours v. Kolon Industries (E.D. Va. July 21, 2011), the court held that defendants failed to issue a timely litigation hold.  The resulting eDiscovery sanctions culminated in a $919 million verdict against the defendant South Korean company. While exposure to the FRCP for a company doing business with the U.S. should not be the only factor in determining what eDiscovery processes and technologies are implemented, it is an important consideration in light of sanctions. Takeaway:  Although discovery requirements are not currently as expansive in Asia as they are in the U.S., companies conducting business with the U.S. may be subject to U.S. law. U.S. law requires that a legal hold be deployed when litigation is reasonably anticipated.

Asia eDiscovery Exchange

On June 6-7 at the Excelsior Hotel in Hong Kong, industry experts from the legal, corporate and technology industries gathered for the Asia eDiscovery Exchange.  Jeffrey Toh of innoXcell, the organizer of the event in conjunction with the American eDJ Group, says “this is still a very new initiative in Asia, nevertheless, regulators in Asia have taken steps to implement practice directions for electronic evidence.” Exchanges like these indicate the market is ready for comprehensive solutions for proactive information governance, as well as reactive eDiscovery.  The three themes the conference touched on were information governance, eDiscovery and forensics.  Key sessions included “Social Media is surpassing email as a means of communication; What does this mean for data collection and your Information Governance Strategy” with Barry Murphy, co-founder and principal analyst, eDiscovery Journal and Chris Dale, founder, e-Disclosure Information Project, as well as “Proactive Legal Management” (with Rebecca Grant, CEO of iCourts in Australia and Philip Rohlik, Debevoise & Plimpton in Hong Kong).

The Asian market is ripe for new technologies, and the Asia eDiscovery Exchange should yield tremendous insight into the unique drivers for the APAC region and how vendors and lawyers alike are adapting to market with their offerings.  The eDiscovery Passports™ are also timely as they coincide with a marked increase in Asian business and the proposal of new data protection laws in the region.  Because the regional differences are distinct with regard to discovery, resources like this can help litigators in Asia interregionally, as well as lawyers around the world.  Thought leaders in the APAC region have come together to discuss these differences and how technology can best address the unique requirements in each jurisdiction.  The conference has made clear that information governance, archiving and eDiscovery tools are necessary in the region, even if those needs are not necessarily motivated by litigation as in the U.S. 

The Demise of The News of the World: An Analysis of “Hackgate” Through an eDiscovery Lens

Friday, June 1st, 2012

The events surrounding the troubled News Corporation media empire, under investigation for the illegal seizure of electronic evidence (ESI), are seemingly never-ending. The Australian billionaire Rupert Murdoch is chairman of the New York-based parent company, News Corporation, and as a U.S. based company with subsidiaries abroad, the litigation exposure for the company is vast. News International, a U.K. subsidiary of News Corporation, shut down one of their oldest running publications, The News of the World, in July last year amid the monumental phone hacking scandal known as Hackgate. Although the paper was dissolved, allegations beginning as early as 2002 detail unethical media practices, email/phone (voicemail)/text hacking, police bribery, and the recent Leveson inquiry. This firestorm continues to plague the company and has created one of the most complex legal debacles of the modern era.

A myriad of reasons are responsible for these legal complexities that continue to unfold, including: active civil/criminal actions in both U.S. and U.K. jurisdictions, questions about how evidence has been obtained and the subsequent admissibility in differing jurisdictions, public inquiries in the U.K., as well as investigations by the Federal Bureau of Investigation (FBI) and the U.S. Department of Justice under the Foreign Corrupt Practices Act (FCPA). Under the FCPA, American companies are prohibited from compensating representatives of a foreign government for a commercial advantage. This is particularly poignant given the recently released text messages uncovered in the Leveson inquiry, which expose alleged illegal communications between Frederic Michel, a lobbyist for News Corporation and Jeremy Hunt, the Secretary of State for Culture, Olympics, Media and Sport, during News Corporation’s bid to acquire BSkyB during 2010-11. The bid has since been abandoned and so have Murdoch’s attempts to create the largest media empire in the world.

