Internal Investigations in 2007 - Current Strategies ... · and review of compliance and audit, risk management, ... Depot in its Strategic Financial Analysis Group and Internal Audit

©2007 Foley & Lardner LLP

INTERNAL INVESTIGATIONS IN 2007 - 1:15 PM CURRENT STRATEGIES, OPTIMAL PROCEDURES

Jerry Barbanel, Aon Corporation

Bryan House, Foley & Lardner LLP

Amy Jones, McDonald’s Corporation

John Landis, Foley & Lardner LLP

Corey Martens, Deloitte Financial Advisory Services LLP

Jerry Okarma, Johnson Controls, Inc.

David Skidmore, NCR Corporation


JERRY BARBANEL CO-GLOBAL PRACTICE LEADER AON CORPORATION

Jerry Barbanel is the Co-Global Practice Leader of the Financial Advisory & Litigation Consulting Services practice. Jerry has focused exclusively on forensic accounting and litigation consulting since 1997. Prior to joining Aon, he was the national practice leader for the forensic and investigative accounting services practice at another international consulting firm and also practiced at two Big Five accounting firms. He began his accounting career as an auditor at Peat Marwick Mitchell & Co. (now KPMG). A former prosecutor, Jerry served as an assistant district attorney in the Manhattan District Attorney's Office. In this capacity he handled numerous fraud cases, including working closely with lead prosecutor Eliot Spitzer in the prosecution of the Gambino crime family's trucking empire.

Jerry's experience spans a wide range of industries. Senior management and counsel of corporations have relied on him to assist with board of director, audit committee and special committee investigations related to financial, compliance, regulatory and other sensitive matters. He specializes in complex financial investigations, including fraud, money laundering, asset misappropriations, defalcations, Ponzi and pyramid schemes, insider trading, self-dealing, trading irregularities, reconstruction of books and records, accounting irregularities and fraudulent financial reporting as well as securities and commercial litigation.

In addition, Jerry has also advised counsel on the design and review of compliance and audit, risk management, fraud prevention, detection and monitoring programs.


2

BRYAN B. HOUSE PARTNER FOLEY & LARDNER LLP

Bryan B. House is a partner in Foley & Lardner LLP's Securities Litigation, Enforcement & Regulation and White Collar Defense & Corporate Compliance Practice Groups. Mr. House specializes in Securities Exchange Commission and other government enforcement proceedings, as well as securities litigation.

Mr. House has significant experience in securities law enforcement matters, including matters involving initial public offerings, listed equities, mutual funds and municipal bonds. He has represented accountants, broker-dealers, underwriters, issuers, futures commission merchants, bond counsel, financial institutions, individual stock purchasers, and directors and officers in enforcement matters and litigation. Mr. House has represented clients in such diverse matters as earnings misstatements, insider trading, yield-burning in municipal bond offerings, campaign finance, options backdating and the Foreign Corrupt Practices Act.

Another significant portion of Mr. House's practice includes representation of companies and board committees in internal investigations regarding accounting irregularities and other financial frauds. Mr. House has also represented individual officers, directors and attorneys in connection with these internal investigations. In these matters, Mr. House often advises clients regarding proper corporate governance and compliance practices.

Mr. House graduated, with distinction, from Indiana University in 1990, where he received Phi Beta Kappa honors. He graduated from the University of Minnesota, cum laude, in 1993. He is admitted to the bar in Wisconsin, Virginia and the District of Columbia, as well as numerous federal courts. Mr. House recently returned to the firm's Milwaukee office after more than nine years in the firm's Washington, DC office.


3

AMY JONES DIRECTOR OF INTERNAL AUDIT MCDONALD’S CORPORATION

Amy Jones has 10+ years of experience within world class audit organizations and is currently the Director of Internal Audit for McDonald's Corporation. At McDonald’s Corporation, Amy is responsible for directing McDonald’s internal audit activities throughout the world and managing audit teams in the United States, Europe, and Asia/Pacific. Since joining the company in 2004, she has been a key member in hiring and developing of the global McDonald’s Internal Audit Team, building the department’s processes and methodology, and testing and evaluating Sarbanes-Oxley controls. Prior to joining McDonald's, Amy worked for The Home Depot in its Strategic Financial Analysis Group and Internal Audit Department in Atlanta. Within the Internal Audit department, Amy was an integral part in transforming the existing department into one’s of the Company’s Leadership Programs for high performing employees. Amy started her career in public accounting at KPMG in its Real Estate and Public Services groups. Amy is a graduate of Auburn University and is a Certified Public Accountant.


4

JOHN LANDIS PARTNER FOLEY & LARDNER LLP

John R. Landis is a partner with Foley & Lardner LLP, and is a member of the firm's Securities Litigation, Enforcement and Regulation Practice. Mr. Landis’ practice includes advising and representing his clients in securities regulatory and enforcement proceedings, internal corporate investigations, commercial litigation and dispute resolution and general business matters (including corporate governance). Mr. Landis’ clients include a number of Fortune 500 corporations, investment banking and municipal finance firms, broker/dealers, mutual funds, hedge funds, insurance companies and banks. Mr. Landis also works with a number of civic and non-profit organizations, including the Kohl Children’s Museum of Greater Chicago.

Prior to joining Foley, Mr. Landis practiced for three years with Cravath, Swaine & Moore in New York City. He graduated from the University of Minnesota School of Law (J.D., magna cum laude, 1988), where he was a member of the law review, after which he clerked for two years for the Hon. James M. Rosenbaum, U.S. District Court, District of Minnesota. Mr. Landis also practiced with the Twin Cities firm Maun & Simon.

A native of Appleton, Wis., Mr. Landis received his undergraduate degree in mathematics from Lawrence University in 1984. He is admitted to practice in Illinois, New York, Minnesota, and Oregon.


5

COREY MARTENS DIRECTOR OF INTERNAL AUDIT DELOITTE FINANCIAL

ADVISORY SERVICES

Corey M. Martens is a partner in the Deloitte FAS Forensic & Dispute Services practice in Chicago. Corey focuses on client matters involving financial/fraud investigations, Securities and Exchange Commission (SEC) and other regulatory inquiries and investigations, and the provision of consulting services in the areas of forensic accounting, litigation support, and fraud risk management for public and private companies, both domestically and internationally. Corey has managed investigations in Canada, Mexico, Brazil, Venezuela, Chile, Argentina, Taiwan, South Korea, China, Pakistan, the Netherlands, Cyprus, and the United Arab Emirates, as well as numerous states within the United States. Corey joined the Chicago office in 1999 after practicing as an external auditor in the Deloitte & Touche LLP Milwaukee office, performing financial audits for public and private companies of varying sizes and industries, control reviews, and regulatory compliance audits.


6

JEROME OKARMA VICE-PRESIDENT, GENERAL

COUNSEL & SECRETARY JOHNSON CONTROLS, INC.

Mr. Okarma is Vice President, Secretary and General Counsel of Johnson Controls, Inc., a $32 billion (revenues) global market leader in automotive systems, facility management and control and power solutions, located in Milwaukee, WI. He joined the company in 1989, and had previously served as group vice president and general counsel for each of the Company’s operating groups.

Prior to joining Johnson Controls, Inc., Mr. Okarma served as Assistant Secretary and Senior Attorney at Borg-Warner Corporation, Chicago, IL, from 1982-1989, and as Attorney at Inland Steel Company, Chicago, IL, from 1977-1982.

Mr. Okarma received his Juris Doctor degree from Northwestern University School of Law, Chicago, IL, in 1977 and his B.A. (History) with Honors from Western Illinois University, Macomb, IL, in 1974. He is a member of the bar of both Wisconsin and Illinois.


7

DAVID SKIDMORE MANAGER, CORPORATE

SECURITY NCR CORPORATION

David Skidmore, CPP, joined NCR Corporate Security in March 2000. NCR is a Fortune 500 company headquartered in Dayton, Ohio, has annual revenues of $6.5 billion dollars with 28,000 employees. Dave was promoted in April 2004 to the Corporate Security Director, reporting to the VP of Internal Audit and the Audit Committee of the companies' Board of Directors. In this role, he manages and conducts investigations, oversees the departments overall responsibilities including losses from ATM machines, safety and security reviews, investigations of fraud, embezzlement, and other defalcations, and computer forensics investigations. The Corporate Security function at NCR is also responsible for investigations on behalf of NCR's Ethics and Compliance Officer. He is a retired Sergeant from the Montgomery County Sheriff’s Office where he served as a Detective and Detective Sergeant working criminal investigations, internal affairs investigations, and managed the department’s national accreditation process. Dave has 25 years of investigative experience. He then spent three years with a national investigative firm, based in Dayton, as the business development manager prior to joining NCR Corporation. Dave is a veteran of the United States Marine Corps and a graduate of Sinclair College with a degree in criminal justice.


Internal Investigations in 2007 Current Strategies, Optimal Procedures

National Directors Institute March 8, 2007

I. Panel Introductions

Jerry Okarma, Johnson Controls Jerry Barbanel, Aon Corporation Corey Martens, Deloitte Financial Advisory Services LLP Amy Jones, McDonald’s Corporation David Skidmore, NCR Corporation Bryan House, Foley & Lardner LLP John Landis, Foley & Lardner LLP

II. The Continuing Importance of Technology When Gathering Documents

A. Deciding whether to handle document collection in-house versus using vendors 1. Determining the scope of the document review 2. Balancing the costs of a search through voluminous electronic records

B. Conducting a thorough search for documents 1. Searching Archives/tapes 2. Checking multiple sources and locations

C. Searching the documents that you have 1. Establishing databases 2. Using word searches 3. Getting government sign-off and working with regulators

D. Dealing with the consequences of not conducting a thorough document collection 1. Effect of 2006 amendments to civil discovery rules 2. Adverse inferences in civil litigation 3. Losing trust with the regulators 4. Regulatory penalties for lack of cooperation

III. Surviving Regulatory Inquiries

A. Dealing with multiple agencies at the same time 1. Using the internal investigation to gain control over the situation 2. Convincing other agencies to stand down in favor of one primary agency

B. Considering waiver of privilege 1. Effect of the 2006 McNulty Memorandum setting guidelines for a criminal

prosecutors request for a waiver of privilege 2. SEC continues to request waiver despite court decisions against SEC

position, In re Quest Communications, Int’l., 450 F.3d 1179 (10th Cir. 2006)


3. American Bar Association submission to SEC Chairman Christopher Cox suggesting changes to 2001 “Seaboard Report” regarding cooperation credit

C. Ramifications of U.S. v. Stein, 435 F. Supp. 2d 330 (S.D.N.Y. 2006) (“Stein I”) and U.S. v. Stein, 440 F. Supp. 2d 315 (S.D.N.Y. 2006) (“Stein II”) 1. Deciding whether and when individuals may need separate counsel 2. Balancing the need to take action against wrongdoers with the

responsibility to comply with indemnification provisions IV. Ensuring that Your Internal Investigation Does Not Go Too Far

A. Considering potentially applicable federal and state civil and criminal laws 1. Understanding potentially relevant federal laws, including Telephone

Records and Privacy Protection Act of 2006, Gramm-Leach-Bliley, Computer Fraud and Abuse Act, Electronic Communications Privacy Act

2. Understanding the varying state laws, such as wiretapping and email access, that may be implicated in a multi-state investigation

3. Hewlett-Packard matter B. Remember State Bar Rules

1. Ethics rules prohibiting lawyers from counseling or assisting clients in committing a crime

2. Ethics rules prohibiting contact with unrepresented clients 3. Allen v. International Truck and Engine, Case No. 02CV0902 (S.D. Ind.

September 6, 2006) (finding numerous violations of Indiana ethics rules) 4. Urso v. Bayer Corp., Case No. 04C0114 (N.D. Ill. September 27, 2006)

(imposing sanctions against lawyer) C. Working with reputable investigators

1. Lawyers and clients cannot absolve themselves of responsibility by hiring outside parties to conduct the investigation a) Model Rule 5.3 b) Midwest Motor Sports v. Artic Cat Sales, Inc., 347 F.3d 693 (8th Cir. 2003) (holding attorneys for conduct of third parties attempts to gather evidence by improper means)

2. Ensuring that third parties are monitored and controlled during an investigation.

D. Protecting your investigation from employee claims, such as wrongful termination and defamation

Michael P. MatthewsFoley & Lardner LLP777 E. Wisconsin Ave.Milwaukee, WI 53202414-297-5556mmatthewsCa^foley.com

Gregory S. BruchFoley & Lardner LLP3000 K Street, NWWashington, DC 20007202-672-5300gbruchCa.foley.com

CONDUCTING INTERNAL INVESTIGATIONS

In the current regulatory environment, companies are increasingly conductinginternal investigations focused on potential wrongdoing. U.S. laws and law enforcement agenciesincreasingly expect that companies will police their own conduct and report potential misconductto the appropriate federal law enforcement agency. For example, the Office of Inspector Generalof the Department of Health and Human Services has adopted a formal disclosure protocol underwhich potential misconduct or unlawful activity can be reported to it. Additionally, theDepartment of Justice has adopted Principles of Federal Prosecution of Business Organizationsthat specifically require consideration of "[the] corporation's timely and voluntary disclosure ofwrongdoing and its willingness to cooperate in the investigation of its agents. ..." i Thisregulatory landscape highlights the critical importance of the issues discussed in this primerrelating to internal corporate investigations and government disclosure.

There is no standard definition of the term "internal investigation." For purposesof this primer, we mean to include the full range of information-gathering activities that acompany engages in upon learning of possible wrongdoing. In some instances, the internalinvestigation may appropriately be limited to a few interviews and the gathering and review of alimited number of documents. In other instances, the internal investigation will require a far-reaching and comprehensive search for documents, the review of vast quantities of documentsand other records, and extensive interviews of large numbers of witnesses.

For the most part, this primer focuses on internal investigations conducted as aresult of concerns that a company may have violated U.S. law. Similar issues (as well as certainimportant differences) are involved in internal investigations where the company is the potentialvictim of misconduct (e.g., theft of company assets), and we will touch upon those distinctionsbelow.

What follows is a thumbnail discussion of seven steps for conducting internalinvestigations from the initial stages, to document collection, to corrective action and governmentdisclosure.

I.

DECIDING WHETHER TO INITIATE AN INTERNAL INVESTIGATION

The initial issue to be considered upon uncovering potential wrongdoing is whetheran internal investigation is warranted. If it appears that the government has already initiated aninvestigation or that one is probable, then the case for undertaking an internal investigation islikely to be compelling. When faced with a government investigation, it is almost always in thebest interests of the company to gather information to enable the company to respond effectivelyto the government's investigation.

1 See December 12, 2006 Memorandum from Deputy Attorney General Paul J. McNulty, Principles of FederalProsecution of Business Organizations, at 4 (the "McNulty Memorandum").

MILW_2188630.2

There are several respects in which information gathered during an internalinvestigation can assist in forming an effective response to a government investigation. Theinternal investigation may uncover persuasive evidence from which the company can argue eitherthat no violative conduct occurred or that the matter otherwise does not warrant prosecution. Theresults of the internal investigation can assist the company in deciding whether to attempt tosettle the government investigation. The results of the internal investigation might assist thecompany in persuading the government to agree to a settlement that the company findsacceptable. Disclosing the results of the investigation can assist the company in persuading thegovernment either that no government investigation is necessary or, more likely, that thegovernment investigation need be far less extensive and disruptive than it might otherwise be.Evidence gathered in the internal investigation can also assist in preparing witness testimony.The internal investigation might uncover evidence that refreshes a witness's recollection so thatthe witness recalls exculpatory events or appears more credible than might otherwise be the case.In addition, an internal investigation might enable the company to develop themes that are helpfulto the company and that place the alleged misconduct in an appropriate context.

In the context of a possible criminal prosecution, the federal sentencing guidelinesfor corporations provide for an increase in criminal fines to be imposed on corporations inconnection with criminal violations of federal law if senior corporate personnel "participated in,condoned, or [were] willfully ignorant of the offense" or if "tolerance of the offense by substantialauthority personnel was pervasive throughout the corporation." Guidelines Manual § 8C2.5.Conversely, the guidelines provide for a reduction in a corporate criminal fine under certaincircumstances, if the criminal offense occurred despite "an effective program to prevent anddetect violations of law." Id. There is a presumption that the program was not effective if seniormanagement participated in, condoned, or were willfully ignorant of the offensive conduct. §8C2.5(f). In addition, certain government agencies have formally implemented programs that aredesigned to encourage companies voluntarily to disclose misconduct to the government beforethe government begins an investigation.

