When a credible tip about potential criminal conduct at an overseas subsidiary lands on the GC's desk, what's their next move?

A panel of in-house counsel and compliance professionals offered their suggestions for that scenario and several others at the 2016 DLA Piper Global Technology Summit. Their discussion, entitled "The Anatomy of an Internal Investigation" and led by David Gross, a partner in DLA Piper's San Francisco office, examined recent DOJ and SEC enforcement trends, the articulation of priorities emanating from Washington, and a few examples of global internal investigations into FCPA, cybersecurity and data privacy matters.

What follows are highlights from their conversation. The panelists were:

  •  Gregg Farano, Director Legal Services, Cisco
  •  Elizabeth O'Callahan, Vice President, Legal, NetApp
  •  Robert Schlossman, Chief Legal Officer, Zscaler
  •  Cameron Hoffman, Senior Corporate Counsel & Head of Internal Investigations, Symantec

What should you do to prepare in advance of any allegation?

Schlossman: I come at this from a generalist point of view and from the perspective of a growing tech company, not a large, multi-billion-dollar company. The best way to handle the situation is to be prepared in advance. You've got to have good policies, because you can't train people on compliance and the right way to behave if you don't have policies in place. That's one of the first things regulators will look for – they'll look to see if you have policies and programs that match your risk.

O'Callahan: It is critically important to establish a plan in advance and then follow it rigorously. Especially when you ultimately find that the allegation is not credible, it is essential that the process be followed exactly so that there can be no issue as to whether it was fully investigated. Every allegation needs to be taken seriously and evaluated. If you're consistent in setting criteria and following pre-defined processes, then you're making it clear that you're unbiased and serious in managing the claim.

What should GCs be prepared to do if the regulators come knocking?

Hoffman: Prior to joining Symantec, I was with the SEC, so I come at this from a regulator's point of view. If and when a regulator contacts you, in all likelihood, something has gone wrong already. What you'll have to do at that point is prove that the policies and programs you have in place are up to standard to educate and prevent whatever activity is questioned. So you better not only conduct the training and have the policies, but you also better have a record of what you've done and when. My advice is to designate someone to keep records of your training. Know what you delivered, to whom, and when. 

Gross: One of the first things you need to consider is who controls that information, whether it's data, emails or other documents. Also, who, from an IT perspective, do you need to contact to make sure that data is retained. You immediately need to ensure the data, those emails, and those documents are secure. And to be able to do it quickly you need to know who those IT personnel are and have a plan to secure all relevant data.

How do you report inside the organization? 

Farano: Again, the best advice here is plan it out beforehand. When we have a potential complaint come in, it is assigned and assessed. We have a pre-arranged reporting process to the appropriate corporate authority. We determine what custodians need to be involved. We immediately put it into an e-discovery tool and start assessing and scoping the investigation.

When do you self-report to regulators?

Hoffman: Maybe it's blasphemy for me to say this having come out of the SEC, but I've been unchained to say so now, and I can see it from both sides of the equation. If the allegation comes to you from a very credible source, particularly if it's well-organized and relatively serious, then go to the SEC before they come to you. It raises a red flag if you're sure it's an employee and you don't report it.

Gross: With the whistleblower plaintiffs' bar, the chance of regulator involvement on an organized case is greater. When it's credible and there is real risk, self-report to the SEC or DOJ. You want to be ahead of the game; you don't want them to come to you.

Schlossman: You read the papers on some of these enforcement actions and cases and you just shake your head and say, 'How did this happen?' It can happen to smart people, even to those who are working hard to get their organizations trained and compliant. I think it probably happens when you have a bunker or insular mentality. It can happen if you don't self-check yourself and your organization. Be careful of the it-can't-happen-here mentality.