eDiscovery and Hackgate

To date, there have been more than 60 civil claims brought in the U.K. derived from Hackgate (many have been privately settled), not including any U.S. litigation, Operation Weeting, the Leveson inquiry, and other various concurrent investigations. Several key disclosure orders from the High Court in these civil cases have resulted in extensive discovery that points to not only a conspiracy, but to the willful destruction of evidence. The High Court judge presiding over the civil lawsuits, Geoffrey Vos, was shocked by the company’s “startling approach” to e-mail, particularly because subsequent to receiving formal requests for documents, the company still failed to preserve relevant emails. In fact, the company inquired with its email provider about how to delete those emails. Vos is quoted as saying that News International should be “treated as deliberate destroyers of evidence.”

A hard copy of an email from 2008 addressed to Mr. Murdoch’s son, James Murdoch, who at the time was a top executive of News International, is of particular interest regarding his level of knowledge about Hackgate. The email is from a thread between News Corporation’s in-house counsel to the then-editor, Colin Myler, informing James that the legal fallout from phone-hacking was imminent.  James and his father later testified that they had no knowledge of the emails and that they failed to appreciate any illegal activity regarding phone hacking at the newspaper. Apparently, the electronic copy of the email was deleted on Jan. 15, 2011 during an “e-mail stabilization and modernization program.”

As frequently discussed in the U.S., having a document retention policy is crucial to the defensible deletion of data in a corporation. That deletion must be suspended and relevant data must be placed on legal hold once litigation is reasonably anticipated. Moreover, it should not be instituted in the midst of a company-wide international crisis.  What is troublesome in this scenario is that no such policy seems to have existed regarding document retention or legal hold.  If a properly deployed retention schedule existed, then the emails would have been deleted prior to 2011 as part of the normal course of business. Conversely, if there was reasonable anticipation of litigation, then given the proper issuance of legal hold, the emails surely would not have been deleted. In the U.K., case law does exist to support the need for preservation and an ESI management system that would allow for full disclosure of relevant information.

The News Corporation has both the U.S. and U.K. to contend with regarding the defensibility of their information management systems and potential sanctions. However, in either scenario, the intentional deletion of relevant evidence is an obstruction of justice (in a criminal sense). News Corporation is a prime example of a multinational corporation that is not only suffering from the repercussions of bad behavior, but one that could not mitigate these risks at the highest level due to poor information management. The need for a comprehensive information governance plan and in-house technology would have been key to any internal investigations to research and monitor alleged illegal activities of employees, as well as to responding to litigation and regulatory inquiries. A proper information management system might have obviated much of News of the World’s troubles, provided for more transparency, and potentially prevented this never-ending downward spiral.

Losing Weight, Developing an Information Governance Plan, and Other New Year’s Resolutions

Tuesday, January 17th, 2012

It’s already a few weeks into the new year and it’s easy to spot the big lines at the gym, folks working on fad diets and many swearing off any number of vices.  Sadly perhaps, most popular resolutions don’t even really change year after year.  In the corporate world, though, it’s not good enough to simply recycle resolutions every year since there’s a lot more at stake, often with employee’s bonuses and jobs hanging in the balance.

It’s not too late to make information governance part of the corporate 2012 resolution list.  The reason is pretty simple – most companies need to get out of the reactive firefighting of eDiscovery given the risks of sloppy work, inadvertent productions and looming sanctions.  Yet, so many are caught up in the fog of eDiscovery war that they’ve failed to see the nexus between the upstream, proactive good data management hygiene and the downstream eDiscovery chaos.

In many cases the root cause is the disconnect between differing functional groups (Legal, IT, Information Security, Records Management, etc.).  This is where the emerging umbrella concept of Information Governance comes to play, serving as a way to tackle these information risks along a unified front. Gartner defines information governance as the:

“specification of decision rights, and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archiving and deletion of information, … [including] the processes, roles, standards, and metrics that ensure the effective and efficient use of information to enable an organization to achieve its goals.”