The fact that, upon uncovering red flags, a company promptly undertook aninternal investigation and implemented appropriate remedial action can also assist a company inarguing against the imposition of civil penalties. See United States v. Phelps Dodge Indus., Inc.,589 F. Supp. 1340 (S.D.N.Y. 1984). In Phelps Dodge, in considering the civil penalty to beimposed on Phelps Dodge in connection with an alleged violation of an FTC cease and desistorder, the district court considered the company's failure to investigate indications of misconductas one factor indicating the company's bad faith. Id. at 1364. The SEC also has stated that it willassess the "presence or lack of remedial steps by the corporation," as well as the extent of thecorporation's cooperation with law enforcement and other factors, in determining whether andhow much of a financial penalty to seek against a corporation. 2

The case for an internal investigation is also likely to be compelling if privatelitigation has been commenced or is probable. An internal investigation can greatly assist acompany in mounting an effective response to a private action. For example, in response to anallegation of discrimination, a prompt and effective investigation followed by appropriate remedialaction can assist the company in successfully asserting an affirmative defense pursuant toBurlington Industries, Inc. v. Ellerth, 524 U.S. 742 (1998) and Faragher v. City of Boca Raton,524 US. 775 (1998). Similarly, the extent, if any, to which the company may be exposed topunitive damages in a private action may be affected by whether a company conducted a promptand effective investigation in response to indications that an employee or agent may have engaged

2 See Statement of the Securities and Exchange Commission Concerning Financial Penalties, 2006-4, Jan. 4,2006 (available at http://www.sec.gov/news/press/2006-4.htm).

FOLEY & LARDNER LLP

MILW_2188630.2

2

FOLEY

in misconduct. The Restatement of Torts provides that punitive damages may properly beawarded against a company for the misconduct of the company's employee or agent if, amongother things, the company "ratified or approved of the" misconduct. Restatement (Second) ofTorts § 909 (1979). Failure to conduct a prompt and effective internal investigation may betreated as a ratification for this purpose. See Davis v. Merrill Lynch, Pierce, Fenner & Smith, Inc.,906 F.2d 1206, 1224 (8 th Cir. 1990) (Merrill Lynch "may have ratified [an employee's conduct] byfailing to investigate the unusual increase in [trading] activity in the [account of an elderlywidow]"). In addition, in determining the extent to which punitive damages are appropriateagainst a company, a trier of fact may consider whether company's management respondedappropriately to indications that an employee had acted inappropriately. Id. at 1225.

Determining whether to undertake an internal investigation is more difficult wherethe government has not yet initiated an investigation and where it appears improbable that thegovernment will initiate an investigation or that a private action will be brought. Internalinvestigations can have a number of negative consequences to a company. They can be expensiveand disruptive. They can distract the energy of management and create morale problems. Theycan uncover wrongful conduct that might otherwise never have become known. Moreover, theprocess of conducting an internal investigation can increase the likelihood that informationregarding possible misconduct will reach the government and/or the press. Accordingly, in theabsence of a government investigation or the threat of a lawsuit, management might hesitate toauthorize an internal investigation.

There are a number of reasons why management nevertheless often authorizesinternal investigations even when it does not appear that the government has initiated an internalinvestigation or is likely to do so. First, the willingness and capacity to conduct internalinvestigations in response to red flags is an important component of an effective complianceprogram. Company personnel are likely to take a company's procedures and policies lessseriously if they learn that the company does not pursue indications of wrongdoing. For example,if employees observe both that company personnel routinely make improper payments to foreignofficials in order to secure business for the company and that senior management appearsindifferent to these payments, employees will be more likely to ignore company policiesprohibiting such payments.

Second, senior management has an obligation to take steps when confronted withindications of wrongful conduct. Recent case law indicates that members of the board ofdirectors might be personally liable for fines, penalties and losses incurred by a company as aresult of unlawful conduct by the company or its employees unless the directors have assur[ed]themselves that information and reporting systems exist in the organization that are reasonablydesigned to provide to senior management and to the board itself timely, accurate informationsufficient to allow management and the board, each within its scope, to reach informedjudgments concerning both the corporation's compliance with law and its business performance.In re Caremark Intl, Inc., 698 A.2d 959, 970 (Del. Ch. 1996). In Caremark, the court opined that,under Delaware law, a director "includes a duty to attempt in good faith to assure that a corporateinformation and reporting system, which the board concludes is adequate, exists, and that failureto do so under some circumstances may, in theory at least, render a director liable for lossescaused by non-compliance with applicable legal standards." Id. See also McCall v. Scott, 239F.3d 808 (6 th Cir. 2001); Stone v. Ritter, A.2d _, No. 93, 2006, 2006 WL 3169168 (Del.Supr. Nov. 6, 2006). In addition, underwriters often require companies to maintain a complianceprogram as a condition to the issuance of an insurance policy covering officers' and directors'liability.

FOLEY & LARDNER LLP

MILW_2188630.2

3

FOLEY

In bringing an enforcement action against senior officials of a major securitiesdealer, Salomon Brothers, Inc., the Securities and Exchange Commission ("SEC") took theposition that supervisors have a duty to gather information in response to red flags:

Even where the knowledge of supervisors is limited to "red flags" or"suggestions" of irregularity, they cannot discharge their supervisoryobligations simply by relying on the unverified representations ofemployees. Instead, as the Commission has repeatedly emphasized,"[t]here must be adequate follow-up and review when a firm's ownprocedures detect irregularities or unusual trading activity. . . ." 3

In this particular case, the SEC sanctioned senior officials of Salomon Brothers on the grounds,among others, that upon receiving information that an irregularity had occurred, they failed to"take action to investigate what had occurred and whether there had been other instances ofunreported misconduct." 4

Third, and perhaps most importantly, companies recognize that even where it doesnot appear that the government has commenced or is likely to commence an investigation, futuredevelopments might result in a government investigation. In that event, for the reasons set forthabove, the information gathered during the internal investigation is likely to assist the company inresponding effectively to the government's later investigation and in preparing the company'sdefenses.

II.

STAFFING THE INVESTIGATION

Once the decision is made to conduct an internal investigation in response to a redflag or other indication of wrongdoing, a decision must be made regarding who will conduct theinvestigation. In many instances, indications of possible wrongdoing can be quickly addressedand resolved by company personnel without the involvement of outside counsel. In certain cases,company personnel have the experience and expertise necessary to obtain the information andcan do so with less disruption and expense to the company than outside counsel can. Forexample, the human resource department often has the skills and expertise necessary toinvestigate allegations of employment discrimination or sexual harassment. Similarly, the internalaudit department might have the skills and expertise necessary to investigate allegations of theftor embezzlement.

Companies often elect to involve attorneys in the direction and conduct of internalinvestigations. While there is no requirement that internal investigations be conducted or directedby attorneys, there are several reasons why this task is often delegated either to attorneys or tocompany personnel acting under the direction of attorneys.

First, attorneys, particularly former prosecutors or other law enforcementpersonnel, often have the skills and substantive expertise to direct and conduct an internalinvestigation effectively and efficiently. Such attorneys have been trained to plan investigations,gather and review documents, question witnesses, and organize and assess the resultinginformation.

See, e.g., In re Gutfreund, [1992 Transfer Binder] Fed. Sec. L. Rep. (CCH) ¶ 85,067 at 83,606 (Dec. 3, 1992)(footnote omitted).

4 Id.

FOLEY & LARDNER LLP

MILW_2188630.2

4

FOLEY

Second, attorneys are often asked to provide legal advice and services based onthe results of the investigation. For example, if the investigation involves possible improperpayments to a foreign government official, an attorney conversant with the Foreign CorruptPractices Act will be able quickly to assess which factual issues are legally significant to the issueof whether the FCPA has been violated. Furthermore, in many instances, it is possible that therewill be a need for the company to deal with law enforcement or regulatory agencies in connectionwith the subject matter. In these instances, there are benefits to utilizing attorneys who arefamiliar with the internal procedures and operations of those agencies.

Third, the involvement of attorneys will assist the company in successfullyasserting the attorney-client privilege and the work product doctrine. See Upjohn Co. v. UnitedStates, 449 U.S. 383 (1981) (applying the attorney-client privilege to notes that attorneysprepared while conducting an internal investigation); In re Allen, 106 F.3d 582, 602 (4th Cir.1997) (holding that an investigation may constitute legal services for purposes of the attorney-client privilege); United States v. Rowe, 96 F.3d 1294, 1297 (9th Cir. 1996) ("fact-finding whichpertains to legal advice counts as 'professional legal services"'). The benefit of using attorneys toconduct the internal investigation is illustrated by In re Grand Jury Subpoena, 599 F.2d 504 (2dCir. 1979). This subpoena enforcement action involved two internal investigations conducted onbehalf of a single company. The first investigation was conducted "mainly by non-lawyer seniorofficials" of the company and the results were reported to the Board of Directors. The auditcommittee then retained a law firm to assist the company's vice president and general counsel inconducting a second investigation. The Court of Appeals held that the first investigation was notprotected by the attorney-client or work-product privileges, even though the general counsel wasone of the senior officials who participated in the investigation, but that the second investigationwas protected by both privileges. Id. at 510-11. Significantly, interviews conducted by a non-attorney should be treated as privileged so long as they were conducted under the direction of anattorney and the purpose of the interviews was to assist counsel in rendering legal advice. SeeCarter v. Cornell Univ., 173 F.R.D. 92 (S.D.N.Y. 1997) (holding that interviews conducted byAssociate Dean of Human Resources were privileged).

The preceding considerations apply to both in-house and outside counsel. Thereare a number of reasons why companies sometimes choose outside counsel to conduct aninvestigation. First, outside counsel often are hired because of a perception that they are moreindependent than company employees. This perception of greater independence can beimportant for a number of reasons. If the subject matter of the investigation implicates seniormanagement or the legal department, the independence of the outside law firm might provide theboard of directors additional comfort in relying on the results of the investigation. In matters thatpose a potentially serious threat to the company, it often is appropriate to retain outside counsel.In determining whether the investigation is sufficiently serious to warrant the retention of outsidecounsel, companies consider the title and prominence of the individuals whose conduct will likelybe the subject of the investigation, the potential financial exposure to the company, and the extentthat the subject matter of the investigation is likely to result in law enforcement activity and/orsubstantial media coverage. In order to heighten both the reality and the perception that theinvestigation was independent, responsibility for overseeing outside counsel is sometimesassumed by the Board of Directors, the Audit Committee, or by a special committee consisting ofindependent members of the board of directors. This is especially appropriate where theinvestigation potentially involves conduct by the senior management of the company.

A second reason for utilizing outside counsel is the need to dedicate substantialresources to responding promptly to a red flag or other indication of possible wrongdoing. Itoften is difficult for even large companies to pull a team of employees from ongoing tasks anddevote them to an internal investigation.

MILW_2188630.2

5

FOLEYF O L E Y & L A R D N E R L L P

A third reason for utilizing outside counsel is the possibility that members of thelegal department will have relevant knowledge or that the conduct of the legal department willbecome an issue. For example, retaining outside counsel might be appropriate if the legaldepartment had been consulted with respect to the transaction or activity at issue and hadadvised the client concerning the matter.

A fourth reason for utilizing outside counsel is the reality that specialized outsidecounsel might have the experience and expertise to conduct the particular investigation moreeffectively or more efficiently than company personnel who do not specialize in this particular typeof investigation. In addition, to the extent that the subject matter of the investigation is likely toresult in interaction with a law enforcement or regulatory agency, it is often useful for a companyto be represented by counsel who is familiar with that agency. Similarly, if there is likely to belitigation, it often is appropriate to retain counsel with relevant litigation and trial experience.

A fifth reason for utilizing outside counsel is a desire to increase the likelihood thatthe results of internal investigation will be protected by the attorney-client privilege and the workproduct doctrine. While both the attorney-client privilege and the work product doctrine can applyto the work of an in-house attorney, see United States v. Rowe, 96 F.3d 1294, 1296 (9 th Cir.1996), a court is less likely to find that a business purpose was the primary purpose behind theinvestigation if the investigation was conducted by outside counsel. Paul R. Rice, Attorney-ClientPrivilege In The United States, 7-28 (Lawyers' Cooperative 1993) ("the courts have held thatcommunications to and from in-house counsel can be sheltered ònly upon a clear showing that[in-house counsel] gave [advice] in a professional capacity.") (quoting In re Sealed Case, 737F.2d 94, 99 (D.C. Cir. 1984) (in-house counsel also had "responsibilities outside the lawyer'ssphere")). If the company elects to utilize in-house counsel, and not outside counsel, it may beappropriate to take steps to ensure that the in-house counsel conducting the investigation is notalso performing a business advisory function and does not have non-legal responsibilities that arearguably relevant to the investigation.

If the decision is made to retain outside counsel, the company should considerwhether it should retain one of its regular law firms or whether it should retain a law firm withlittle, if any, prior association with the company. There are a number of potential advantages toutilizing regular counsel. Regular counsel is likely to be familiar with the company and itsoperations, products, and personnel. On the other hand, there are a number of reasons why itmight be appropriate to retain counsel with little or no prior association with the company. First,the conduct of regular outside counsel might be an issue in the investigation. Second, regularoutside counsel might lack the skills to conduct the investigation, the skills and experience tohandle the anticipated litigation and/or law enforcement activity, or the expertise in the relevantstatutes. Regular outside counsel may also lack either actual or perceived independence. Forexample, if a law enforcement action is considered likely, the company should seriously considerretaining counsel who has experience with the relevant agency and statutes. This experience willlikely enhance counsel's credibility with the relevant law enforcement agencies.

If outside counsel is retained to conduct the internal investigation, the companyshould assign an employee to act as a liaison between the company and the outside counsel. Theliaison can be an invaluable resource regarding background information regarding the company,its history, its operations, and its recordkeeping practices. The liaison can assist outside counselin identifying individuals and departments that are likely to possess relevant information. Theliaison can facilitate the interview process by making the initial introductions between the outsidecounsel and the company employees with relevant knowledge. In terms of supervision of theinvestigation, it is usually appropriate for the Legal Department or for other senior companyofficials to supervise the work of outside counsel, though in some instances, outside counselshould report to the Audit Committee or a special committee of the Board of Directors. Reporting

MILW_2188630.2

6


to the Audit Committee or a special committee is especially appropriate in matters where it isimportant to establish the independence of outside counsel and its investigation.

Internal investigations often require the assistance of individuals with accounting,engineering, or other areas of substantive expertise. One of the decisions that must be madeearly in an investigation is whether to rely on company personnel or outside experts for thatexpertise. While it frequently appears that the individuals who can most efficiently assist counselin analyzing company information are the company personnel already familiar with the matters atissue, the costs of relying on such personnel may outweigh the benefits. In Six Grand JuryWitnesses, 5 six corporate employees, who were responsible for monitoring the costs associatedwith certain contracts, had been asked by corporate counsel, in anticipation of litigation, toperform an analysis of those costs. The grand jury sought testimony regarding this analysis. Thecorporation argued that the analysis was protected by the work product doctrine. The court heldthat the witnesses could be compelled to testify regarding the analysis performed, and stated that"factual information is not protected . . . just because the information was developed inanticipation of litigation." 6 To the extent that company personnel are assigned to assist counselin the investigation, they should be careful to keep confidential any documents that they generatein such capacity and to mark all such documents confidential, privileged, and prepared for thepurpose of assisting counsel.'

