Posts Tagged ‘fraud’

“Look Right” – How E-Discovery Helps Solve the UK Bribery Act

Wednesday, June 1st, 2011

I’ve just returned from a trip across the pond where I spoke at IQPC’s Information Retention and eDisclosure Management conference, which was well attended by both local practitioners and experts from the States.  In addition to numerous discussions comparing and contrasting the US e-discovery and UK e-disclosure practices, there was also a ton of time spent focusing on regulatory compliance.  In particular, the Bribery Act 2010 was a hot topic, not surprisingly given its looming implementation date of July 1.

It occurred to me that both with the Bribery Act and its kissing cousin, the FCPA, the UK and US are strikingly similar in many ways.  We both speak the same language (sort of), but there are any number of things that are just different enough that Americans must take pause.  As an easy example, crossing the street in London can be a perilous journey given our tendency to “look left.”  Fortunately our friends abroad don’t want their lorries dented up by hapless yanks so they kindly paint numerous “look right” signs on street corners throughout their fair city.

As e-discovery and e-disclosure continue to mature in their respective lands, the sense is that the difference will rapidly become obscured, especially in light of how well the countries seem to be collaborating around best practices and civil procedure standards.  During the judges’ panel at the IQPC event, noted e-discovery legends (Judges Grimm, Peck and Facciola) roundly complimented the UK’s disclosure process, often describing how much the US can learn from our allies.

Similarly, it’s interesting to see how the Bribery Act has “gone to school” on the FCPA.  For the past decade or so the UK has been criticized for its laissez-faire attitude towards commercial bribery, particularly with a glaring gap in applicable legislation (like the FCPA). And, while a wee bit late to the party, the UK finally enacted its anti-bribery statute (on April 8, 2010), curiously dubbed the “Bribery Act 2010,” which in many ways leapfrogs the 34-year-old FCPA.  While ostensibly similar, the Act differs from the FCPA in a number of ways, many of which broaden applicability. For example, unlike the FCPA, the Act covers bribes to both the public and private sector and does not make an exception (like the FCPA) for facilitation payments (small payments given to public officials to speed up a routine service).  Similarly, the Act applies to all organizations that do business in the UK, even if they’re not based there, and even if the bribery occurs in another country.

The Bribery Act was originally scheduled to become effective in October of last year but, after numerous delays and outcries from the business community, the Ministry of Justice recently issued its “Bribery Act 2010: Guidance” and announced that the Act will finally take effect on July 1, 2011. This guidance has been eagerly awaited by anxious enterprises given the extremely broad potential of the Act. In concert with the recently promulgated prosecutorial guidelines, the guidance document gives some insight into how UK prosecutors (as enforced by the Serious Fraud Office) will initially decide who to pursue and then how the Act will be applied.  Fortunately, the promulgated guidance documents suggest that the Act is “directed at making life difficult for the mavericks responsible for corruption, not unduly burdening the vast majority of decent, law-abiding firms.”

To this end, the Guidance states that “[i]t is a full defence for an organisation to prove that despite a particular case of bribery it nevertheless had adequate procedures in place to prevent persons associated with it from bribing.”  It is these “adequate procedures” that provide a safe harbour of sorts and therefore should be perused quite carefully by impacted organisations to ensure that their compliance programs are up to muster.  The following six “guiding principles” are designed not to be prescriptive or “one-size-fits-all,” but rather to suggest a “risk-based” and proportionate approach to managing bribery risks.

  1. “Proportionate procedures: A commercial organisation’s procedures to prevent bribery by persons associated with it are proportionate to the bribery risks it faces and to the nature, scale and complexity of the commercial organisation’s activities. They are also clear, practical, accessible, effectively implemented and enforced.
  2. Top-level commitment:  The top-level management of a commercial organisation (be it a board of directors, the owners or any other equivalent body or person) are committed to preventing bribery by persons associated with it. They foster a culture within the organisation in which bribery is never acceptable.
  3. Risk assessment: The commercial organisation assesses the nature and extent of its exposure to potential external and internal risks of bribery on its behalf by persons associated with it. The assessment is periodic, informed and documented.
  4. Due diligence: The commercial organisation applies due diligence procedures, taking a proportionate and risk based approach, in respect of persons who perform or will perform services for or on behalf of the organisation, in order to mitigate identified bribery risks.
  5. Communication (including training): The commercial organisation seeks to ensure that its bribery prevention policies and procedures are embedded and understood throughout the organisation through internal and external communication, including training, that is proportionate to the risks it faces.
  6. Monitoring and review: The commercial organisation monitors and reviews procedures designed to prevent bribery by persons associated with it and makes improvements where necessary.”

Organisations looking for clarity should certainly start with an analysis of how well their existing anti-bribery procedures (many likely designed with the FCPA in mind) map to the six principles.  The hope of many is that the Bribery Act won’t inherently require a complete reboot for entities trying to comply.  Instead, a more measured and reasonable goal should be to have compliant entities examine the Act to see if any augmentation is necessary.  Fortunately, the Guidance principles are peppered with terms like “proportionate”, “risk-based” and “practical” that should give solace to the entities that had significant indigestion when the Act was first released.