Perhaps more simply put, what were once a number of distinct disciplines—records management, data privacy, information security and eDiscovery—are rapidly coming together in ways that are important to those concerned with mitigating and managing information risk. This new information governance landscape is comprised of a number of formerly discrete categories:

  • Regulatory Risks – Whether an organization is in a heavily regulated vertical or not, there are a host of regulations that an organization must navigate to successfully stay in compliance.  In the United States these include a range of disparate regimes, including the Sarbanes-Oxley Act, HIPAA, the Securities and Exchange Act, the Foreign Corrupt Practices Act (FCPA) and other specialized regulations – any number of which require information to be kept in a prescribed fashion, for specified periods of time.  Failure to turn over information when requested by regulators can have dramatic financial consequences, as well as negative impacts to an organization’s reputation.
  • Discovery Risks – Under the discovery realm there are any number of potential risks as a company moves along the EDRM spectrum (i.e., Identification, Preservation, Collection, Processing, Analysis, Review and Production), but the most lethal risk is typically associated with spoliation sanctions that arise from the failure to adequately preserve electronically stored information (ESI).  There have been literally hundreds of cases where both plaintiffs and defendants have been caught in the judicial crosshairs, resulting in penalties ranging from outright case dismissal to monetary sanctions in the millions of dollars, simply for failing to preserve data properly.  It is in this discovery arena that the failure to dispose of corporate information, where possible, rears its ugly head since the eDiscovery burden is commensurate with the amount of data that needs to be preserved, processed and reviewed.  Some statistics show that it can cost as much as $5 per document just to have an attorney privilege review performed.  And, with every gigabyte containing upwards of 75,000 pages, it is easy to see massive discovery liability when an organization has terabytes and even petabytes of extraneous data lying around.
  • Privacy Risks – Even though the US has a relatively lax information privacy climate there are any number of laws that require companies to notify customers if their personally identifiable information (PII) such as credit card, social security, or credit numbers have been compromised.  For example, California’s data breach notification law (SB1386) mandates that all subject companies must provide notification if there is a security breach to the electronic database containing PII of any California resident.  It is easy to see how unmanaged PII can increase corporate risk, especially as data moves beyond US borders to the international stage where privacy regimes are much more staunch.
  • Information Security Risks – Data breaches have become so commonplace that the loss/theft of intellectual property has become an issue for every company, small and large, both domestically and internationally.  The cost to businesses of unintentionally exposing corporate information climbed 7 percent last year to over $7 million per incident.  Recently senators asked the SEC to “issue guidance regarding disclosure of information security risk, including material network breaches” since “securities law obligates the disclosure of any material network breach, including breaches involving sensitive corporate information that could be used by an adversary to gain competitive advantage in the marketplace, affect corporate earnings, and potentially reduce market share.”  The senators cited a 2009 survey that concluded that 38% of Fortune 500 companies made a “significant oversight” by not mentioning data security exposures in their public filings.

Information governance as an umbrella concept helps organizations to create better alignment between functional groups as they attempt to solve these complex and interrelated data risk challenges.  This coordination is even more critical given the way that corporate data is proliferating and migrating beyond the firewall.  With even more data located in the cloud and on mobile devices a key mandate is managing data in all types of form factors. A great first step is to determine ownership of a consolidated information governance approach where the owner can:

  • Get C-Level buy-in
  • Have the organizational savvy to obtain budget
  • Be able to define “reasonable” information governance efforts, which requires both legal and IT input
  • Have strong leadership and consensus building skills, because all stakeholders need to be on the same page
  • Understand the nuances of their business, since an overly rigid process will cause employees to work around the policies and procedures

Next, tap into and then leverage IT or information security budgets for archiving, compliance and storage.  In most progressive organizations there are likely ongoing projects that can be successfully massaged into a larger information governance play.  A great place to focus on initially is information archiving, since this is one of the simplest steps an organization can take to improve their information governance hygiene.  With an archive, organizations can systematically index, classify and retain information and thus establish a proactive approach to data management.  It’s this ability to apply retention and (most importantly) expiration policies that allows organizations to start reducing the upstream data deluge that will inevitably impact downstream eDiscovery processes.