If the decision is made to retain an accounting firm, consideration should be givento whether the company should retain a firm other than its auditors. The major advantage tousing the audit firm is that its personnel are familiar with the company, its procedures, and itspersonnel. The recent changes to the auditor independence rules do not prohibit a company fromengaging its audit firm "to perform internal investigations or fact finding procedures." 8

There are, however, a number of potential problems with using the audit firm.First, in many instances, the individuals who worked on the audit are potential witnesses. Using apotential witness in an investigation can be a problem because they may not be able tocompartmentalize the information that they learned during the investigation from the informationthey possessed before the investigation commenced. In addition, there is both a danger that theauditor will not be viewed as sufficiently independent and a danger that there will be a conflict ofinterest between the auditor and the company. Furthermore, there might be instances when theinvestigative personnel of the accounting firm feel compelled to share otherwise privilegedinformation with the audit practice of the accounting firm. This sharing of information canjeopardize the ability of the company to control the dissemination of the investigation results andprotect the appropriate privileges. Perhaps most importantly, the audit firm may be compelledby law to divulge findings that a firm other than the auditors may not be compelled to divulge.'For these reasons, a firm other than the company's audit firm is usually retained to assist with theinvestigation when there is a need for such expertise.

If a private investigator is retained to assist the investigation, steps should betaken to assure that the investigator does not engage in conduct that might be viewed as

5 In re Six Grand Jury Witnesses, 979 F.2d 939 (2d Cir. 1992).

5 Id. at 945.

' To the extent that such documents are created on computers, it is important that the computerized version ofsuch documents also bear such legends.

5 Final Rule: Strengthening the Commission's Requirements Regarding Auditor Independence (SEC Release No.33-8183) (Jan. 28, 2003) ("Final Auditor Rules") at II(B)(10).

9 Id.; 15 U.S.C. § 78j . 1.

FOLEY & LARDNER LLP

MILW_2188630.2

7

FOLEY

improper by either law enforcement agencies or triers of fact. Thus, investigators should becarefully controlled and instructed that they should not to engage in misrepresentations in orderto obtain desired information or in any other conduct that would be improper for counsel. Asdiscussed below, special care must also be taken in deciding whether and how to contact anythird party witnesses, especially if the company is aware of pending government investigations.

In order to maximize the likelihood that all such work product is fully protected,counsel should prepare a letter or memorandum to each expert that specifies that the expert hasbeen retained (or in the case of company employees, detailed) to assist counsel in providing legaladvice and services; that the expert is being retained or detailed in anticipation of litigation; thatthe expert is not being retained (at least for the time being) as a testifying expert; and that theexpert agrees to keep confidential any work performed pursuant to the engagement or detail.

III.

DEFINING THE SCOPE OF THE INVESTIGATION AND DEVELOPING AN ACTION PLAN

An initial assessment must be made regarding the scope of the investigation. Forexample, if the internal investigation is being triggered by an allegation that a specific companyemployee might have made an improper payment to a Mexican government official in return forthe government's awarding a specific contract to the company, the scope of the investigation willinclude determining: (1) whether the payment was offered or made to a person who was a foreignofficial within the meaning of the Foreign Corrupt Practices Act (the "FCPA") and (2) whether theoffer or payment violated the antibribery provisions of the FCPA. The scope of the internalinvestigation will also include: (1) identifying the company personnel and agents who made theoffer or payment; (2) identifying any other company personnel who knew that the offer or paymentwas made or was being considered; (3) determining whether the company personnel responsiblefor the offer or payment had involved the company in any other improper payments or offers toMexican officials; (4) determining whether any false company records had been created inconnection with the transaction; (5) determining the extent, if any, to which company procedureswere violated or circumvented; and (6) determining the extent to which the appropriatecompliance materials had been disseminated to the involved personnel and the extent to whichproper training programs had been implemented.

Determining the scope of the investigation involves a delicate balancing of thefactors discussed above in determining whether to undertake an internal investigation. In theabove example, for instance, consideration should be given to: (1) whether the scope of theinvestigation is broad enough to determine whether misconduct did in fact occur; (2) whether thescope is broad enough to uncover evidence that might assist the company in respondingeffectively to a government investigation; (3) whether the scope is broad enough to enable thecompany to take appropriate remedial action, including determining the extent, if any, to whichcompany personnel should be disciplined; the extent, if any, to which company records werefalsified; the extent to which compliance procedures should be enhanced and/or the company'scompliance policies should be clarified or expanded; and the extent, if any, to which otherremedial action should be taken (e.g., if company personnel made an improper payment for thepurpose of influencing the government to award a concession to the company, considerationshould be given to asking the government to reopen that decision); (4) if it is anticipated that theresults of the internal investigation might be disclosed to the government, whether the scope ofthe internal investigation is broad enough to satisfy the government; (5) the expense anddisruption caused by the internal investigation; (6) the need for speed; and (7) the need tomaintain the confidentiality of the internal investigation.

At the outset of the investigation, the company should issue a charter setting forththe mandate pursuant to which the internal investigation is being conducted. This charter canconsist of one or more of: a resolution of the Board of Directors; a resolution of the Audit

MILW_2188630.2

8

.FOLEYFOLEY & LARDNER LLP

Committee; an engagement letter; or a memorandum issued by senior management or theGeneral Counsel. The charter should instruct the investigators to conduct a confidential internalinvestigation, define the scope of the investigation, authorize the investigators to inform companypersonnel that they are instructed to cooperate in the investigation, and specify (if appropriate)that the investigation is being conducted in anticipation of litigation and for the purpose ofobtaining legal advice. Because some courts cease to protect attorney work product once thelitigation relating to the work product has been concluded, 1O the charter should be drafted broadlyenough to cover all conceivable litigation likely to arise, including securities class actions,derivative actions, and related commercial litigation. Such a charter forces the company to focuson the scope of the internal investigation and will assist the company in successfully seeking theprotection of the attorney-client privilege and the work product doctrine in the event thatdiscovery is sought for documents generated in connection with the investigation.

This initial memorandum should also identify the client. Usually, the client will bethe corporation. Sometimes, the client will be the Board of Directors of the corporation, astanding committee of the Board of Directors (e.g., the Audit Committee or the ComplianceCommittee), or a special committee of Board of Directors.

The scope of the investigation should be constantly reevaluated as information isgathered and analyzed. While the initial red flags or indications of possible wrongdoing mighthave warranted an investigation of limited scope, the investigation might uncover information thatwarrants a substantial expansion of the scope of the investigation. For example, an initialindication that a company improperly re-exported certain U.S. technology to Iraq could trigger aninternal investigation that uncovers evidence that additional U.S. technology was improperly re-exported to Iraq. It might sometimes be appropriate, on the other hand, to curtail the initialscope of the investigation once information is obtained that casts a new light on the initial red flagor other indication of possible wrongdoing. It is important that an internal investigation beconducted quickly, efficiently and effectively, especially if the company anticipates that thegovernment may initiate its own investigation. In many circumstances, the government will notdefer its investigation pending completion of the company's internal investigation. Factors thatthe government considers in evaluating whether to defer its investigation include: (1) the amountof time expected to elapse during the company's internal investigation; (2) the nature of thesuspected violation and whether it is potentially ongoing; (3) whether the internal investigation isbeing conducted by outside counsel; and (4) whether the government will be permitted to see allof the notes and records compiled during the internal investigation.

In developing the action plan, the investigative team must always consider theneed for speed. This urgency can arise from several sources. There might be a need to completethe investigation before the government becomes aware of the matter. Management might needthe results of the investigation so that it can make informed decisions or required disclosures. Insome contexts, (e.g., the employment context), speed might be essential to establishing anaffirmative defense.

The action plan should describe the documents to be gathered and identify whoshould be responsible for gathering the documents. The plan should also identify the witnesses tobe interviewed, the nature of the questions to be posed during the interviews, and where thewitnesses will be interviewed. The plan should address the order of the interviews and the extent,if any, to which potential witness interviews can be conducted by telephone or other means. In

10 See FDIC v. Cherry, Bekaert & Holland, 131 F.R.D. 596, 604 (M.D. Fla. 1990) (discussing a split among courtsregarding the status of work-product immunity upon the termination of underlying litigation).

F O L E Y & L A R D N E R L L P

MILW_2188630.2

9

FOLEY

connection with both searching for documents and conducting interviews, consideration should begiven to the extent, if any, to which foreign language skills will be required.

One important issue that often arises in developing an action plan is the extent, ifany, to which the investigators should contact third party witnesses. In many instances, thirdparties are likely to possess information significant to the investigation. For example, in aninvestigation involving revenue recognition, customer personnel might have significant informationregarding when sales contracts were executed and whether the sales contracts were accompaniedby any side agreements. On the other hand, contacting third parties might endanger theconfidentiality of the investigation or jeopardize the company's relationship with the third party.The decision whether to contact third parties can also be a double-edged sword in terms of thegovernment, as the government may view the failure to contact third parties negatively (e.g., as areason to doubt the completeness of the investigation), or, to the extent there are missteps (oralleged missteps) in communicating with third parties, the government may view the companynegatively, or worse, may choose to pursue witness tampering or obstruction of justice charges.In many instances, an investigative plan can be developed that will enable the investigators toobtain the information they need while minimizing the associated risks.

It is important to stress that the action plan will often evolve during theinvestigation as documents are gathered and reviewed and as witnesses are interviewed. Thisevolution can result from a redefinition of the scope of the investigation, from the identification ofnew avenues of investigation, from the initiation of a government investigation or the receipt of agovernment subpoena, or from a conclusion that one of the issues initially identified has beenresolved and that some of the avenues of investigation initially identified are no longer warranted.

IV.

GATHERING DOCUMENTS

Documents are a key part of almost all internal investigations. Government lawenforcement officials tend to place great weight on the documents. Documents can assist counselin obtaining information from witnesses by, for example, educating counsel so that counsel canask more informed questions or refresh a witness's recollection.

As soon as the company becomes aware of allegations of wrongful conduct, itshould suspend normal document retention procedures or otherwise take action to ensure thatcompany personnel do not destroy or otherwise dispose of documents relating to the transactionor the incident that is the subject of the investigation. For example, the legal department mightcirculate to appropriate personnel a memorandum instructing personnel not to destroy or discardspecified categories of documents. Such a memorandum is especially appropriate where thecompany is aware that the government has already initiated an inquiry or investigation, or where agovernment inquiry or investigation may be contemplated." While communicating theimportance of not destroying relevant documents, the memorandum should disclose only asmuch information regarding the matter under investigation as the recipient needs to know.

It is critical to consider whether the company may be discarding or overwritingcomputerized information in the ordinary course of business as back up media are rotated and

" If the government has initiated an inquiry or investigation, the intentional destruction of documents mightconstitute obstruction of justice. In addition, SOX 802 and 1102 specifically criminalize the destruction or alteration ofdocuments even if the government has not initiated an inquiry or investigation, if the documents are destroyed with intentto impair their availability for use in an official proceeding or with intent to impede, obstruct or influence an investigation.See 18 U.S.C. §§ 1512(c), 1512(f)(1), 1519. If a company issues a memorandum instructing personnel not to destroy ordiscard documents, the likelihood of the government charging the company with obstruction of justice or a violation ofSOX 802 or 1102 can be substantially reduced.

MILW_2188630.2

10


yF.iPF.-r

r-

r

_

-_

'.1:^-il'

- - .. _

iT^ 4'.

-

-. ^ T'i.. ^_.^^4r-_'S . ' '^C.^^ì l^". Si_:^c.^^:i5 ^"ri^^1'4_=2::i ^^'^7-:-. r̂-►ea^r .`^-. ^• -' r -..1 TA^'. - - '. ^^x` - _ -^

reused, and as tapes are recycled, electronic media storage devices are replaced, and newsoftware is loaded. Companies should consider coordinating with InformationTechnology/Information Systems personnel as soon as practicable after the company becomesaware of wrongful conduct to ensure that relevant emails or other relevant electronic documentsare not being deleted, that relevant backup tapes are preserved, and that the preservation of anyother relevant electronic records is confirmed and documented.

A diligent search should be taken to locate and secure the documents that relate tothe subject transaction or incident. Before designing the search for documents, it is important tolearn the types of documents routinely generated by the corporation, to review the organizationchart of the company and identify company personnel likely to possess relevant documents, andto learn the company's practices regarding document retention and storage. Considerationshould also be given to obtaining copies of the calendars and message slips of appropriatepersonnel, as well as, in some cases, information on PDA's, Blackberries, and other electronicdata storage devices. Similarly, compliance manuals, training materials, personnel directories,and job descriptions for the period of time that is the subject of the internal investigation shouldbe obtained.

In designing the search for documents, consideration must be given to informationsaved in electronic form, such as word-processing documents, reports generated by databases,spreadsheets, and, of course, e-mail. It may be necessary to search the company's servers,backup tapes, or other electronic storage media, as well as hard drives of certain PC's. It mayalso be possible to recover "deleted" materials from the user's hard drive. In many investigations,a thorough search for documents can only be conducted through individual interviews ofemployees about their individual document retention practices.

In conducting its document search, the company must limit its reliance onindividuals who might have participated in the suspected underlying misconduct. In someinstances, it is best to have counsel show up at the critical locations and search for relevantdocuments without prior warning so that the individuals involved in the suspected underlyingmisconduct will not have an opportunity to destroy or discard significant documents.

There are several reasons why it is important to act promptly to secure relevantdocuments. The retained documents might contain exculpatory information that would assist inthe company's defense. Regulators and law enforcement officials are more likely to take severeaction against a company if they learn that relevant documents were destroyed or discarded oncered flags had been identified. Under some circumstances, the destruction of evidence mightresult in an increase in the criminal penalty to be imposed on the company, see United States v.Grewal, 39 F.3d 1189, 1994 WL 587395, at *3 (9 th Cir. 1994) (imposing two-level adjustment forobstruction of justice), or might give rise to an adverse inference against the company, see Farrellv. Connetti Trailer Sales, Inc., 727 A.2d 183 (R.I. 1999) (advising the jury that it can draw anadverse inference against the plaintiffs because plaintiffs caused certain evidence to beunavailable to defendants).

The investigation team must organize the documents according to various criteria.Documents are generally classified in a spectrum ranging from irrelevant to crucial. In general,the relevant documents should be organized to facilitate preparation of a chronology, an analysisof key topics, and witness interviews. It usually is appropriate to maintain a file containing thecrucial documents. This file is often referred to as the "key document" or "hot document" file. Inmany instances, it is necessary to rely, at least in part, on a computerized system for organizingand storing documents.

MILW_2188630.2

11

FOLEYFOLEY & LARDNER LLP

A careful record should be maintained listing the locations that were searched inconnection with the investigation and the individuals who were contacted in connection with thedocument search. A log should be created identifying the location from which each documentwas obtained. Where the relevant files are being actively used, consideration should be given tomarking (or otherwise making a record of) the documents that were in the file at the time of thedocument search. The documents gathered should be numbered sequentially (e.g., bateslabeled).

V.

INTERVIEWING WITNESSES

Interviews are also a key aspect of the investigation process. Along withdocuments, interviews are the primary source of the information that will be gathered during theinvestigation. In addition, interviews present an important opportunity for the investigators toassess the credibility of the witness.

Counsel should interview all company personnel likely to have knowledge regardingthe relevant transaction or the alleged violation. Before interviewing personnel, counsel shouldreview the relevant documents and interviews, prepare an outline of topics to be covered with thewitness, and select the documents that should be shown to the witness during the interview.Questioning witnesses regarding documents can serve several purposes. The author of adocument might be able to explain what a document was intended to convey or why a documentwas drafted in a particular way. Other witnesses might be able to put important documents intocontext. The document might refresh a witness's recollection or persuade a witness to provideaccurate information that the witness might otherwise have been reluctant or unwilling to provide.Counsel should be aware that showing a privileged document to a witness during the interviewcould result in a court later holding that the privilege has been waived.

Companies should also consider whether to give witnesses or their counsel thespecific documents that the witness is going to be asked about before an interview (when there isthe luxury of time and resources to do so, which is often not the case). While it may expedite andperhaps improve the interview, the government might view such advance notice negatively insome situations. On the other hand, because the company's investigators lack subpoena power,the company may in some situations need to deliver relevant documents before the interviewwhere witnesses or their counsel insist upon it as a precondition to the witness's consent to beinterviewed (e.g., when the witness is not a current employee of the company).

Questionnaires should be used sparingly, if at all. In general, the use ofquestionnaires should be limited to soliciting purely objective information when it is necessary togather information from a large number of personnel that cannot be gathered more efficiently andeffectively any other way.

