24h-payday

Posts Tagged ‘Foreign Corrupt Practices Act’

APAC eDiscovery Passports: Litigation Basics for the Asia-Pacific Region

Wednesday, June 13th, 2012

Global economic indicators point to increased trade with and outsourcing to emerging markets around the world, specifically the Asia Pacific (APAC) region. Typical U.S. sectors transacting with the East include: manufacturing, business process outsourcing (BPO)/legal process outsourcing (LPO), call centers, and other industries. The Asian Development Bank stated last year that Asia will account for half of all global economic output by 2050 if their collective GDP stays on pace.  The next 10 years will likely bring BRICS (Brazil, Russia, India, China and Japan) and The Four Asian Tigers (Hong Kong, Singapore, South Korea and Taiwan) into the forefront of the global economy. Combining this projected economic growth with the data explosion makes knowledge about the APAC legal system a necessity for litigators and international business people alike.

The convergence of the global economy across different privacy and data protection regimes has increased the complexity of addressing electronically stored information (ESI). Money and data in large volumes cross borders daily in order to conduct international business. This is true not only for Asian countries transacting with each other, but increasingly with Europe and the United States. Moreover, because technology continues to decrease the reliance on data in paper format, data will need to be produced and analyzed in the form in which it was created. This is important from a forensic standpoint, as well as an information management perspective.  This technical push is reason alone that organizations will need to shift their processes and technologies to focus more on ESI – not in only in how data is created, but in how those organizations store, search, retrieve, review and produce data.

Discovery Equals eDiscovery

The world of eDiscovery for the purposes of regulation and litigation is no longer a U.S. anomaly. This is not only because organizations may be subject to the federal and state rules of civil procedure governing pre-trial discovery in U.S. civil litigation, but because under existing Asian laws and regulatory schemes, the ability to search and retrieve data may be necessary.

Regardless of whether the process of searching, retrieving, reviewing and producing data (eDiscovery) is called discovery or disclosure or whether these processes occur before trial or during, the reality in litigation, especially for multinational corporations, is that eDiscovery may be required around the world. The best approach is to not only equip your organization with the best technology available for legal defensibility and cost-savings from the litigator’s tool belt, but to know the rules by which one must play.

The Passports

The knowledge level for many lawyers about how to approach a discovery request in APAC jurisdictions is often minimal, but there are resources that provide straightforward answers at no cost to the end-user. For example, Symantec has just released a series of “eDiscovery Passports™” for APAC that focus on discovery in civil litigation, the collision of data privacy laws, questions about the cross-border transfer of data, and the threat of U.S. litigation as businesses globalize.  The Passports are a basic guide that frame key components about a country including the legal system, discovery/disclosure, privacy, international considerations and data protection regulations. The Passports are useful tools to begin the process of exploring what considerations need to be made when litigating in the APAC region.

While the rules governing discovery in common law countries like Australia (UPC) and New Zealand (HCR) may be less comprehensive and require slightly different timing than that of the U.S. and U.K., they do exist under the UPC and HCR.  Countries like Hong Kong and Singapore, that also follow a traditional common law system, contain several procedural nuances that are unique to their jurisdictions.  The Philippines, for example, is a hybrid of both civil and common law legal systems, embodying similarities to California law due to history and proximity.  Below are some examples of cases that evidence trends in Asian jurisdictions that lean toward the U.S. Federal Rules of Civil Procedure (FRCP), Sedona Principles and that support the idea that eDiscovery is going global.

  • Hong Kong. In Moulin Global Eyecare Holdings Ltd. v. KPMG (2010), the court held the discovery of relevant documents must apply to both paper and ESI. The court did, however, reject the argument by plaintiffs that overly broad discovery be ordered as this would be ‘tantamount to requiring the defendants to turn over the contents of their filing cabinets for the plaintiffs to rummage through.’ Takeaway: Relevance and proportionality are the key factors in determining discovery orders, not format.
  • Singapore. In Deutsche Bank AG v. Chang Tse Wen (2010), the court acknowledged eDiscovery as particularly useful when the relevant data to be discovered is voluminous.  Because the parties failed to meet and confer in this case, the court ordered parties to take note of the March 2012 Practice Direction which sets out eDiscovery protocols and guidance. Takeaway: Parties must meet and confer to discuss considerations regarding ESI and be prepared to explain why the discovery sought is relevant to the case.
  • U.S. In E.I. du Pont de Nemours v. Kolon Industries (E.D. Va. July 21, 2011), the court held that defendants failed to issue a timely litigation hold.  The resulting eDiscovery sanctions culminated in a $919 million dollar verdict against the defendant South Korean company. While exposure to the FRCP for a company doing business with the U.S. should not be the only factor in determining what eDiscovery processes and technologies are implemented, it is an important consideration in light of sanctions. Takeaway:  Although discovery requirements are not currently as expansive in Asia as they are in the U.S., if conducting business with the U.S., companies may be availed to U.S. law. U.S. law requires legal hold be deployed in when litigation is reasonably anticipated.