Once an archive is in place, the next logical step is to couple a scalable, reactive eDiscovery process with the upstream data sources, which will axiomatically include email, but increasingly should encompass cloud content, social media, unstructured data, etc.  It is important to make sure that a given archive has been tested to ensure compatibility with the chosen eDiscovery application to guarantee that it can collect content at scale in the same manner used to collect from other data sources.  Overlaying both of these foundational pieces should be the ability to place content on legal hold, whether that content exists in the archive or not.

As we enter 2012, there is no doubt that information governance should be an element in building an enterprise’s information architecture.  And, different from fleeting weight loss resolutions, savvy organizations should vow to get ahead of the burgeoning categories of information risk by fully embracing their commitment to integrated information governance.  And yet, this resolution doesn’t need to encompass every possible element of information governance.  Instead, it’s best to put foundational pieces into place and then build the rest of the infrastructure in methodical and modular fashion.

“Look Right” – How E-Discovery Helps Solve the UK Bribery Act

Wednesday, June 1st, 2011

I’ve just returned from a trip across the pond where I spoke at IQPC’s Information Retention and eDisclosure Management conference, which was well attended by both local practitioners and experts from the States.  In addition to numerous discussions comparing and contrasting the US e-discovery and UK e-disclosure practices, there was also a ton of time spent focusing on regulatory compliance.  In particular, the Bribery Act 2010 was a hot topic, not surprisingly given its looming implementation date of July 1.

It occurred to me that both with the Bribery Act and its kissing cousin, the FCPA, the UK and US are strikingly similar in many ways.  We both speak the same language (sort of), but there are any number of things that are just different enough that Americans must take pause.  As an easy example, crossing the street in London can be a perilous journey given our tendency to “look left.”  Fortunately our friends abroad don’t want their lorries dented up by hapless yanks so they kindly paint numerous “look right” signs on street corners throughout their fair city.

As e-discovery and e-disclosure continue to mature in their respective lands, the sense is that the difference will rapidly become obscured, especially in light of how well the countries seem to be collaborating around best practices and civil procedure standards.  During the judges’ panel at the IQPC event, noted e-discovery legends (Judges Grimm, Peck and Facciola) roundly complimented the UK’s disclosure process, often describing how much the US can learn from our allies.

Similarly, it’s interesting to see how the Bribery Act has “gone to school” on the FCPA.  For the past decade or so the UK has been criticized for its laissez-faire attitude towards commercial bribery, particularly with a glaring gap in applicable legislation (like the FCPA). And, while a wee bit late to the party, the UK finally enacted its anti-bribery statute (on April 8, 2010), curiously dubbed the “Bribery Act 2010,” which in many ways leapfrogs the 34-year-old FCPA.  While ostensibly similar, the Act differs from the FCPA in a number of ways, many of which broaden applicability. For example, unlike the FCPA, the Act covers bribes to both the public and private sector and does not make an exception (like the FCPA) for facilitation payments (small payments given to public officials to speed up a routine service).  Similarly, the Act applies to all organizations that do business in the UK, even if they’re not based there, and even if the bribery occurs in another country.

The Bribery Act was originally scheduled to become effective in October of last year but, after numerous delays and outcries from the business community, the Ministry of Justice recently issued its “Bribery Act 2010: Guidance” and announced that the Act will finally take effect on July 1, 2011. This guidance has been eagerly awaited by anxious enterprises given the extremely broad potential of the Act. In concert with the recently promulgated prosecutorial guidelines, the guidance document gives some insight into how UK prosecutors (as enforced by the Serious Fraud Office) will initially decide who to pursue and then how the Act will be applied.  Fortunately, the promulgated guidance documents suggest that the Act is “directed at making life difficult for the mavericks responsible for corruption, not unduly burdening the vast majority of decent, law-abiding firms.”