Other company personnel should be discouraged from attending employeeinterviews. The presence of senior officers at interviews could chill the candor of the witness andmay undermine the protection of the attorney-client privilege. Additionally, the senior officer'spresence can be misconstrued as part of an effort to compare and conform the witness'srecollection with the version of the facts advocated by the executive. 12

In some instances, counsel will need the assistance of experts from outside thecompany. In order to maximize the likelihood that the interviews will be protected by the

12 Under certain circumstances, an employee may be entitled to representation by a fellow employee. See NLRBv. J. Weingarten, Inc., 420 U.S. 251 (1975).

MILW_2188630.2

12


attorney-client privilege and/or the work product doctrine, experts should be retained by counsel,and the engagement letter should contain provisions designed to preserve the confidentiality ofinformation shared with and the work product of those experts.

At the outset of each interview, the investigators should inform the witness that:(1) senior management (or the board of directors, the audit committee of the board of directors,or a special committee of the board of directors) has authorized the investigators to state thatcompany employees should cooperate in the investigation; (2) the investigators are attempting todetermine the truth relating to the matter and the surrounding circumstances; and (3) the witnessshould not destroy or discard any documents relevant to the investigation (at least to the extentthe witness has not received that instruction previously). If the investigators are attorneys, theyshould also: (1) identify their client, and state they do not represent the individual witness; 13 (2)explain that they are seeking information to assist in providing legal advice and services to thecompany; (3) indicate that, in order to protect the privileged nature of the interview, it isimportant that the witness keep the substance of the interview confidential from anyone otherthan counsel; and (4) state that the company controls the privileges associated with theinvestigation and has the sole right to determine whether to waive those privileges and disclosethe substance of the interview to the government. If the company has already agreed to discloseto the government information obtained in the interview, counsel should advise the witness of thisagreement.

This is a delicate part of the interview. In communicating this information to thewitness, counsel should be sensitive to the danger that these communications will cause unduealarm on the part of the witness and thereby impede the ability of the company to gather thenecessary information. To the extent an employee refuses to be interviewed or otherwise fails tocooperate with the investigation, the company should consider whether disciplinary action, up toand including termination, is warranted (and may be expected by the government in somesituations).

Consideration should be given in advance (with the company) to whether thewitness should be specifically advised that he or she may have personal counsel present at theinterview. If appropriate, the witness should also be advised that the company will indemnify himor her for reasonable fees and expenses associated with the participation of personal counsel. Indeciding whether the company should agree to pay these fees and expenses, the company shouldconsider the applicable corporate indemnification statutes, the corporate charter and bylaws, theapplicable contract provisions if any, and the benefits that the company may derive by providingseparate counsel. Unless applicable law or corporate bylaws require indemnification, however,the government may view indemnification of an employee's attorney fees negatively, at least tothe extent the government considers the employee to be "culpable." 14 Recently, the courts havebegun to challenge the Department of Justice's positions on such issues, 15 and the Department of

13 D.C. Bar Ethics Opinion No. 269, Obligation of Lawyer for Corporation to Clarify Role in Internal CorporateInvestigation (January 15, 1997) (where a possible conflict between a corporation and a corporate employee is apparentand there is any ambiguity regarding the lawyer's role, the lawyer should advise the employee of the lawyer's position ascounsel to the corporation.); see also In re Grand Jury Subpoena, 415 F.3d 333 (4 th Cir. 2005) (giving guidance on theproper instruction to witnesses regarding who the lawyer represents).

14 See United States Department of Justice Attorney's Manual Section 162, Federal Prosecution of BusinessOrganizations (the "Thompson Memorandum," now mostly incorporated in the McNulty Memorandum).

'5 See United States v. Stein, 435 F. Supp. 2d 330 (S.D.N.Y. 2006); United States v. Stein, 440 F. Supp. 2d 315(S.D.N.Y. 2006).

MILW 2188630.2

13

FOLEYFOLEY & LARONER LLP

Justice recently modified its position slightly in declaring that "a corporation's compliance withgoverning state law and its contractual obligations cannot be considered a failure to cooperate." 16

It is preferred to have at least two investigators present for each witness interview.Having two investigators present makes the interview more effective since one of the investigatorscan take the lead in asking questions and the other can focus on taking notes. In addition, thesecond investigator can later serve, if necessary, as a witness to corroborate the recollections ofthe first investigator regarding both the statements of the witness and that the first investigatorconducted the interview appropriately.

It is usually appropriate for a senior attorney to conduct at least the most criticalinterviews. First, obtaining information from a witness is a delicate art that requires substantialexperience. Second, the credibility of the witness will often be important. A senior attorney mighthave a better sense both for assessing the credibility of the witness on behalf of the company andfor evaluating whether a government agency and/or a trier of fact would find the witness to becredible.

Both the notes of the interview and the memoranda summarizing the interviewshould be marked as "confidential," and should note (if true) that they reflect the attorney'smental impressions and are not a substantially verbatim record of the interview. The notesshould clearly reflect that the investigators made the appropriate statements to the witness (asdiscussed above) at the outset of the interview. The interviewer also should consider whether theinterview memoranda should contain and intertwine the attorney's mental impressions andexplicit strategy, because such memoranda are more likely to be protected as opinion workproduct under the work product doctrine. However, lacing the memoranda with mentalimpressions can result in complications later if the memoranda are disclosed to the government,because a decision will have to be made about waiving work product protection of suchstatements or having to redact all such statements (which a court may order in any event if thememoranda are ever ordered to be disclosed). In addition, the Department of Justice hasdifferent standards for requesting production of "purely factual interview memoranda" than itdoes for production of memoranda that include counsel's mental impressions and conclusions.'In drafting interview memoranda, the investigator should be conscious of the possibility that thememoranda will ultimately be disclosed to prosecutors or to counsel for a plaintiff litigatingagainst the company.

If the witness is represented by counsel, caution should be exercised beforeagreeing that the interview will be subject to an undefined "joint defense privilege" or otherlimitation on the ability of the company to use the information obtained in the interview. SeeUnited States v. Weissman, 195 F.3d 96 (2d Cir. 1999). Weissman involved two interviews of thechief financial officer of Empire Blue Cross and Blue Shield. Empire was represented at theinterviews by both inside counsel and outside counsel and Mr. Weissman was represented by hispersonal attorney. After learning that Empire was the subject of a grand jury investigation,Empire's counsel later provided its notes of the interviews to the prosecutors and the prosecutorsindicted Weissman. There was a factual dispute as to whether the interviews had been expresslysubject to a joint defense agreement ("JDA"). The Court of Appeals found that Weissman hadfailed to establish the existence of a JDA and that his damaging admissions made during theinterviews could be used against him. Id. 18 To the extent the company decides to enter a JDA

16 McNulty Memorandum at 11-12.

17 McNulty Memorandum at 9 . 10.

18 Weissman also illustrates the importance of documenting the extent to which the company is agreeing to limitits ability to use information obtained in an interview. After noting that neither Weissman nor his counsel were able to

MILW_2188630.2

14


with a witness, the company should consider (1) whether the JDA should be put in writing, (2)whether to draft it so that it is one-sided in favor of the company (if possible), and (3) whether thegovernment may view the existence of the JDA negatively, especially if the company uses it toprovide information about the government's investigation to the employee (see, e.g., the McNultyMemorandum).

During the interview, counsel should ask questions designed to learn everythingpossible regarding the underlying transaction and the circumstances surrounding it. Thus, theinvestigator should refrain from relying on leading questions. Who, what, when, where, why andhow questions are best relied on to elicit complete information. The investigator should listenattentively to the witness and attempt to encourage the witness to relax and tell the story in his orher own words.

It will sometimes be necessary to interview a witness more than once. At thebeginning of the interview process, counsel might not be sufficiently familiar with the facts toappreciate the significance of a witness's statements. After conducting the interview, counselmight become aware of statements by other witnesses or of documents that pose new questionsfor the witness. As a result of information gathered during the internal investigation, the scope ofthe investigation might broaden to include topics that were outside the scope of the investigationwhen the witness was previously interviewed.

The investigators may request that the witness contact them if the witness recallsany additional information or discovers any additional documents or if the witness is contactedregarding the transaction by the media or by government officials. While it would be improperand illegal to instruct a witness not to talk to U.S. government officials, it is appropriate to discusswith the witness that the witness has the right to decline to answer questions without firstcontacting the company or consulting with an attorney (though care must be taken to avoidcreating any misconceptions, such as creating a perceived misimpression that the company issuggesting that the witness should decline to answer questions). In conducting the interview,investigators should be careful not to attempt to influence the witness's answers. To the extentpossible, the investigators should avoid telling one witness what another witness has told them orotherwise educating the witness regarding the transaction, although it will often be necessary torefresh the witness's recollection regarding facts of which the witness once had knowledge.

Company counsel should not provide employees or their counsel with copies ofinterview memoranda. While having the employee review the memorandum might enhance theaccuracy and utility of the memorandum, a witness who reviews an interview memorandum mightbe found to have adopted the memorandum as a witness statement, which might render thememorandum discoverable under U.S. law.

Similarly, it rarely is advisable to tape record witness interviews or to have a courtreporter transcribe the interview. Such a record of the interview is less likely to be treated asprotected by the attorney-client and/or work product privileges than a memorandum that hasbeen prepared by counsel and that contains the mental impressions of counsel. The FederalRules of Criminal Procedure require production of contemporaneously recorded statements aftera witness has testified on direct examination at trial. Fed. R. Crim. P. 26.2. Because the witnesshas not yet had an opportunity to review the documents and refresh his/her recollection orbecause the witness might be prey to a misguided temptation to distort the truth, an initial

locate their notes to corroborate their testimony that the first interview was expressly subject to a joint defense agreementand that the notes of Empire's counsel did not refer to a joint defense agreement, the Court found that Weissman had notmet his burden of showing that the first interview was expressly covered by the joint defense privilege. Id.

MILW_2188630.2

15


interview is the moment when a witness is most likely to misstate the facts. The one exception tothis rule would involve a situation where the company is the victim of the employee's conduct andthe company wishes to memorialize verbatim an employee's admissions.

In many cases, former employees will be among the key witnesses. The interviewof a former employee might be protected by attorney-client privilege if the witness is beinginterviewed regarding information obtained when the witness was an employee of the companyrepresented by counsel. While the law is not completely settled, a number of courts have heldthat the attorney-client privilege can apply to communications between a former employee of acompany and counsel to a company, at least if the former employee had been employed by thecompany when the relevant conduct occurred. In re Allen, 106 F.3d 582, 605 (5 th Cir. 1997); Inre Coordinated Pretrial Proceedings, 658 F.2d 1355, 1361 n.7 (9 th Cir. 1981).

VI.

PREPARING A REPORT OF THE INVESTIGATION

Whether the report of the investigation is ultimately delivered orally or in writtenform, it usually includes: (1) identification of the circumstances that prompted the investigationand a statement that the investigation was conducted in anticipation of litigation and for thepurpose of providing legal advice; (2) a description of the action plan that was implemented (e.g.,the locations searched, witnesses interviewed); (3) a summary of the relevant background facts(e.g., a chronology of the relevant events, a description of the relevant individuals and entities, anoutline of the relevant agreement and/or transactions); (4) with respect to the key facts, adiscussion of the evidence; (5) an outline of the relevant law; (6) an application of the law to theevidence gathered during the investigation; and (7) identification of the corrective measures thatshould be considered (or have been taken) as a result of any issues uncovered during theinvestigation.

As the investigation is being commenced, the investigators should begin preparinga working chronology to the extent time and resources permit. Ideally, this chronology should beannotated both to show the document(s) and interview(s) on which each entry is based and thedocument(s) and interview(s) that appear to be inconsistent with each entry. Then, as theinvestigation progresses, the chronology should be frequently revised to reflect new facts. Such aworking chronology will help counsel better understand the facts and their implications and willalso prompt certain new lines of questioning with the witnesses.

In order to protect the privileged nature of the chronology and any other workproduct generated by investigators, distribution of work product should be carefully limited, and itshould never be shown to a witness. Care should be exercised in presenting any work product orfindings to senior management or any other person whose interview has not yet concluded.Moreover, if counsel conducting the investigation represents only the board or a committee of theboard, there may be some risk that disclosure of work product to management or other non-clients could at some later time be deemed a waiver of work product protection.

Reporting to a company's auditors is often required as well and must beapproached carefully to minimize the risk of waiver of work product protection. The companyshould consider whether to attempt to reach agreement with the auditors on a confidentiality andnon-waiver agreement and on whether the reporting will be oral or written, as well as on thetiming of the reporting. See, e.v,, Merrill Lynch & Co. v. Allegheny Energy, Inc., 229 F.R.D. 441(S. D. N.Y. 2004).

The evidence relating to key facts is often ambiguous and/or conflicting. Thedescription of this evidence in the report should be balanced and complete. It usually isappropriate to discuss incriminating evidence in the report even if the investigators believe that

MILW_2188630.2

16


the incriminating evidence is outweighed by the exculpatory evidence. See, e.g., In re John DoeCorp., 675 F.2d 482, 489-92 (2d Cir. 1982) (a decision had been made to exclude from the reporta reference to the possibility that a payment to an attorney was for the purpose of bribing localgovernmental officials, and the court held that this decision might have been for the purpose ofcreating a misleading report). A balanced report is more informative to the company officials whomust act on the report and more credible to law enforcement officials who may later review it. Areport that includes exculpatory as well as incriminating evidence is also more fair to theindividuals and entities that may be criticized in the report.

To the extent appropriate, the report should include positive findings. Forexample, even if the investigation determines that a sales manager had caused U.S. technology tobe re-exported to Iraq, it might still be accurate to report that the company had establishedcompliance procedures prohibiting such re-exports, that these procedures were reasonablydesigned, that this prohibition had been stressed in specific training programs, that one factor indetermining bonuses was the extent to which sales management promoted a good complianceatmosphere, that senior management had no prior involvement in the incident, and that whensenior management learned of the incident, they promptly authorized an internal investigation,disciplined the sales manager, and took steps to enhance the compliance system.

Careful consideration should be given to whether some or all portions of theinvestigation should be reduced to writing. Reducing the report to writing can offer a number ofbenefits. Written reports often contain substantially more content and more precise analysis, andare easier for company management to digest, than oral reports. The Board of Directors may feelmore comfortable relying on a written report than on an oral report. If disclosed to thegovernment, a written report can help persuade the government that a thorough investigation hadbeen conducted and either no wrongful conduct occurred or that government action is otherwisenot warranted.

There are also a number of problems associated with reducing a report to writing.The process of writing a report can be expensive. If disclosed to the government or to othersoutside the corporation, the written report can be used against the company. Production of thewritten report is likely to jeopardize the privileges associated with the investigation. Insubsequent litigation, adversaries will seek to discredit the report by identifying arguableomissions or inaccuracies in the report.

Careful consideration should also be given to whether the company should disclosethe results of the investigation to the government. Under some circumstances, companies have alegal obligation to report to the government or otherwise disclose that they have engaged inconduct that is unlawful. The New York Stock Exchange requires that member firms promptlyreport to the NYSE whenever the member, or any employee associated with the member, hasviolated any provision of any securities laws or regulations or any rules of a self-regulatoryorganization or has engaged in conduct inconsistent with just and equitable principles of trade.NYSE Rule 351. Under some circumstances a publicly owned corporation may have an obligationunder the federal securities laws to disclose in its periodic reports or on a Current Report on Form8-K a violation of law that is material to the operations or financial condition of the company.19' 20

19 See United States SEC v. Fehn, 97 F.3d 1276, 1290 (9 th Cir. 1996); Roeder v. Alpha Indus. Inc., 814 F.2d 22(1st Cir. 1987); In re Par Pharm. Inc., 733 F. Supp. 668, 674 (S.D.N.Y. 1990). But see United States v. Matthews, 787F.2d 38, 39 (2d Cir. 1986); United States v. Crop Growers Corp., 954 F. Supp. 335 (D.D.C. 1997); Ballan v. Wilfred Am.Educ. Corn., 720 F. Supp. 241, 249 (E.D.N.Y. 1989); In re Teledyne Defense Contracting, 849 F. Supp. 1369 (C.D. Cal.1993).