Traditional e-discovery solutions may very well be called into duty to help augment an organisation’s “adequate procedures” particularly regarding the “risk assessment” and “due diligence” principles.  These two principles specifically call out procedures that proactively facilitate:

  • Identification of the internal and external information sources that will enable risk to be assessed and reviewed.
  • Accurate and appropriate documentation of the risk assessment and its conclusions.
  • Conducting direct interrogative enquiries, indirect investigations, or general research on proposed associated persons.
  • Appraisal and continued monitoring of recruited or engaged “associated” persons may also be required, proportionate to the identified risks.

Re-purposing of e-discovery tools in this compliance context makes sense given how things have played out here in the States with the FCPA and provides yet another way to rationalize bringing solutions in-house.  In this scenario the advanced analytical components will likely come more into play than will the downstream review and production elements.  This expansion of traditional e-discovery concepts, procedures and applications is logical and coincides with a leftwards movement on the EDRM spectrum.  It’s also aligned with rapidly expanding notions of IMRM and information governance.  I postulate that soon it will be too limiting to just talk about pure “e-discovery” tools since it inherently leaves out the rest of the compliance story.  In addition to looking “right” we’ll also need to look “left” (on the EDRM) to take into account use cases like the Bribery Act.

Foreign Corrupt Practices Act (FCPA) Drives Increased Electronic Discovery Overseas

Tuesday, May 5th, 2009

Ask a European about e-discovery, or e-disclosure as it is called in the UK, and you will often be met with a look of distaste. Much like SUVs or obesity, electronic discovery is viewed as an unpleasant, uniquely American phenomenon. But, in reality, there are fat people in Paris, Range Rovers all over London, and a lot of electronic discovery happening all across Continental Europe – whether people like to admit it or not.

One reason for that is the Foreign Corrupt Practices Act (FCPA). This US law, which has inspired similar legislation in other countries, prohibits companies from engaging in corruption, such as bribing government officials to win large contracts. That sounds simple enough, but it’s not always easy to do. For example, an American friend of mine runs a travel website in China. To advertise, he hired people to hand out flyers at all the major train stations. But after a few weeks, his employees began to get hassled by station officials who said they needed an official “permit”. So he did what anyone would do and paid the “permit fees” even though no paperwork for this “permit” was ever produced. When his US auditors looked at that, they immediately cried foul. He was then compelled to end the practice and bring in a law firm to conduct a full FCPA investigation. The result: lots of legal bills, no more advertising in train stations, and a more powerful Chinese-run competitor who has no such qualms about paying “permit fees”.

In speaking to Daniel Dorsky, Tyco’s Compliance Counsel and an expert in FCPA issues, I discovered that my friend’s experience is no longer the exception. From what Daniel described, enforcement of the FCPA has been stepped up dramatically in the past couple of years. Apparently, 2007 was the watershed. Prior to that, no one really worried about the FCPA too much. But two years ago, the Department of Justice (DoJ), under Mark Mendelsohn, began to take a different approach. First, the fines became much stiffer as, for example, Baker Hughes got hit with a $44 million penalty, by far the largest ever at the time. Second, the DoJ started to prosecute executives personally, bringing 15 criminal cases against individuals. Nothing focuses the mind like the threat of jail time, and FCPA compliance suddenly took on greater urgency.

The number of FCPA enforcement actions continued to increase in 2008, most notably with the infamous Siemens case. By the time the dust settled, the CEO of Siemens had been fired and the company was reeling from a $1.4 billion fine. Nor do things look like they are slowing down in 2009. In the first few months of this year, ABB took an $800 million accounting reserve for FCPA issues, Halliburton got fined $177 million, KBR $502 million, and the KBR CEO, Albert Stanley, got 7 years in jail to go along with his $11 million personal fine. These companies are also now vulnerable to civil suits. While there’s no private right of action under the FCPA, that does not stop securities fraud class actions or shareholder lawsuits, which charge that defendants either understated the risks or overstated the controls in their disclosures.

There are a number of reasons why FCPA enforcement actions will likely increase further in the coming months and years. The FBI recently created an FCPA taskforce of 8-12 agents, bringing all the standard law enforcement tools to FCPA compliance (e.g., wire-taps, subpoenas, informants, warrants, etc.). Many other countries are starting to enforce similar laws, with much encouragement from the US which does not want to see American businesses disadvantaged by doing the right thing. And international law enforcement agencies are cooperating more than ever before. For example, last summer in Paris, international agencies held their first FCPA conference to share information.

All of this is driving a boom in e-discovery as General Counsels and Compliance Officers regularly conduct investigations of their overseas subsidiaries to ensure FCPA compliance. These investigations often center on “red flag” countries like China, Brazil, or Russia, where compliance is most difficult. They almost always involve outside counsel, and require the processing, analysis and review of large volumes of electronic information. This applies to European companies as much as it does to American ones. Non-US nationals can be prosecuted if either communications or money goes via the US, and many European countries are following the DoJ’s lead (e.g., $600 million of Siemens’ $1.4 billion fine came from German authorities).

So no matter how Europeans feel about e-discovery, or e-disclosure, they will be doing more of it in the coming years, much like their American counterparts. It’s fair to say that, in this domain, as perhaps in others, Europeans and Americans have much more in common than they might think.