Asia eDiscovery Exchange

On June 6-7 at the Excelsior Hotel in Hong Kong, industry experts from the legal, corporate and technology industries gathered for the Asia eDiscovery Exchange.  Jeffrey Toh of innoXcell, the organizer of the event in conjunction with the American eDJ Group, says “this is still a very new initiative in Asia, nevertheless, regulators in Asia have taken steps to implement practice directions for electronic evidence.” Exchanges like these indicate the market is ready for comprehensive solutions for proactive information governance, as well as reactive eDiscovery.  The three themes the conference touched on were information governance, eDiscovery and forensics.  Key sessions included “Social Media is surpassing email as a means of communication; What does this mean for data collection and your Information Governance Strategy” with Barry Murphy, co-founder and principal analyst, eDiscovery Journal and Chris Dale, founder, e-Disclosure Information Project, as well as “Proactive Legal Management” (with Rebecca Grant, CEO of iCourts in Australia and Philip Rohlik, Debevoise & Plimpton in Hong Kong).

The Asian market is ripe for new technologies, and the Asia eDiscovery Exchange should yield tremendous insight into the unique drivers for the APAC region and how vendors and lawyers alike are adapting to market with their offerings.  The eDiscovery Passports™ are also timely as they coincide with a marked increase in Asian business and the proposal of new data protection laws in the region.  Because the regional differences are distinct with regard to discovery, resources like this can help litigators in Asia interregionally, as well as lawyers around the world.  Thought leaders in the APAC region have come together to discuss these differences and how technology can best address the unique requirements in each jurisdiction.  The conference has made clear that information governance, archiving and eDiscovery tools are necessary in the region, even if those needs are not necessarily motivated by litigation as in the U.S. 

The Demise of The News of the World: An Analysis of “Hackgate” Through an eDiscovery Lens

Friday, June 1st, 2012

The events surrounding the troubled News Corporation media empire, under investigation for the illegal seizure of electronic evidence (ESI), are seemingly never-ending. The Australian billionaire Rupert Murdoch is chairman of the New York-based parent company, News Corporation, and as a U.S. based company with subsidiaries abroad, the litigation exposure for the company is vast. News International, a U.K. subsidiary of News Corporation, shut down one of their oldest running publications, The News of the World, in July last year amid the monumental phone hacking scandal known as Hackgate. Although the paper was dissolved, allegations beginning as early as 2002 detail unethical media practices, email/phone (voicemail)/text hacking, police bribery, and the recent Leveson inquiry. This firestorm continues to plague the company and has created one of the most complex legal debacles of the modern era.

A myriad of reasons are responsible for these legal complexities that continue to unfold, including: active civil/criminal actions in both U.S. and U.K jurisdictions, questions about how evidence has been obtained and the subsequent admissibility in differing jurisdictions, public inquiries in the U.K., as well as investigations by the Federal Bureau of Investigation (FBI) and the U.S. Department of Justice under the Foreign Corrupt Practices Act (FCPA). Under the FCPA, American companies are prohibited from compensating representatives of a foreign government for a commercial advantage. This is particularly poignant given the recently released text messages uncovered in the Leveson inquiry, which expose alleged illegal communications between Frederic Michel, a lobbyist for News Corporation and Jeremy Hunt, the Secretary of State for Culture, Olympics, Media and Sport, during News Corporation’s bid to acquire BSkyB during 2010-11. The bid has since been abandoned and so have Murdoch’s attempts to create the largest media empire in the world.

eDiscovery and Hackgate

To date, there have been more than 60 civil claims brought in the U.K. derived from Hackgate (many have been privately settled), not including any U.S. litigation, Operation Weeting, the Leveson inquiry, and other various concurrent investigations. Several key disclosure orders from the High Court in these civil cases have resulted in extensive discovery that points to not only a conspiracy, but to the willful destruction of evidence. The High Court judge presiding over the civil lawsuits, Geoffrey Vos, was shocked by the company’s “startling approach” to e-mail, particularly because subsequent to receiving formal requests for documents, the company still failed to preserve relevant emails. In fact, the company inquired with its email provider about how to delete those emails. Vos is quoted as saying that News International should be “treated as deliberate destroyers of evidence.”