MILW_2188630.2

17


The Department of Commerce has promulgated regulations imposing on U.S. persons anobligation to report requests that the person take any action which has the effect of furthering orsupporting a restrictive trade practice or boycott. 15 C.F.R. § 760.5.

Self-reporting can increase the likelihood of the company's obtaining lenienttreatment from the government. As set forth above, a number of government law enforcementagencies have formal programs that offer leniency to companies that report violations before thegovernment begins an investigation. Absent such a program, prosecutors may neverthelessexercise their discretion and decide not to prosecute a company that has voluntarily reported aviolation. See McNulty Memorandum; Report of Investigation Pursuant to Section 21(a) of theSecurities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperationto Agency Enforcement Decisions (S.E.C. Release No. 44969) (Oct. 23, 2001) (the "SeaboardReport"); Dominic Bencivenga, "Reporting Wrongdoing: Taking Time To Investigate Is ConsideredDelay," New York Law Journal, at 5 (Mar. 7, 1996) ("Corporations wanting to avoid indictmentmust be proactive, and [prosecutors] will not look kindly at a [reporting] delay.") (quoting the U.S.Attorney for the Southern District of New York). The federal sentencing guidelines forcorporations provide for a corporation to receive credit for having an effective program to preventand detect violations of law only if, after becoming aware of offense, the corporation does notunreasonably delay reporting the offense to appropriate government authorities. § 802.5.Voluntary disclosure to the government might also assist the corporation in receiving credit for fullcooperation in the investigation and for acceptance of responsibility for criminal conduct. Forexample, after Salomon Brothers (in the case discussed above) voluntarily notified thegovernment of misconduct, provided to the government detailed information regarding the firm'sinternal investigation, provided documents to the government, and made employees available forinterviews and testimony, the U.S. Attorney announced that criminal charges would not bepursued. See Press Release, U.S. Attorney For the Southern District of New York (May 29, 1992).

A vivid example of the potential benefits of self-reporting can be found in theantitrust field. The Antitrust Division of the Department of Justice has established a programwhich, under certain circumstances, allows corporations and corporate officers to obtain leniencyif the corporation or corporate officer reports antitrust activity of which the Division was previouslyunaware. See Stephen J. Squeri, "Minimizing Damage to Your Client Through CorporateCompliance Programs and the Antitrust Division's New Corporate and Individual LeniencyPrograms," at 6.005-6.011 to be found in Materials on Antitrust Compliance (Business Laws, Inc.1993). In some circumstances, corporations can obtain leniency by self-reporting even if theAntitrust Division has already begun an investigation. Id. In 1999, the Department of Justiceobtained criminal fines totaling $500 million against two pharmaceutical firms, but did notcriminally prosecute a third pharmaceutical company which had participated in the antitrustconspiracy. The Deputy Assistant Attorney General for the Criminal Division explained that thethird company was treated leniently for having provided the information that the Division "neededto crack the largest antitrust conspiracy uncovered to date." Press Release, Department ofJustice (May 20, 1999).

If the company decides to make some disclosure to the government, it mightattempt to limit the extent of the disclosure. In some circumstances, the government might agreethat it is sufficient if the company identifies the nature and extent of the offense and theindividual(s) responsible for the criminal conduct. In general, however, the government will oftenpress to see both the report of the internal investigation and/or the materials generated and

20 In general, a failure to disclose a felony is not a misprision of a felony under 18 U.S.C. § 4 absent some"affirmative step to conceal the crime." United States v. Ciambrone, 750 F.2d 1416, 1417 (9 th Cir. 1984). See alsoUnited States v. Cefalu, 85 F.3d 964, 969 (2 "d Cir. 1996).

MILW_2188630.2

18

`FOLEYFOLEY & LARDNER LLP

collected in connection with the investigation, including interview memoranda. Outside legalcounsel should always be consulted prior to making a disclosure to the government. A meticulousrecord must be kept of materials produced and not produced to the government. In at least onecase, United States v. Mass. Inst. of Tech., 129 F.3d 681 (1 st Cir. 1997), a party was required toproduce to a third party potentially more materials than had been produced to the government,because the party could not show exactly which materials had been voluntarily disclosed to thegovernment and which had not.

If the company decides to disclose a written report to the government, there is asubstantial risk that all of the company's privileges with respect to the investigation will bedeemed waived. A majority of the courts addressing the issue have held that disclosure of areport to a law enforcement agency waives any privileges that would otherwise attach to the reportunder U.S. law. See In re Subpoena Duces Tecum (Fulbright and Jaworski), 738 F.2d 1367 (D.C.Cir. 1984); Westinghouse Elec. Corp. v. Republic of the Philippines, 951 F.2d 1414 (3d Cir.1991); In re Martin Marietta Corp., 856 F.2d 619 (4 th Cir. 1988); In re Quest CommunicationsIntl, Inc., 450 F.3d 1179 (10 th Cir. 2006). The Eighth Circuit has held that voluntary disclosure ofan internal investigation report does not waive the privileges that would otherwise attach to thereport. Diversified Indus., Inc. v. Meredith, 572 F.2d 596 (8 th Cir. 1977) (en banc). The U.S.Court of Appeals for the Second Circuit has stated that there may be situations in which theagency and the disclosing entity may enter into an explicit agreement that the agency willmaintain the confidentiality of the report. In re Steinhardt Partners, L.P., 9 F.3d 230 (2d Cir.1993).

In an attempt to remedy this dilemma, changes to Federal Rule of Evidence("FRE") 502 were recently proposed that would in effect create a "government investigationprivilege" protecting privileged and work product materials disclosed to the government in agovernment investigation from further disclosure to others. The proposed amendments to FRE502 may not offer ironclad protection, however, because courts may find that they do not overruleFederal Rule of Criminal Procedure 16 and Brady v. Maryland, 21 which require governmentdisclosure of exculpatory materials to criminal defendants -- typically the individuals charged incorporate misconduct cases, who may be entitled to the work product and privileged informationdisclosed by a corporation to the government.

The relief provided by the proposed amendments to FRE 502 is not yet available,as it still needs to be approved by the Advisory Committee on Evidence Rules, the StandingCommittee, the Judicial Conference, the Supreme Court, and Congress after the public commentperiod closes in February 2007. Some commentators believe that enactment of the proposedamendments to FRE 502 will actually increase the pressure on companies to disclose privilegedinformation, as the government will insist that there is now no excuse not to disclose (other thanfear of prosecution, of course), and courts may place more emphasis on failure to disclose insentencing. On the other hand, while the Department of Justice, the SEC, and the U.S.Sentencing Guidelines applicable to corporations took the position several years ago that thecorporation's willingness to waive the attorney-client privilege may be a factor in determiningwhether to charge the corporation with a crime and what penalty will be sought or imposed, theU.S. Sentencing Commission recently voted to remove that language from the OrganizationalSentencing Guidelines, a change that took effect November 1, 2006, and the recent McNultyMemorandum reflects the limited change in policy that prosecutors must not consider acorporation's declination to produce core attorney work product or privileged information("Category II" information) against the corporation (but may favorably consider the corporation's

21 373 U.S. 83 (1963).

MILW_2188630.2

19


acquiescence). 22 In any event, at the moment, there is no guarantee that confidentialityagreements with the government will be upheld by the courts, and the weight of authority iscurrently against enforcement of such agreements.

Accordingly, if a company decides voluntarily to disclose to a governmental agencythe report of its investigation, the company should seek an agreement with the governmentexpressly stating that: (1) the disclosure is being made at the request of the agency; (2) it is theintention of both the disclosing entity and the agency that the disclosed materials will be keptconfidential; (3) it is the intention of both the disclosing party and the agency that the disclosureshould not act as a waiver of the attorney-client privilege and the work product doctrine as to anyother materials; and (4) it is the intention of both the disclosing party and the agency that withrespect to any other entity the disclosure should not act as a waiver of the attorney-client privilegeand the work product doctrine. Some law enforcement agencies may even agree to support thecompany if the company later has to argue that the voluntary disclosure to the government shouldnot be deemed a waiver. For example, in connection with a company's agreeing voluntarily todisclose the results of an internal investigation to the Securities and Exchange Commission, theSEC may now agree to intervene in a private discovery dispute and file papers urging that thedisclosure should not be deemed to have waived the privilege, as it did in the recent McKessonmatter in the Ninth Circuit. 23 Section 105(d)(5) of the Sarbanes-Oxley Act may provide somemeasure of confidentiality in disclosing to the Public Company Accounting Oversight Board,though the application of that section is largely untested.

If a company decides to disclose the report of the internal investigation to thegovernment, and the report is critical of specific individuals and companies, disclosure of thereport might result in a claim for defamation, invasion of privacy, publicity in a false light, tortiousinterference with economic interests, or infliction of mental distress. See Pearce v. E.F. HuttonGroup, Inc., 664 F. Supp. 1490 (D.D.C. 1987) (former E.F. Hutton branch manager sued E.F.Hutton and former Attorney General Griffin Bell in connection with a report of an internalinvestigation prepared on behalf of E.F. Hutton).

In any event, steps should always be taken to protect the investigation and anywritten investigation materials from discovery. Any documents or other written materialsprepared as part of an investigation should be marked privileged and confidential, and theirdistribution should be limited.

VII.

TAKING CORRECTIVE ACTION BASED ON THE INVESTIGATION

The company must assess what corrective action, if any, should be taken in light ofthe information gathered during the internal investigation. Throughout the course of theinvestigation, counsel and the company should be alert to whether there might be an ongoing,recurring or other prospective violation of law or of the company's policies and procedures. If itappears that there might be an ongoing or recurring violation, then the company should takemeasures necessary to prevent any further violations. These measures can consist of institutingnew procedures, instituting new training sessions, and/or disseminating compliance materials.

22 In addition, Senator Arlen Specter has twice introduced, in 2006 and 2007, an "Attorney-Client PrivilegeProtection Act" bill that would further curtail the Department of Justice from considering against a corporation itsassertion of the privilege, paying employees' legal fees, sharing information with employees, entering into a joint defenseagreement with an employee, or refusing to fire or sanction an employee who asserted constitutional rights during aninvestigation.

23 See Brief of the Securities and Exchange Commission, Amicus Curiae, in Support of McKesson Corporationand Supporting Reversal, in United States v. McCall, Case No. 03 . 10511 (9 th Cir.), available athttp://www.sec.gov/litigation/briefs/mckesson.htm.

MILW_2188630.2

20


Furthermore, the company should consider whether any employee and/or agentshould be disciplined and whether the investigation has revealed any areas in the complianceprogram that should be enhanced. In many instances, the decision to sanction the employee isdifficult. The employee may be a valuable employee who has (lawfully) enabled the company toearn substantial money in the past. The disciplining of the employee may have an adverse impacton employee morale and may expose the company to legal liability. In addition, the discipliningof the employee may increase the likelihood of the government learning of the unlawful conduct.The imposition of discipline might trigger a reporting obligation, 24 the disciplined employee mightgo to the government, or the disciplining of the employee might otherwise attract attention (e.g.,the disciplined attorney might file a wrongful discharge action). In any subsequent litigation orgovernmental investigation, the disciplining of the employee may be considered an admission.

On the other hand, there are important reasons to impose sanctions on employeeswho violate company policies. First, applicable law may require it in some situations-forexample, the CEO/CFO compensation "clawback" provision of the Sarbanes-Oxley Act (Section304; 15 U.S.C. § 7243). Also, company policies may lose their force if they can be violated withimpunity. The employees might engage in future violations. If the company does not sanctionemployees who act improperly, the government will likely conclude that the company condonedthe misconduct or lacks a meaningful compliance policy. 25 The availability of an affirmativedefense to a sex or race harassment claim may also depend upon whether sanctions wereimposed. Under the Faragher/Burlington Industries analysis, the employer must show that itexercised reasonable care to prevent and promptly correct the harassing behavior. Theeffectiveness of the corrective steps taken must be assessed, such as whether or not the allegedharasser was removed as the immediate supervisor for the victim and whether, if there are priorincidents of harassment by the alleged harasser, the employer terminated, suspended, or at aminimum, severely reprimanded the alleged harasser upon finding that the alleged conductoccurred.

The sanction should reflect the seriousness of the offense, the extent to which theemployee has been put on notice that the conduct at issue was contrary to company policy, andthe need to protect the company from future violations. In some instances, the company canappropriately respond to an infraction with additional training and education coupled with areprimand and/or warning. In other instances, the company can appropriately sanction theemployee by suspending the employee, denying the employee a promotion, demoting anemployee, or denying the employee a bonus. In other instances, especially instances involvingcriminal conduct that puts the company at risk or poses a substantial threat of future violations, itmay be appropriate to terminate an employee. With respect to claims of employmentharassment, the remedial steps must be "reasonably calculated" to halt the harassment. Inconsidering the appropriate discipline to be imposed, the company should also consider the legalstandard likely to be applied in evaluating whether the discipline was excessive (e.g., is theemployee an at will employee or can the employee only be fired with just cause). The sanctionsshould be applied fairly and consistently.

24 For example, the Form U-5 promulgated by the National Association of Securities Dealers (the "NASD")requires that member firms of the NASD, with respect to terminated employees, report whether the employee "[c]urrentlyis, or at termination was ... under internal review for fraud or wrongful taking of property or violating investment-relatedstatutes, regulations, rules or industry standards of conduct." Similarly, the New York Stock Exchange requires membersof the exchange to promptly report whenever an employee of the member is the subject of any disciplinary action taken bythe member against any of its associated persons involving suspension, termination, the withholding of commissions orimposition of fines in excess of $2,500 or any other significant limitation on activities. NYSE Rule 351.

25 See McNulty Memorandum t 11 (stating that a corporation's "retaining the employees without sanction fortheir misconduct ... may be considered by the prosecutor in weighing the extent and value of a corporation'scooperation").

MILW_2188630.2

21


The company should consider whether the employee should be provided advancednotice of the tentative findings of the internal investigation and should be given a fair opportunityto respond to that notice (though care should be taken to minimize the risk of waiver of privilegesor work product protection in doing so). In addition to the benefits intrinsic in providing a fairprocedure to an employee before discipline is imposed, providing the employee with a fairopportunity to respond to the notice will benefit the company by permitting it to make a moreinformed decision regarding the sanction, if any, that is appropriate.

Disciplinary action that results in the termination of the employee responsible foralleged misconduct may lead to the employee bringing a lawsuit for wrongful discharge. Courtsdiffer as to the legal standard to be applied in determining whether the disciplined employee hasa cause of action against the company. Compare Cotran v. Rollins Hudig Hall Int'I, Inc., 948P.2d 412 (Cal. 1998) with Sanders v. Parker Drilling Co., 911 F.2d 191 (9 th Cir. 1990) (applyingAlaska law). In Cotran, a company had terminated an employee after finding that the employeehad sexually harassed certain fellow employees. The terminated employee sued his formeremployer alleging that he had been terminated without just cause. The trial court ruled that theissue was whether the employee had actually engaged in the alleged sexual harassment, foundthat the terminated employee had not engaged in sexual harassment, and held that the employeehad therefore been terminated without just cause. The California Supreme Court held that theemployee had been terminated with just cause as long as at the time of the decision to terminatethe employment, the employer, acting in good faith and following an investigation that wasappropriate under the circumstances, had reasonable grounds for believing plaintiff had done so.948 P.2d at 423. In Sanders, two employees of Parker Drilling Co. informed Parker's safetymanagers that several fellow employees were routinely smoking marijuana on the job and duringbreak periods. The company asked for and obtained written statements from the two employeesstating this accusation. The company then confronted the plaintiffs who denied using drugs.Based on this information, Parker terminated the plaintiffs. The Ninth Circuit held that to carryits burden of showing just cause for termination, Parker had the burden of showing that thedischarged employees had engaged in the alleged prohibitive conduct, and held that Parker'ssubjective good faith belief that it possessed good cause was insufficient. 911 F.2d at 194 . 95.

Finally, a company considering remedial action should consider taking additionalremedial steps, such as making compensatory payments to individuals or entities that wereoverbilled; making job offers to job applicants against whom the company had discriminated; andcorrecting disclosure statements that have been released to the investing public.