To this end, the Guidance states that “[i]t is a full defence for an organisation to prove that despite a particular case of bribery it nevertheless had adequate procedures in place to prevent persons associated with it from bribing.”  It is these “adequate procedures” that provide a safe harbour of sorts and therefore should be perused quite carefully by impacted organisations to ensure that their compliance programs are up to muster.  The following six “guiding principles” are designed not to be prescriptive or “one-size-fits-all,” but rather to suggest a “risk-based” and proportionate approach to managing bribery risks.

  1. “Proportionate procedures: A commercial organisation’s procedures to prevent bribery by persons associated with it are proportionate to the bribery risks it faces and to the nature, scale and complexity of the commercial organisation’s activities. They are also clear, practical, accessible, effectively implemented and enforced.
  2. Top-level commitment:  The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.
  3. Risk assessment: The commercial organisation assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment is periodic, informed and documented.
  4. Due diligence: The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.
  5. Communication (including training): The commercial organisation seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the organisation through internal and external communication, including training, that is proportionate to the risks it faces.
  6. Monitoring and review: The commercial organisation monitors and reviews procedures designed to prevent bribery by persons associated with it and makes improvements where necessary.”

Organisations looking for clarity should certainly start with an analysis of how well their existing anti-bribery procedures (many likely designed with the FCPA in mind) map to the six principles.  The hope of many is that the Bribery Act won’t inherently require a complete reboot for entities trying to comply.  Instead, a more measured and reasonable goal should be to have compliant entities examine the Act to see if any augmentation is necessary.  Fortunately, the Guidance principles are peppered with terms like “proportionate”, “risk-based” and “practical” that should give solace to the entities that had significant indigestion when the Act was first released.

Traditional e-discovery solutions may very well be called into duty to help augment an organisation’s “adequate procedures” particularly regarding the “risk assessment” and “due diligence” principles.  These two principles specifically call out procedures that proactively facilitate:

  • Identification of the internal and external information sources that will enable risk to be assessed and reviewed.
  • Accurate and appropriate documentation of the risk assessment and its conclusions.
  • Conducting direct interrogative enquiries, indirect investigations, or general research on proposed associated persons.
  • Appraisal and continued monitoring of recruited or engaged “associated” persons may also be required, proportionate to the identified risks.

Re-purposing of e-discovery tools in this compliance context makes sense given how things have played out here in the States with the FCPA and provides yet another way to rationalize bringing solutions in-house. In this scenario the advanced analytical components will likely come more into play than will the downstream review and production elements. This expansion of traditional e-discovery concepts, procedures and applications is logical and coincides with a leftwards movement on the EDRM spectrum. It’s also aligned with rapidly expanding notions of IMRM and information governance. I postulate that soon it will be too limiting to just talk about pure “e-discovery” tools since it inherently leaves out the rest of the compliance story. In addition to looking “right” we’ll also need to look “left” (on the EDRM) to take into account use cases like the Bribery Act.

FCPA in the News: Corruption At Home and Abroad

Friday, July 31st, 2009

It’s not just in New Jersey that corruption is in the news. It feels like everywhere you go, the authorities are investigating white collar crime and thus have an increasing need for electronic discovery technology.

Earlier this month, as those of you who follow my Twitter feed will know, I was visiting customers and partners in Germany. In virtually every meeting, data privacy and corruption investigations were top of mind, and with good reason. Following the Siemens case last year, German investigators have become much more active and it was easy for my hosts to list example after example of recent cases. There was the Deutsche Bahn case of management spying on its own employees, in violation of German privacy laws; the Deutsche Bank case of management spying on its own board; and the Deutsche Telekom case of management phone tapping employees to find leaks. There were stories of price collusion among cable car companies in the Alps, and corruption investigations into the activities of German companies in Eastern Europe.

A similar focus on anti-corruption exists closer to home. I have written before about the increase in FCPA investigations and that’s been reflected in recent headlines. As the Wall Street Journal reports, Sun and Shell have recently come under the microscope, according to their public filings. And Frederic Bourke, a founder of the accessories firm Dooney & Bourke, was recently found guilty of conspiracy to violate the Foreign Corrupt Practices Act, which may result in jail time.

All indications are that the U.S. Department of Justice and its counterparts overseas are just warming up. It’s not a good time for white collar crime, wherever you are in the world.