A hard copy of an email from 2008 addressed to Mr. Murdoch’s son, James Murdoch, who at the time was a top executive of News International, is of particular interest regarding his level of knowledge about Hackgate. The email is from a thread between News Corporation’s in-house counsel to the then-editor, Colin Myler, informing James that the legal fallout from phone-hacking was imminent.  James and his father later testified that they had no knowledge of the emails and that they failed to appreciate any illegal activity regarding phone hacking at the newspaper. Apparently, the electronic copy of the email was deleted on Jan. 15, 2011 during an “e-mail stabilization and modernization program.”

As frequently discussed in the U.S., having a document retention policy is crucial to the defensible deletion of data in a corporation. That deletion must be suspended and relevant data must be place on legal hold once litigation is reasonably anticipated. Moreover, it should not be instituted in the midst of a company-wide international crisis.  What is troublesome in this scenario is that no such policy seems to have existed regarding document retention or legal hold.  If a properly deployed retention schedule existed, then the emails would have been deleted prior to 2011 as part of the normal course of business. Conversely, if there was reasonable anticipation of litigation, then given the proper issuance of legal hold, the emails surely would not have been deleted. In the U.K., case law does exist to support the need for preservation and an ESI management system that would allow for full disclosure of relevant information.

The News Corporation has both the U.S. and U.K. to contend with regarding the defensibility of their information management systems and potential sanctions. However, in either scenario, the intentional deletion of relevant evidence is an obstruction of justice (in a criminal sense). News Corporation is a prime example of a multinational corporation that is not only suffering from the repercussions of bad behavior, but one that could not mitigate these risks at the highest level due to poor information management. The need for a comprehensive information governance plan and in-house technology would have been key to any internal investigations to research and monitor alleged illegal activities of employees, as well as to responding to litigation and regulatory inquiries. A proper information management system might have obviated much of News of the World’s troubles, provided for more transparency, and potentially prevented this never-ending downward spiral.

Losing Weight, Developing an Information Governance Plan, and Other New Year’s Resolutions

Tuesday, January 17th, 2012

It’s already a few weeks into the new year and it’s easy to spot the big lines at the gym, folks working on fad diets and many swearing off any number of vices.  Sadly perhaps, most popular resolutions don’t even really change year after year.  In the corporate world, though, it’s not good enough to simply recycle resolutions every year since there’s a lot more at stake, often with employee’s bonuses and jobs hanging in the balance.

It’s not too late to make information governance part of the corporate 2012 resolution list.  The reason is pretty simple – most companies need to get out of the reactive firefighting of eDiscovery given the risks of sloppy work, inadvertent productions and looming sanctions.  Yet, so many are caught up in the fog of eDiscovery war that they’ve failed to see the nexus between the upstream, proactive good data management hygiene and the downstream eDiscovery chaos.

In many cases the root cause is the disconnect between differing functional groups (Legal, IT, Information Security, Records Management, etc.).  This is where the emerging umbrella concept of Information Governance comes to play, serving as a way to tackle these information risks along a unified front. Gartner defines information governanceas the:

“specification of decision rights, and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archiving and deletion of information, … [including] the processes, roles, standards, and metrics that ensure the effective and efficient use of information to enable an organization to achieve its goals.”