MILW_2188630.2

22


Me JOSuo! a oIn 6uio6uo pelep o{.,

su0!18611s9nuf pa erai uoilL61111:11f cv;y:1,11:r.",b'oua6ijialu.̀1enpadwoocr.^^K^

s

st {

.,.ry.Y1,q•y4:t

^.

'i{l:LcT.'l'li

•^...-x"

nE,ad35:.4sr-rre.4.r.^r.^•

yt'^Y ry

r

4

sua!ap anggenuaaq

.:^.

slassa eTaaodaoo jo jeq /esnsislaaoas epaaljo uoiTeudoaddas!W -

paooaa10 uogeOWSIe.; 6uile6iisenuisuoi6apIepnaa j 6ui unoooa/aouaui J

staoaaasaa`sasseu

o .q.lu

^.!nnpug 1suoITe61lsenui:L4aladwoo-uoN„ y

Buiiaodaa Al.pgalaotani.a6i.sanulsoaounoa6oa.ssao uoIIoa o

(6u!Je6uIIew)!episiIges!a --

. -- Hewlett Packard caselPotential violations of attc hY code of professional responsibilitypotential disciplinary consequences

'd'

y.

.

-

False statement of material fact or law td third person .Conduct involving dishonesty, fraud, deceit or misrepresentationFailure to supervise 5:7--' ,..Counseling client to commit a crime or fraudMisleading unrepresented persons"Reflects adversely" on lawyer's "fitness to practice"

.4a

Civil liability for investigators tortious conduct, ti yt=; -,

FOLEY

cDO

op Q

oq

}. v) C.]

iosied Imo Jo uoissiwied sseJdxeJoud eq1nownnùosJJrLIIJOSuoi1OeSUBJfJOsaliinlioe JalflO JO`panlaoeJ Jo apU, ''wF "``

Y[OIeo!unwwoo -ùa)ej sualoeeI4opJooeJCue ofsseooe

•6u!u!e6 Jo esodJnd NI aoj Jagloue Jo Iuewnoop uogeo Jljuap!.-; Ieuosiad Jo uoijewJojui uoi eopuopi IeuosJed►Cue 6uisn

Jo ùosied leyi Jo uoissiwJed sseJdxeoiid.'aii)nOIOM ùosJedwigJo Iuewnoop uo!1eoiuepi

IeuosJpdJO -' O!4et.JoJu! uo!leo!J!Iuep! jeuosied Cue of_ssaooe6u!uie6Joesodind aukJojès!mJa o Joùosiedwinse

MesJay Jo 11eswiyICeJlJodoT. JeLgoue Jo juewnoop uoileopuap!'_ieuosaadJouo!IeWJOJuIuo!leoluepi Ieuosiedicue6uHsn

, ..

:s}!q!uoadsspiooeJ euoqdueglWOW, JJeA06 01 Me 140thlA1,Uop! SPOPUOWV

Melsiouilll

co

a)u)

o

.B

oe

tl!q

7

Y

_sec0_;

Eocac

E

03co-=

._._ o v v

v v

v o

o2

22

2zzzzzzzz0

0

Financial Advisory and Litigation Consulting ServicesIT Risk Consulting

Best Practices Strategies for Electronic Discovery Management February 15, 2006

By Anne Kemp Warren G. Kruse III Kathleen A. Skapik

Financial Advisory and Litigation Consulting Services IT Risk Consulting

Using computers for business or personal reasons is part of almost everyone’s daily routine in the United States and in most developed countries worldwide. It has been conservatively estimated that 90% of business information is now in electronic form, and that most paper is just a subset of the electronic data. The amount of electronic data generated by organizations is staggering. It is estimated that a large corporation generates 250 to 300 million email messages per month. On December 1, 2006, changes in the Federal Rules of Civil Procedure (FRCP) went into effect substantially altering the discovery, production, and admissibility requirements of evidentiary information in U.S. federal courts. Specifically, FRCP impacts information created, shared, modified, stored, and retrieved in electronic form. Key provisions of the new amendments require early attention to what is electronically stored; adds the concept of what is “reasonably accessible;” describes procedures for inadvertent production; provides guidance to courts regarding sanctions; sets time limits to complete discovery; and shifts the burden to the responding party for addressing electronically stored information. The electronic communications evolution and the new regulations have now made best practices strategies in electronic discovery management mandatory in order to successfully:

• Litigate a matter or respond to a government regulated investigation. • Meet the requirements of the 2006 FRCP amendments. • Preserve the integrity of electronic files. • Avoid sanctions. • Reduce the time and costs of identifying, collecting, processing, and reviewing electronic files as

evidentiary material. Best practices strategies are based on proven approaches and methodologies that lead to desired results and are dependant on using all the knowledge and technology at one's disposal to ensure success. In electronic discovery, best practice approaches start with knowledge, including understanding the nature of electronic files and the differences between electronic and paper copy collections; and a foundation in the new changes in FRCP. Best practice strategies also need to consider proactive litigation preparedness; ways to avoid preservation traps; strategies for “meet and confer” conferences; data collection; the role of the computer forensic specialist; and ways to avoid spoliation. Direct and indirect costs associated with electronic discovery and employing technology to reduce these costs should also be addressed. Each of these areas is discussed in this paper with a focus of collectively developing a best practice plan for electronic discovery management. Electronic vs. Paper Nature of Electronic Files

Outside of IT departments and technical specialists, few are aware of the actual nature of electronic files that need to be considered from a discovery perspective. Unlike paper collections, electronic files exist in a variety of file types and formats; can be incomprehensible when separated from the system that created them; are dynamic in nature and easily changed; and are most often greater in volume than paper documents. Although in-depth technical knowledge is not always required, an appreciation of some of the characteristics of electronic files is important for many discovery-related decisions. These characteristics are described below.

Best Practices for Electronic Discovery Management Page 2


Types of Electronic Files The types of electronic files tend to vary according to functionality. Common types found in everyday business activity include:

• Emails and Email Attachments • End User Active Files - Word Processing, Spreadsheets, Presentations, and Database Files • Application Files • Legacy Application Files (often the result of a merger and acquisition and not easily accessible) • Instant Messages • Text Messages (SMS) • Phone Messages • Video Recordings • Fax Machine Memories • Backup Tapes

Format of Electronic Files The format of electronic files can also vary according to the system on which they were created. For example, email formats generated from the following systems are system-dependant and require standardization for any discovery review process:

• Microsoft Exchange/Outlook • IBM Lotus Notes • Novell GroupWise

Although the files are already in an electronic format, it does not mean they are readily accessible. Unless access is available to all of the operating systems and/or software programs that were used in developing all of the different types and formats, access to all of the information is all but impossible. Conversion Requirements Electronic files typically require additional processing for standardized retrieval. Conversion to native file format (such as HTML) and/or an image format (such as TIFF or PDF) are formats widely used in the legal practice. Conversion to TIFF or PDF files is traditionally more expensive and time consuming. Some file types, such as Excel spreadsheets that were really never meant to be printed, do not readily convert to TIFF. As the number of electronic files increase, so does the need to contain costs. Native file reviews are becoming more the norm, with selected TIFF or PDF files generated for production purposes. Some have deemed native file review as a “best practice” strategy to contain costs and reduce processing time to prepare files for inspection. Information Reservoir Electronic files have more information than paper copy, much of which is not readily seen. Much of this “invisible” information is not content related, but can provide extremely valuable evidence during a litigation or an investigation. This information is about a data set or document which describes how, when, and by whom it was collected, created, accessed, modified, and printed as well as how it was formatted. Referred to as “metadata,” this underlying information, such as “creation date” or “date last modified,” is also important to capture and can be potentially valuable if discovered. Sensitivity to Change Electronic files have a high sensitivity to change. Computers operate by constantly overwriting and deleting information and simply turning them “on” or “off” will change the hard drive data and potentially destroy important links to residual data. The need to maintain the integrity of the data, including



preserving the metadata, is essential to the discovery process. Metadata associated with an email can be changed simply by forwarding the email. A best practice strategy is to avoid any manipulation of the files that would change anything. Another important strategy is to use an outside resource that specializes in converting files without jeopardizing the files’ legal value. Greater Volume Electronic files store information in compressed format in bits and bytes – or more realistically for litigation purposes in gigabytes (GB) or terabytes (TB). The volume of available electronic files can be staggering. A banker’s box of paper generally equates to 2,000 – 2,500 pages of paper that, if necessary, can be physically counted. Estimating how much electronic information may need to be reviewed is not easy or accurate. Volumes can vary substantially according to file type and format, as well as storage media. An average user generates one GB of email per year; a number that continues to grow. To equate to paper, most industry experts use 60,000-75,000 pages per GB.

Volume Estimating Guidelines

• Average user generates one Gigabyte of email/year

1 Megabyte (MB) = 75 pages

1 Gigabyte (GB) = 75,000 pages/30 boxes

30 GB = 2.25M pages/1,000+ boxes

1 Terabyte (TB) = 100M pages

• 500 million typewritten plain text pages = 1 TB of data • Library of Congress = 10-20 TB of data

Accurate estimates for discovery review are further complicated by guaranteed duplicates, files that are not candidates for further processing (e.g., application files), and the unknown number of totally irrelevant files.

The Nature of Electronic Information

• Exist in various formats and file types • System dependant • Have additional information (metadata) • Dynamic in nature • Greater volume than paper documents

The approach to electronic file discovery is very different than that traditionally taken with paper. Best Practices for Electronic Discovery Management Page 4


Paper vs. Electronic Discovery If not completely painless, paper discovery is fairly straightforward. Most businesses have some idea of where important papers are physically located in either on-site or off-site storage. They can visually see the paper that is housed in boxes, file cabinets, and other storage containers taking up physical space on office or storage facility floors. Based on a finite number of pages that can fit into a dimension specific box or file drawer, they also have an idea of how many pages may need to be potentially reviewed during discovery. As boxes and sub-containers, such as redwelds or file folders, are often labeled to describe contents and may even be listed on a box/file folder index, irrelevant materials are easily eliminated via a box/file index review or a “thumb-nail” search across the pages. Even if the pages are image scanned to capture a picture of the document that is machine readable, the originating source is still paper. To prepare for paper copy discovery, the contents of potentially relevant boxes, drawers, or folders are typically copied or imaged. With large collections, a computerized database of additional information on a document’s contents may also be created to facilitate document review. Full-text databases may be generated from images using optical character recognition (OCR) technology and/or databases of bibliographic information of the document’s contents, such as the to, from, and date, may be developed. Physical paper is manually reviewed (images are often reviewed online) for relevancy, privilege, and other production purposes. The responsive, non-privileged documents are copied or printed from images often endorsed with Bates numbers and other desired disclaimers (e.g., “confidential” stamp) and subsequently produced to the opposing party. Throughout the process, privilege logs are maintained. With paper copy, discovery management budgets can be estimated based on visually apparent volumes. Large volume cases involve only scalable differences - more space, people, time, money, and perhaps technology - in creating coded and/or full-text databases linked with digital images. The discovery process essentially remains the same for all paper copy collections. Adherence to compliance requirements and litigation hold policies are supported by visual inspection. While adherence to record retention plans are often encouraged by cost savings in office furniture, equipment, and space. Nothing about electronic discovery is straightforward. If electronic data is not pursued, critical evidentiary information that may decide a case may be missed. A range of discovery sanctions may be also brought if the technology infrastructure and information are not evaluated. A best practice strategy in approaching electronic discovery is to clearly appreciate the differences between paper copy and electronic files, for example:

• Electronic information usually holds more value than its paper equivalent, due to inherent metadata, such as metadata file names, formatting information, docs open history, file size, and access dates. Some files also contain information that may not be visible if printed, such as spreadsheet formulas, links, and hidden notes. Not insignificant is the ability to use technology to search this “information about information.”

• Electronic data is more volatile than paper. Special care must be exercised in preserving, moving,

copying, or reviewing electronic data so as not to destroy, corrupt, or alter the information, including hidden data. A significant risk of sanctions now exists if reasonable preservation measures are not taken.



• Unlike paper, electronic information can be stored in multiple formats and at multiple times in the same or different formats and in multiple locations. The sources of potential evidentiary materials can be overwhelming and duplicates abound most collections.

• Archived paper is often housed in less expensive off-site storage, easily retrieved by a “box”

request. Archived electronic files may require special technology to access and search. Although it can be costly to restore such electronic data, the risks and legal obligations in not doing so can be substantial.

• Increased capacity and lower cost of electronic data storage over the last 10 years has prompted

saving more information than is probably necessary. Over the last year, the legal community has been faced with the impending changes in the Federal Rules of Civil Procedure dealing directly with electronic files. Now that the changes are in effect, best practice strategies include understanding their effects on electronic discovery management. Changes in the Federal Rules of Civil Procedure The Federal Rules of Civil Procedure define the stages of civil litigation as:

• Commencement (FRCP 3-6) • Pleadings (FRCP 7-15) • Pre-Trial/Scheduling Conference (FRCP 16)1 • Discovery (FRCP 26-37) • Trial (FRCP 38-53) • Post-Trial (FRCP 54-end)

Surprising to some, the stage that carries the greatest weight in determining the outcome of the case is not trial, but discovery. “Cases are more often won or lost during discovery, rather than at trial. The use of trials in disposing of cases has been steadily declining. One study noted that 11.5 percent of federal civil cases were disposed of by trial in 1962; 40 years later in 2002 only 1.8 percent of cases were disposed of by trial…. For this reason, pretrial electronic and paper based discovery in support of your claim or defense often determines the outcome of your case.” Michael Arkfeld, Esq., Electronic Discovery and Evidence, 2006 Although amendments have been made to the rules since their inception in 1938, modifications reflective of information technology were last addressed in the 1970 amendments. The new rules take into consideration 26 years of technological advances that have increasingly changed U.S. business practices from paper and ink to bits

1 The ordering of the stages and the order of the Rules have one minor out-of-sequence anomaly. The pre-trial conference required under FRCP 16 will occur after the Discovery Planning conference mandated by R. 26(f), though certainly not after the conclusion of Discovery in general. Best Practices for Electronic Discovery Management Page 6


and bytes of electronic data. The new amendments are based on problems with computer-based discovery initially brought to the attention of the U.S. Advisory Committee on Civil Rules at a discovery conference in 1996. Such problems included the high costs and extensive processing time associated with the full-disclosure of often daunting amounts of electronic information in a multitude of formats. Based on 10 years of extensive and collaborative efforts among the bench, bar, technology experts, and the public, the new regulations recognize electronically stored information as subject to the judicial process and sets forth procedures to be followed to reduce the associated burdens of electronic discovery.

Timeline of Federal Rule of Civil Procedure Changes Regarding

Electronically Stored Information

1970 – Discovery rules last amended to take into account changes in information technology. 1996 – Federal Advisory Committee on Civil Rules first hears about problems associated with computer-based discovery at a conference. 1999 – Advisory Committee Chair sets forth mission to devise “mechanisms for providing full disclosure in a context where potential access to information is virtually unlimited and in which full discovery could involve burdens far beyond anything justified by the interests of the parties to the litigation.” 2000 – Start of Extensive Study with Comprehensive Input. Findings - Discovery of electronically stored information becoming more time-consuming, burdensome, and costly, and there are inadequate guidelines for determining discovery rights and objections. 2004 – Proposed amendments to rules circulated for comments. 2005 – September 2005, Committee on Rules of Practice and Procedures recommends that the Judicial Conference accept changes regarding electronic records. 2006 – December 1, 2006 new rules for discovery of electronic records went into effect.

The changes in the FRCP formally recognize electronically stored information (ESI) and broaden the scope of ESI to include any reference to a “document” in other applicable rules. ESI is also defined by the new rules as possibly being “metadata” or data generated by computer programs and applications “behind the scenes.”

Key provisions of the FRCP amendments as related to electronic data discovery include:

• Introducing the term electronically stored information.

• Mandating early attention to planning for electronically stored information.

• Adding the concept of justification for what is not reasonable accessibility.

• Allowing “entry upon land” for inspection of “electronically stored information” possessed by an

adverse party.

• Shifting the burden to the responding party for electronically stored information.



• Adding procedures for inadvertent production.

• Providing guidance to courts regarding sanctions.