Foreign Corrupt Practices Act (FCPA) Drives Increased Electronic Discovery Overseas

Tuesday, May 5th, 2009

Ask a European about e-discovery, or e-disclosure as it is called in the UK, and you will often be met with a look of distaste. Much like SUVs or obesity, electronic discovery is viewed as an unpleasant, uniquely American phenomenon. But, in reality, there are fat people in Paris, Range Rovers all over London, and a lot of electronic discovery happening all across Continental Europe – whether people like to admit it or not.

One reason for that is the Foreign Corrupt Practices Act (FCPA). This US law, which has inspired similar legislation in other countries, prohibits companies from engaging in corruption, such as bribing government officials to win large contracts. That sounds simple enough, but it’s not always easy to do. For example, an American friend of mine runs a travel website in China. To advertise, he hired people to hand out flyers at all the major train stations. But after a few weeks, his employees began to get hassled by station officials who said they needed an official “permit”. So he did what anyone would do and paid the “permit fees” even though no paperwork for this “permit” was ever produced. When his US auditors looked at that, they immediately cried foul. He was then compelled to end the practice and bring in a law firm to conduct a full FCPA investigation. The result: lots of legal bills, no more advertising in train stations, and a more powerful Chinese-run competitor who has no such qualms about paying “permit fees”.

In speaking to Daniel Dorsky, Tyco’s Compliance Counsel and an expert in FCPA issues, I discovered that my friend’s experience is no longer the exception. From what Daniel described, enforcement of the FCPA has been stepped up dramatically in the past couple of years. Apparently, 2007 was the watershed. Prior to that, no one really worried about the FCPA too much. But two years ago, the Department of Justice (DoJ), under Mark Mendelsohn, began to take a different approach. First, the fines became much stiffer as, for example, Baker Hughes got hit with a $44 million penalty, by far the largest ever at the time. Second, the DoJ started to prosecute executives personally, bringing 15 criminal cases against individuals. Nothing focuses the mind like the threat of jail time, and FCPA compliance suddenly took on greater urgency.

The number of FCPA enforcement actions continued to increase in 2008, most notably with the infamous Siemens case. By the time the dust settled, the CEO of Siemens had been fired and the company was reeling from a $1.4 billion fine. Nor do things look like they are slowing down in 2009. In the first few months of this year, ABB took an $800 million accounting reserve for FCPA issues, Halliburton got fined $177 million, KBR $502 million, and the KBR CEO, Albert Stanley, got 7 years in jail to go along with his $11 million personal fine. These companies are also now vulnerable to civil suits. While there’s no private right of action under the FCPA, that does not stop securities fraud class actions or shareholder lawsuits, which charge that defendants either understated the risks or overstated the controls in their disclosures.

There are a number of reasons why FCPA enforcement actions will likely increase further in the coming months and years. The FBI recently created an FCPA taskforce of 8-12 agents, bringing all the standard law enforcement tools to FCPA compliance (e.g., wire-taps, subpoenas, informants, warrants, etc.). Many other countries are starting to enforce similar laws, with much encouragement from the US which does not want to see American businesses disadvantaged by doing the right thing. And international law enforcement agencies are cooperating more than ever before. For example, last summer in Paris, international agencies held their first FCPA conference to share information.

All of this is driving a boom in e-discovery as General Counsels and Compliance Officers regularly conduct investigations of their overseas subsidiaries to ensure FCPA compliance. These investigations often center on “red flag” countries like China, Brazil, or Russia, where compliance is most difficult. They almost always involve outside counsel, and require the processing, analysis and review of large volumes of electronic information. This applies to European companies as much as it does to American ones. Non-US nationals can be prosecuted if either communications or money goes via the US, and many European countries are following the DoJ’s lead (e.g., $600 million of Siemens’ $1.4 billion fine came from German authorities).

So no matter how Europeans feel about e-discovery, or e-disclosure, they will be doing more of it in the coming years, much like their American counterparts. It’s fair to say that, in this domain, as perhaps in others, Europeans and Americans have much more in common than they might think.