Perhaps more simply put, what were once a number of distinct disciplines—records management, data privacy, information security and eDiscovery—are rapidly coming together in ways that are important to those concerned with mitigating and managing information risk. This new information governance landscape is comprised of a number of formerly discrete categories:

  • Regulatory Risks – Whether an organization is in a heavily regulated vertical or not, there are a host of regulations that an organization must navigate to successfully stay in compliance.  In the United States these include a range of disparate regimes, including the Sarbanes-Oxley Act, HIPPA, the Securities and Exchange Act, the Foreign Corrupt Practices Act (FCPA) and other specialized regulations – any number of which require information to be kept in a prescribed fashion, for specified periods of time.  Failure to turn over information when requested by regulators can have dramatic financial consequences, as well as negative impacts to an organization’s reputation.
  • Discovery Risks – Under the discovery realm there are any number of potential risks as a company moves along the EDRM spectrum (i.e., Identification, Preservation, Collection, Processing, Analysis, Review and Production), but the most lethal risk is typically associated with spoliation sanctions that arise from the failure to adequately preserve electronically stored information (ESI).  There have been literally hundreds of cases where both plaintiffs and defendants have been caught in the judicial crosshairs, resulting in penalties ranging from outright case dismissal to monetary sanctions in the millions of dollars, simply for failing to preserve data properly.  It is in this discovery arena that the failure to dispose of corporate information, where possible, rears its ugly head since the eDiscovery burden is commensurate with the amount of data that needs to be preserved, processed and reviewed.  Some statistics show that it can cost as much as $5 per document just to have an attorney privilege review performed.  And, with every gigabyte containing upwards of 75,000 pages, it is easy to see massive discovery liability when an organization has terabytes and even petabytes of extraneous data lying around.
  • Privacy Risks – Even though the US has a relatively lax information privacy climate there are any number of laws that require companies to notify customers if their personally identifiable information (PII) such as credit card, social security, or credit numbers have been compromised.  For example, California’s data breach notification law (SB1386) mandates that all subject companies must provide notification if there is a security breach to the electronic database containing PII of any California resident.  It is easy to see how unmanaged PII can increase corporate risk, especially as data moves beyond US borders to the international stage where privacy regimes are much more staunch.
  • Information Security Risks Data breaches have become so commonplace that the loss/theft of intellectual property has become an issue for every company, small and large, both domestically and internationally.  The cost to businesses of unintentionally exposing corporate information climbed 7 percent last year to over $7 million per incident.  Recently senators asked the SEC to “issue guidance regarding disclosure of information security risk, including material network breaches” since “securities law obligates the disclosure of any material network breach, including breaches involving sensitive corporate information that could be used by an adversary to gain competitive advantage in the marketplace, affect corporate earnings, and potentially reduce market share.”  The senators cited a 2009 survey that concluded that 38% of Fortune 500 companies made a “significant oversight” by not mentioning data security exposures in their public filings.

Information governance as an umbrella concept helps organizations to create better alignment between functional groups as they attempt to solve these complex and interrelated data risk challenges.  This coordination is even more critical given the way that corporate data is proliferating and migrating beyond the firewall.  With even more data located in the cloud and on mobile devices a key mandate is managing data in all types of form factors. A great first step is to determine ownership of a consolidated information governance approach where the owner can:

  • Get C-Level buy-in
  • Have the organizational savvy to obtain budget
  • Be able to define “reasonable” information governance efforts, which requires both legal and IT input
  • Have strong leadership and consensus building skills, because all stakeholders need to be on the same page
  • Understand the nuances of their business, since an overly rigid process will cause employees to work around the policies and procedures

Next, tap into and then leverage IT or information security budgets for archiving, compliance and storage.  In most progressive organizations there are likely ongoing projects that can be successfully massaged into a larger information governance play.  A great place to focus on initially is information archiving, since this one of the simplest steps an organization can take to improve their information governance hygiene.  With an archive organizations can systematically index, classify and retain information and thus establish a proactive approach to data management.  It’s this ability to apply retention and (most importantly) expiration policies that allows organizations to start reducing the upstream data deluge that will inevitably impact downstream eDiscovery processes.

Once an archive is in place, the next logical step is to couple a scalable, reactive eDiscovery process with the upstream data sources, which will axiomatically include email, but increasingly should encompass cloud content, social media, unstructured data, etc.  It is important to make sure  that a given  archive has been tested to ensure compatibility with the chosen eDiscovery application to guarantee that it can collect content at scale in the same manner used to collect from other data sources.  Overlaying both of these foundational pieces should be the ability to place content on legal hold, whether that content exists in the archive or not.