• Guiding the use of digital forensic techniques to acquire discovery from an adverse party; and specifically addressing the scheduling of ESI production at the pretrial conference.

• Directing the parties to discuss “any issues relating to preserving discoverable information” and

developing a discovery plan that concerns “any issues relating to disclosure or discovery of electronically stored information, including the form or forms in which it should be produced.”

More specifically, the changes to the rules include: Rule 16 Pretrial Conferences; Scheduling; Management

Establishes process for the parties and court to address early issues pertaining to the disclosure and discovery of electronic information.

Rule 26 General Provisions Governing Discovery; Duty of Disclosure Requires parties to discuss issues relating to the disclosure and discovery of electronically stored information during the discovery-planning conference.

Rule 26(f) “Meet and Confer”

Conference of Parties; Planning for Discovery.…the parties must…at least 21 days before a scheduling conference under Rule 16(b), confer…to discuss any issues relating to preserving discoverable information and to develop a proposed discovery plan concerning discovery of electronically stored information including the form/s in which it should be produced…In addition, parties must discuss issues relating to privilege or protection as trial-preparation including asserting such claims after inadvertent production.

Rule 33 Interrogatories to Parties

Expressly provides that an answer to an interrogatory involving review of business records should involve a search of electronically stored information.

Rule 34 Production of Documents and Things and Entry Upon Land for Inspection and Other Purposes

Distinguishes between electronically stored information and “documents” and allows any party to serve a request “…to inspect, copy, test, or sample, any designated documents or electronically stored information…stored in any medium,” and to specify how the information should be produced.

Rule 37 Failure to Make Disclosure or Cooperate in Discovery; Sanctions

Creates a “safe harbor” that protects a party from sanctions for failing to provide electronically stored information lost because of the routine operation of the party's computer system.

Rule 45 Subpoena

Technical amendments that conform to other proposed amendments regarding discovery of electronically stored information.


http://www.uscourts.gov/rules/Reports/ST09-2005.pdf#page=110







Failing to deal effectively with the new regulations may yield tactical, financial, and legal disadvantages. It matters little whether the request is fair and well-targeted, a fishing expedition, or a cost-driven ploy. A responding party must also now apply the same disciplines to investigate, preserve, disclose, and produce its own relevant electronic data. The “I won’t ask if you don’t” approach over the last several years is no longer a viable strategy. Coupled with the new FRCP changes, trends such as the following are having a significant impact on how electronic information is maintained and considered. These trends must also be taken into account as part of the development of best practice strategies:

• State and federal regulators now require certain industries to keep and submit electronic records instead of paper. In the securities industry, traders and analysts must keep all email relating to an investigation or face stiff sanctions. In mergers and acquisitions productions and second requests, the government requests production of electronic files and email in machine readable formats.

• State and federal judges are now more educated in electronic discovery due to the disputes brought before

them as well as by judicial conferences and seminars.

• Despite the right to discover, courts are increasingly concerned with privacy and privilege issues, even over corporate claims of data ownership.

• The “unduly burdensome” argument is becoming a faint memory. Computer forensic and electronic data processing experts are now more readily available. So much so, that the courts often expect responding parties to avail themselves of such outside services in order to manage large electronic databases, complex email systems, and potentially relevant data backup tapes.

• The concept of cost sharing based on a “balancing test” is now only a glimmer of hope for respondents with large systems or lots of backup tapes.

• Outside counsel failing to adequately investigate, disclose, preserve, or produce on behalf of their clients are more frequently being faced with financial and procedural sanctions, including judgments. Some jurisdictions have developed detailed and specific rules for the conduct of post-filing preservation and pretrial disclosure.

Given the nature of electronic files, the explosive growth of electronic communications and stored information in the workplace, coupled with the new amendments, most corporations are now faced with the challenge of being litigation ready for electronic discovery well before any action is filed. Being prepared in advance for litigation is a corner stone of best practice strategies for handling electronic discovery.

Litigation Preparedness Litigation preparedness includes determining the “who, what, when, where, why, and how” of electronically stored information, as well as considering record retention plans and litigation hold policies in a legally defensible manner.



How Ready Are You?

• Less than 15% of legal departments believe they have

tools and processes in place to handle e-discovery

• Less than 35% of the same departments believe they have an established e-discovery response workflow process

• Burden may end up resting on outside counsel to

understand the client’s technology infrastructure

Historically, when working on matters involving large paper copy collections, legal professionals would often wait until the time and money absolutely had to be committed before developing a comprehensive plan to manage paper; the hope being that settlement would occur before expending a substantial amount of money. With the FRCP rules requiring early disclosure of electronic files and the short time allowed to prepare for meet and confer conferences, this type of last minute discovery management does not apply for electronic discovery. Proactive, early planning is now required for compliance and successful management of electronic data. A wait-and-see approach with regards to electronic information will most likely result in defending motions and emergency spending, plus facing the risk of sanctions. A best practice strategy approach to electronic discovery requires early litigation preparedness planning and investment based on cost containment methodologies. With the exigencies of data preservation, the risk of spoliation, mandatory disclosures, and the need to be prepared for meet and confers, litigation readiness is no longer optional. An early commitment to a preservation and production plan, including an Electronic Discovery Action Plan on a matter-by-matter basis is a good practice foundation. Part of litigation preparedness includes having knowledge of the technology infrastructure, specifically where and how data resides and at least a rudimentary identification of key sources of potentially litigation relevant information. Also of equal importance is compliance with record retention and hold policies and procedures. Both are essential to best practices in avoiding the preservation trap, preserving newly created data, and managing overlapping litigation holds. It is difficult to preserve or protect electronic files if you do not know they exist, where to find them, and how to access them if needed. Lack of knowledge has rarely been a good defense. In addition, as most companies do not need to keep electronic files indefinitely, nor could most afford to do so, adherence to record retention policies based on federal guidelines is of particular concern. Although an integral part of the litigation ready process, the IT department is chiefly a technical discipline with the goal of keeping systems operational and end users productive. More and more businesses, sometimes at the request of outside counsel, are bringing in experts in computer forensics, e-discovery, high-tech investigations, information security, records management, and corporate investigations to assist in performing a range of tasks not necessarily related to a specific litigation or investigation, such as:

• Assessing current procedures related to preservation and production, and recommending cost-effective, time-efficient “best practice” changes.



• Determining what kind of electronic information resides where (e.g., network servers, hard drives, backup tapes, PDAs, etc.).

• Developing network maps.

• Surveying and/or interviewing key personnel and other custodians of records for additional sources of

electronic business files (e.g., personal PCs housing business files, flash drives, memory sticks, etc.).

• Providing “snap shot” file indices and other inventories.

• Forensically identifying files that are not “reasonably accessible” under FRCP and providing defensible documentation (e.g., backup tapes).

• Ranking files sources and file types for e-discovery potential.

• Identifying and mapping communications flow, including hold policies and retention guidelines.

• Assisting in securing necessary outside resources needed to implement a litigation preparedness plan.

Mapping the technology infrastructure, for example, is becoming a necessity to identifying key custodians of potentially litigious electronic files. It also provides the source information in advance for meet and confer conferences that allow little time for preparation. Information not only relevant to what might be requested, but also how the production requests should be defined to comply with in-house systems. Using outside experts, such as computer forensic specialists for data collection as a best practice strategy is addressed later in this paper. Knowing the where, how, and by whom electronic files are created and stored sets the stage for developing best practice strategies to avoid preservation traps. Preservation Traps Preservation traps can be substantially reduced by best practice strategies which encompass existing data, newly created data, and overlapping litigation holds. Existing Data In the electronic workplace, it is not uncommon for previously used company PCs to be reassigned, systems upgraded, server space reallocated, files overwritten, and backup tapes reused. At the very least, most employees delete some unneeded files. Although many companies have records retention policies, electronic data changes or disappears with alarming frequency. With the “whiff of litigation” there is an inherent duty to preserve electronic files before knowing much about the data itself. Failure to preserve can have swift and disastrous results, including costs, sanctions, adverse inferences, adverse jury instructions, and adverse judgments. Early attention to a preservation plan with clearly defined protocols and action is a best practice strategy that manages substantial risk, helps to maintain a tactical position, and gives a head start to budgeting and resource management.



Components of a best practice strategy to avoid preservation traps for existing data may include:

• Having comprehensive communication protocols in place for sending immediate preservation notices to potentially relevant custodians, as well as the technology staff responsible for server management, data storage, data access, and tape backups. Avoid the result in In Re Prudential Insurance Company of America Sales Practices Litigation, 169 F.R.D. 598 (D. N.J. 1997) where the preservation notices were sent in such a way that the field staff was likely to ignore them.

• Requiring acknowledgements from all preservation notice recipients that they have received the

preservation order. Particularly important if a member of the technology staff or a designated company custodian of records is called as a 30(b)(6) witness to ensure compliance with the procedures or protocols implemented after the preservation notice was issued.

• Conducting proactive interviews of key custodians to assess the types of data they typically create,

plus where and how it is typically stored. Survey questionnaires are an excellent tool for collecting this type of information and can be periodically updated. Identify “key” custodians early on so as not to have the entire organization at issue for preservation and production.

• Creating an early position on scope of preservation and discovery on information from in-person

interviews and questionnaires from key custodians. Such information may be useful in pre-trial to discuss with opposing counsel to confirm a preservation plan. It might also be an advantageous topic at a meet and confer.

• Considering a protective order or stipulation allowing the normal administration of systems and

records retention policies for sources and custodians not holding potentially relevant data and not covered by the preservation plan.

• Requiring key custodians, legal, and technology personnel to preserve data by leaving it in place

without any alteration. • Defining the difference between preservation and data collection. Opening and closing files, moving

them to subject matter folders or particular servers or even forwarding data to general or outside counsel alters data by changing dates and file attributes. Altering this metadata can contribute to spoliation of potentially evidentiary data. It can also create problems with the creation of privilege logs and redaction of documents when documents are moved into multiple locations.

• Suspending backup tape rotation and other standard operating procedures that may overwrite or

otherwise destroy relevant data. • Creating litigation-specific backups of the identified data in a forensically sound manner. The

backups may take the form of data copying or forensic “images.” The type of backup preservation method, such as forensic images, may depend on the specific case parameters.



Newly Created Data A discovery request may ask or imply that data created after a filing or notice date is preserved. The request to preserve newly created data is typical in cases where alleged harm is seen as continuing or information that appears to be useful to the requesting party continues to be created. Ongoing, open-ended preservation of data can be expensive. In some cases, the costs of discovery for data created during the historical dates alleged in a complaint are small compared to preservation of newly created information. The costs associated with never deleting files, performing daily backups, and periodically reviewing and producing on an ongoing basis can be substantial. Failure to preserve newly created data is a potential trap for sanctions, regardless if they are only requested for tactical reasons. Best practice approaches to dealing with ongoing preservation requests may include:

• Identifying a narrow list of candidates that are likely to create relevant data on an ongoing basis. A

stipulation or order for preservation of only these custodians or systems may be possible, as well as a protective order releasing all others.

• Clarifying and distinguishing requests for selected types of information that typically generate new

data (for example, consumer hotline, claims, compliance, or quality control data) versus requests encompassing all electronic business files.

• Secure third-party expert advice on costs and other burdens associated with preserving on-going,

newly created data, including any client or customers repercussions. It may be feasible to seek a protective order by arguing cost and burden against the likelihood or speculative value of data that has not yet been created.

Overlapping Litigation Holds Businesses may be faced with frequent or repetitive litigation that creates overlapping litigation holds, effectively requiring them to keep foreseeable future data they have or will create. The burdens and costs of multiple litigation holds can mount quickly creating both strategic business and technology infrastructure problems. Although no pancreas exist to eliminate such issues, some relief may be achieved on a case-to-case basis by some of the following best practice strategies:

• An aggressive preservation plan so that as little data as possible is at issue for as short a time as possible.

• Narrowing requirements for preserving newly-created data through protective orders or other legally

bound actions. • Compliance to record retention and destruction plans with hold policy safeguards, including timely

elimination of any data not subject to litigation. • Enforcement protocols and monitoring procedures for record retention compliance on an on-going

basis.



• Disposition policies and guidelines for the timely destruction of electronic files no longer subject to a hold and that are otherwise beyond the standard records retention dates.

Litigation preparedness with tips on avoiding preservation pitfalls encourages compliance with one of the most important requirements of the FRCP changes – the meet and confer conference. Meet and Confer The amendment to FRCP 26(f), known as “meet and confer,” adds an affirmative requirement that the parties discuss discovery and production of electronically stored information during their discovery planning conference. The meet and confer is required to be held within 69 days after a defendant has appeared, subject to stipulation for a time extension. Parties must include the meeting results in the electronic discovery plan that is filed with the court. Responding parties need to ensure that the investigation of electronic data is thorough; disclosures being made are complete and accurate; and promised data will be produced in a timely manner in the requested format. In preparing for the meet and confer conference, best practice strategies are dictated by early investigation and planning. Both are key advantages to tactical positioning. For example, prior to the meeting each party should have a complete understanding of the following:

• The content and location of potentially relevant electronic files.

• The desired format specifications for the production, including delivery media.

• Specific procedures that they would like to follow for inadvertent production. Issues to be addressed and agreed to by each party in the meet and confer should include at a minimum:

• Date Preservation Issues • Formats of Production • Privilege/Confidential Claims Protection • Litigation Hold Policy • Internal Technology - Forensic and IT

o Where is the data located? o How accessible it is? o If it is not accessible, why not?

Strategies for requesting electronic data might include:

• Specific and targeted requests. • Pre-identification of relevant custodians, dates, and types of data (e.g., email, spreadsheets, databases,

and financial/accounting systems). • Understanding the computer systems and kinds of data created and maintained.



• Considerations and suggestions for limiting review and production, such as date ranges or keywords, including how to devise, test, or negotiate a useful list of search terms or ontology.

Strategies for responding to a request for electronic data might include:

• Conducting custodian interviews with electronic data specifically in mind. • Assembling organization charts and mapping technological infrastructure and systems for data source

identification, including questioning business and technology staff. • Using charts and checklists to determine if sources of data have been overlooked. • Detecting early on what data is potentially responsive and what data, systems, or backup tapes are

not. • Preparing supportable reasons for any data exclusion. • Making clear, consistent offers of data based on custodians names, date ranges, and the use of search

terms. • Spending time analyzing and testing names, dates, search terms, and other collection criteria.

Once agreements have been reached regarding the parameters of the requested productions, data collection methodologies need to be employed that preserve the integrity of the information and provide legally defensible chain of custody information. Data Collection One of the most sensitive aspects of electronic discovery is the actual data collection process. Inherent to the acquisition are the problems related to the multiple file types, formats, generating software and systems, and the high susceptibility to change. Poor collection techniques and haste in collecting or “harvesting” electronic files can result in loss of original data, non-compliance to the production parameters, and possible sanctions. In data collection it is vital to keep in mind the following:

• Opening, closing, moving, and copying may change important metadata if not performed in a forensically sound manner. Simply forwarding relevant emails and loose documents to a centralized source changes the metadata by obscuring the original authors, recipients, dates, subject lines, reply chain, and routing information.

• Chain of custody is rarely kept at a document level, making it nearly impossible to trace or

authenticate back to the original electronic files without using specialized forensic software. • Over-collection to be on the “safe side” often results in magnitudes of unnecessary cost.



• Affidavits and testimony may be required concerning collection methods, completeness, and chain of custody authentication.

Although the legal team may be eager to start document reviews as soon as preservation notices are out and meet and confer specifications have been mutually agreed to, legally defensible data collection is not a simple process. Electronic data collection requires concerted planning and the use of specific forensic tools and techniques. Best practice strategies for harvesting data include:

• Applying a team approach that includes the legal, litigation support, and IT staff, as well as computer forensic and electronic discovery experts in planning the collection approach.

• Employing specialized software and other technology tools and protocols for electronic data

collection in a legal environment that preserve the original files (and metadata) and provide needed tracking for chain of custody purposes.

• Identifying in advance who will provide affidavits or testify if chain of custody or authentication

becomes an issue. • Minimizing data intrusion. Data collection rarely involves office-to-office searches or connection to

many individual computers. Much of the work can be done from a central location, such as a server room with access to the individual computers over a network.