As we enter 2012, there is no doubt that information governance should be an element in building an enterprise’s information architecture.  And, different from fleeting weight loss resolutions, savvy organizations should vow to get ahead of the burgeoning categories of information risk by fully embracing their commitment to integrated information governance.  And yet, this resolution doesn’t need to encompass every possible element of information governance.  Instead, it’s best to put foundational pieces into place and then build the rest of the infrastructure in methodical and modular fashion.

Foreign Corrupt Practices Act (FCPA) Drives Increased Electronic Discovery Overseas

Tuesday, May 5th, 2009

Ask a European about e-discovery, or e-disclosure as it is called in the UK, and you will often be met with a look of distaste. Much like SUVs or obesity, electronic discovery is viewed as an unpleasant, uniquely American phenomenon. But, in reality, there are fat people in Paris, Range Rovers all over London, and a lot of electronic discovery happening all across Continental Europe – whether people like to admit it or not.

One reason for that is the Foreign Corrupt Practices Act (FCPA). This US law, which has inspired similar legislation in other countries, prohibits companies from engaging in corruption, such as bribing government officials to win large contracts. That sounds simple enough, but it’s not always easy to do. For example, an American friend of mine runs a travel website in China. To advertise, he hired people to hand out flyers at all the major train stations. But after a few weeks, his employees began to get hassled by station officials who said they needed an official “permit”. So he did what anyone would do and paid the “permit fees” even though no paperwork for this “permit” was ever produced. When his US auditors looked at that, they immediately cried foul. He was then compelled to end the practice and bring in a law firm to conduct a full FCPA investigation. The result: lots of legal bills, no more advertising in train stations, and a more powerful Chinese-run competitor who has no such qualms about paying “permit fees”.

In speaking to Daniel Dorsky, Tyco’s Compliance Counsel and an expert in FCPA issues, I discovered that my friend’s experience is no longer the exception. From what Daniel described, enforcement of the FCPA has been stepped up dramatically in the past couple of years. Apparently, 2007 was the watershed. Prior to that, no one really worried about the FCPA too much. But two years ago, the Department of Justice (DoJ) under Mark Mendelsohn, began to take a different approach. First, the fines became much stiffer as, for example, Baker Hughes got hit with a $44 million penalty, by far the largest ever at the time. Second, the DoJ started to prosecute executives personally, bringing 15 criminal cases against individuals. Nothing focuses the mind like the threat of jail time, and FCPA compliance suddenly took on greater urgency.

The number of FCPA enforcement actions continued to increase in 2008, most notably with the infamous Siemens case. By the time the dust settled, the CEO of Siemens had been fired and the company was reeling from a $1.4 billion fine. Nor do things look like they are slowing down in 2009. In the first few months of this year, ABB took an $800 million accounting reserve for FCPA issues, Halliburton got fined $177 million, KBR $502 million, and the KBR CEO, Albert Stanley, got 7 years in jail to go along with his $11 million personal fine. These companies are also now vulnerable to civil suits. While there’s no private right of action under the FCPA, that does not stop securities fraud class actions or shareholder lawsuits, which charge that defendants either understated the risks or overstated the controls in their disclosures.

There are a number of reasons why FCPA enforcement actions will likely increase further in the coming months and years. The FBI recently created an FCPA taskforce of 8-12 agents, bringing all the standard law enforcement tools to FCPA compliance (e.g., wire-taps, subpoenas, informants, warrants, etc.). Many other countries are starting to enforce similar laws, with much encouragement from the US which does not want to see American businesses disadvantaged by doing the right thing. And international law enforcement agencies are cooperating more than ever before. For example, last summer in Paris, international agencies held their first FCPA conference to share information.

All of this is driving a boom in e-discovery as General Counsels and Compliance Officers regularly conduct investigations of their overseas subsidiaries to ensure FCPA compliance. These investigations often center on “red flag” countries like China, Brazil, or Russia, where compliance is most difficult. They almost always involve outside counsel, and require the processing, analysis and review of large volumes of electronic information. This applies to European companies as much as it does to American ones. Non-US nationals can be prosecuted if either communications or money goes via the US, and many European countries are following the DoJ’s lead (e.g., $600 million of Siemens’ $1.4 billion fine came from German authorities).

So no matter how Europeans feel about e-discovery, or e-disclosure, they will be doing more of it in the coming years, much like their American counterparts. It’s fair to say that, in this domain, as perhaps in others, Europeans and Americans have much more in common than they might think.