• Leveraging on-site collection time and expense by collecting whole accounts, drives, and folders.

Individual files can be selected or de-selected from further processing once harvesting is complete. On-site culling on a single document file basis is typically too time consuming, intrusive, and ultimately more expensive.

Special attention also needs to be given to email and backup tapes during data collection. Email As exact or near duplicate emails have a propensity to be found in multiple locations from multiple sources, data collection methodologies may be needed to identify and minimize duplication either as part of the harvesting process or as a separate processing phase prior to review and production. The risk associated with eliminating non-duplicates using an inadequate de-duping approach can be high, and eliminated non-duplicates can go entirely unnoticed. In addition, a custodian’s individual email account is likely to contain only a small percentage of communications relevant to a specific matter. Irrelevant file reduction procedures, such as date and keyword filtering may also be needed. Emails typically reside in compressed, proprietary databases, and must be processed to isolate individual accounts and message attachment units. In addition, emails contain valuable hidden metadata that is typically not found via simple searching. The information normally seen in an email – author, recipient(s), subject line, date, message, and attachment – represent only a small portion of the dozens of available email database fields. For example, the email “header” or “message source” contains information about the timing and routing of individual emails that may be critical to a case. Other available email elements may include contact information, journals, activity logs,



contacts, message forwarding or reply history, blind copy information not otherwise viewable, address aliases based on familiar names, nicknames, email domains, and mailing addresses. As part of the data collection process, it is important for the assembled planning team to discuss what email information needs to be preserved, how it should be searched, and what, if any, should be produced. It is likely that metadata fields will be discussed during a meet and confer. Backup Tapes Electronic information may also be archived for long-term storage when it no longer needs to be immediately accessible or copies of active data may be made on a periodic basis, such as daily, weekly, or monthly for disaster recovery needs. Both types of information can be often found on backup tapes. Backup tapes use data compression for storage purposes, most often in non-standard format that cannot be directly read without specialized processing. Inventories of most backup tapes are sketchy at best. Information on backup tapes is increasingly being requested as the tapes usually contain a large volume of data. Although there can be valuable data on the tapes, the time and costs associated with their restoration can be extremely high. Backup tapes are also subject to high duplication if they are being stored for recovery reasons. Some backup tapes can be forensically inventoried for limited file identification information without restoring. Only desired segments, usually on a custodian basis, need be restored. Computer forensic experts should be consulted regarding backup processing, including what to preserve, what to review, and how to present a production plan to the court if warranted. Such experts can also provide the necessary documentation for backup tapes not being “reasonably accessible” as per the new rules. Dates contained in an allegation of a complaint or a discovery request often become a key issue with finding relevant information from among hundreds or thousands of backup tapes. Strategic approaches to handling such backup tapes may include:

• Appointing a team of legal, litigation, IT, and forensic specialists to work through the backup tape triage.

• Developing a list of key custodians, departments, or business functions whose backup tape electronic

information would most likely require production. Identifying the dates of service and the office locations of each of the custodians. Working with technology staff to identify what servers the custodians had access to over what period of time. It may be possible to determine what people sat in what offices and what servers they were connected to. This information is useful in determining what backup tapes selected information may appear and has the potential to narrow the universe of what backup tapes need be considered.

• Using server mapping information to isolate the backup tapes for those servers for specific time

periods. It may be necessary to catalog a sample of the tapes to ascertain what custodians appear in the library of tapes. With forensic assistance, cataloging can allow the team to look at the table of contents of a tape without fully restoring the tape.



• Creating a master log of tapes using all available information and, if feasible, reviewing the list for relevancy based on what is known. Restoring a sample of the tapes if required to assist in the effort.

• Using known information and samples to statistically extrapolate what tapes will yield an acceptably

high percentage of responsive data. Those that have a low threshold of expected relevant information may not require further attention. It is also important to conduct an analysis of the cost and time to restore the tapes. Such an analysis may provide the necessary information to argue they should not be processed or produced. This information may prove valuable during the meet and confer.

Electronic data collection regardless of the type, size, format, or volume of the collection must be acquired through forensically sound procedures that can ensure comprehensive data collection that maintains the original file integrity. Knowing when to call in outside computer forensic experts is an early strategic decision that needs to be made to ensure effective electronic discovery. Computer Forensic Experts “Computer forensics involves the preservation, identification, extraction, documentation and interpretation of computer data. It is often more of an art than a science, but as in any discipline, computer forensic specialists follow clear, well-defined methodologies and procedures, and flexibility is expected and encouraged when encountering the unusual.” Warren G. Kruse II and Jay G. Heiser, Computer Forensics: Incident Response Essentials, 2002 Computer forensics is an investigative discipline, unlike information technology, which is mainly a technical discipline requiring a skill-set orientated toward installation, operation, and maintenance of systems with the goal of keeping systems operational and end users productive. It includes not only the acquisition of the information, but the consultative expertise required to minimize the often exorbitant costs and time involved with the data collection phase of the discovery process. Computer forensics is an expertise that focuses on the identification, preservation, recovery, collection, analysis, and authentication of data, including electronic data that is thought to have been deleted or lost or may be hidden in digital storage. Computer forensics can often uncover data that a computer user or even a software application thinks has been “lost” or “deleted,” merely because the data ceases to be apparent in its predictable place or familiar format. These experts are particularly valuable in recovering files that have intentionally been covered up or concealed. Digital forensic experts are increasingly being asked to assist in litigation preparedness plans. With respect to data collection, they should be brought in as early as possible in the electronic discovery process. Areas of primary involvement include assisting with pre-collection and collection and giving expert testimony. They should also be well-versed in preparing affidavits. Few IT or related professionals have the background required to accurately and legally represent what transpired during the collection process.



Data is NOT Gone!

• Deleted files • Deleted email • Formatted hard drives • Deleted partition

It is a best practice strategy to bring in computer forensic specialists should there be a need to perform the following types of tasks in a legally defensible manner:

• Identifying electronic evidence that is present and apparent or has been deleted, lost, or hidden

and may be recoverable, including key custodian interviews which may reveal file sources of business information outside the office computer or network.

• Designing a plan and project associated with implementing costs for the preservation and

collection process.

• Determining the time and costs associated with recovering and authenticating files or fragments, including electronic information housed on backup tapes. Preservation and recovery costs should be compared against its potential value.

• Providing the best methodology and forensic tools to preserve and collect the files needed in a

time-efficient, cost-effective manner. This includes techniques to eliminate duplicates and filter out irrelevant information. For example, through use of a forensic disk or tape “bit stream image.” A disk image is a bit-by-bit or “mirror” image copy of the entire contents of a hard drive, not just the files disclosed by the operating system or software application. The image may contain potentially recoverable unknown or deleted files or fragments that may prove to be critical to a matter.

• Preserving and collecting the files in an efficient, non-intrusive manner without jeopardizing data

integrity or chain of custody tracking, including establishing forensic labs in worldwide locations.

• Providing objective, third-party affidavits and expert testimony as to the preservation, collection, recovery, and authenticity of the electronic evidence.

Forensic experts also play a valuable role in meeting many of the challenges posed by the changes in the FRCP, including performing the following:

• Overseeing the gathering and harvesting of discovery materials and producing those materials to the requesting party.

• Justifying a protective order sought by a party who is claiming that the production of discovery

from certain sources of information is unreasonable.



• Showing that electronically stored information was deleted in good faith as a part of the standard practice of the business and not as a means of avoiding the production of relevant discovery.

• Inspecting the electronically stored information of an adverse party through an “entry upon land”

motion. • Authoring and auditing the implementation of file-retention policies to ensure that they are

applied in an even-handed way and not as a means of avoiding the production of discovery. Experienced and qualified forensic specialists are seen as an extension of the legal team and take on collection risks that may not prudently be assumed by a client or counsel. It is also a best practice strategy to secure such expertise, whether in-house or from outside sources, to avoid spoliation and potential sanctions. Spoliation “The Courts continue to impose severe sanctions on lawyers and their clients for failing to properly preserve and disclose electronic evidence. This trend combined with the proliferation of text and instant messaging and new devices such as GPS and RFID tagging will increase the burden on law firms to effectuate ‘best practices’ to ensure the proper discovery, production and admissibility of electronic information. These ‘best practices’ will include aligning with qualified e-discovery specialists for assistance in the collection and processing of data for subsequent review.” Michael Arkfeld, Esq., Electronic Discovery and Evidence, 2006 Electronic information is everywhere - on servers, laptops, desktops, PDAs, Blackberries, cell phones, fax machines, grocery store check-out systems, inventory tracking tags on clothes – almost anywhere you look there is some form of electronic information being created and stored. Even in today’s mobile society, most everyone can get access to some form of digital information from virtually anywhere. People can now access email from home, work, or even on vacation via a virtual private network (VPN), PDA, or Blackberry, or simply via a web browser from anywhere using software like Outlook Web. With multiple sources and global access comes the problem in electronic discovery of how to find electronic data that may be of litigious value, how to access it, and how to preserve its value. Most important, what best practice strategies can be followed to avoid spoliation and potential sanctions in preserving what can often be changed from anywhere and at anytime.



Morgan Stanley Sanctions: Data Mismanagement

• The jury in Perelman’s fraud case against Morgan

Stanley awarded him $1.45B (compensatory and punitive damages).

• During discovery Morgan Stanley failed to search

backup tapes and produce emails in accordance with a court order.

• As a result, the judge instructed the jury to assume

that most of the facts that Perelman alleged were true. • The jury was also instructed to consider the discovery

abuses when calculating punitive damage awards. • Perelman had originally proposed a $20M settlement

offer to Morgan Stanley, which was rejected.

“Lawyers and courts use the term spoliation to refer to destruction of evidence relevant to a legal proceeding. The spoliation inference is a negative evidentiary inference that a finder of fact can draw from a party's destruction of a document or thing that is relevant to an ongoing or reasonably foreseeable civil or criminal proceeding….it may be reasonable to infer that the party had consciousness of guilt or other motivation to avoid the evidence. Therefore, the fact finder may conclude that the evidence would have been unfavorable to the spoliator.”2

Zubulake v. UBS Warburg, 220 F.R.D. 212 (S.D.N.Y. 2003) is generally considered the first definitive case in the U.S. on a wide range of electronic discovery issues, including spoliation. During 2003 and 2004, United States District Court Judge Shira A. Scheindlin issued five groundbreaking opinions in Zubulake. In this ongoing discovery dispute related to an employment discrimination case, the employee moved for sanctions against the employer for failing to produce backup tapes containing relevant emails and for failing to produce other relevant documents in a timely manner. The employee contended that the employer, who recovered some of the deleted relevant emails, prejudiced her case by producing recovered emails long after the initial document requests. Furthermore, some of the emails were never produced, including an email that pertained to a relevant conversation about the employee. As such, the employee requested sanctions in the form of an adverse inference jury instruction. Determining that the employer had willfully deleted relevant emails despite contrary court orders, the court granted the motion for sanctions and also ordered the employer to pay costs. The court further noted that defense counsel was partly to blame for the document destruction because it had failed in its duty to locate relevant information, to preserve that information, and to produce the information in a timely manner. In addressing the role of counsel in litigation generally, the court stated that “[c]ounsel must take

2 www.wikipedia.org Best Practices for Electronic Discovery Management Page 21


affirmative steps to monitor compliance so that all sources of discoverable information are identified and searched.” Specifically, the court concluded that attorneys are obligated to ensure all relevant documents are discovered, retained, and produced. Additionally, the court declared that litigators must guarantee that identified relevant documents are preserved by placing a litigation hold on the documents, communicating the need to preserve them, and arranging for the safeguarding of relevant archival media.

Spoliation

Destruction of records which may be relevant to an ongoing or anticipated litigation, investigation, or audit.

If it is discovered that there may have been potentially relevant data destroyed, the question of whether the evidence destruction was consistent with a standard policy of document retention is key. If the evidence is destroyed, but the destruction was not consistent with a standard policy of document retention, the question of culpability exists. Data is constantly being destroyed, either intentionally or by accident; by a person or computer process. Metadata, such as date and time stamps associated with a file, are changed or updated by simply opening or printing a file. Files are created, accessed, and changed even before a password is typed. Files that are changed can contain vital information to a case. Computer forensic experts trained in the collection of digital data will protect the original and make what is referred to as a forensic image of the hard drive. It is not a clone of the hard drive, but a bit-for-bit copy so that the image can be shown to be the same as the original without tampering. Three areas of that need to be considered from a spoliation perspective include the “litigation server,” deleted files, and backup tapes. The “Litigation Server” A common practice found in business is the use of a server to copy potentially relevant information to a “litigation server.” Custodians are asked to copy their potentially relevant files to that litigation server. If not done properly, simply copying a file changes the dates. In one recent case, a problem occurred when all the custodians copied all of their files and every one of the files wound up with the exact same date, the date the files were copied. Creating a forensic image preserves all of the original date and time stamps. Deleted Files Are Not Really Gone Deleted does not mean it is gone. Most “deleted” files can be retrieved. Deleted email, even after emptying out the deleted items, can still be found. Formatting a hard drive to remove all data does not mean it cannot be restored. The original must be preserved or data may be lost. Best Practices for Electronic Discovery Management Page 22


Backup Tape Probably Still Exist “Our policy is backups are retained for 30 days, so it’s gone.” It may be the policy, but the practice may not be followed religiously. It is not that uncommon to find a tape tucked away “just in case.” Investigative forensic interviews and other techniques can often uncover such hidden information. It is also a best practice strategy to always physically inspect offsite storage facilities, which might house boxes of tapes and data that no one thought still existed. As backup tapes are expensive to fully restore, it is a better practice to first have a forensic expert create a simple, inexpensive catalog of the tapes’ contents. The catalog can assist in determining what actually needs to be restored. Best practice strategies to avoid spoliation and possible sanctions include:

• Bringing a computer forensic specialist into the process as early as possible. • Making sure that everyone is aware of what and how files must be kept. • Making sure established record retention and hold policies are actually being followed and

monitored, with particular focus on communication. • Making forensic images of the key custodians’ entire hard drives. • Taking backup tapes out of the normal destruction cycle when a hold policy notice is issued. • Maintaining all files in secure locations. • Assigning a trusted and knowledgeable IT professional to the litigation team. • Collaborating in a team approach with legal, litigation support, records management, risk

managers, e-discovery, and forensic specialists. Although some spoliation may be unavoidable due to circumstances, well-executed strategies to avoid spoliation and sanctions can also help minimize tactical and financial sanctions that may be imposed. Sanction costs are one of four major cost categories in electronic discovery. Costs of Electronic Discovery Most businesses and legal staff only look at the hard costs associated with electronic discovery. That is, the costs associated with locating, preserving, collecting, reviewing, and producing electronic evidence. Costs can be generally divided into four categories: hard costs, soft costs, lost opportunity costs, and sanction costs. Soft costs are the most pernicious and often ignored. Lost opportunity and sanction costs are all but invisible in consideration, but can tally more than the hard and soft costs combined. Although the cost components of each of these categories may overlap, general parameters for each of these categories can be defined.



Costs of Electronic Discovery

• Hard costs • Soft costs • Lost opportunity costs • Sanction costs

Hard Costs The bulk of hard costs relate to the processing of electronic data; backup tape management, restoration, and review; and document review and production. Hard costs typically include negotiating the scope of the electronic discovery; discovery management planning and budgeting with internal litigation, IT personnel, and outside consultants; forensic investigation, preservation, and data collection; processing different types of electronic files to standardized formats for accessibility, including capturing meta- or system-generated related data; data culling, including de-duplication, filtering, and searching to reduce the initial data collection to potentially relevant materials; making the relevant data accessible in some form of repository (often web-based) for further analysis; and document review and production. It is estimated that in 2006 between $2-3 billion dollars will be spent in the U.S. alone in getting electronic data processed into a useful form. Soft Costs It is estimated that U.S. corporations spend close to $5 billion dollars a year to organize and analyze electronic data in preparation for production related to a litigation matter or regulatory investigation. This figure represents only those firms that have tracked costs and time associated with electronic discovery-related tasks. Soft costs are typically incurred internally prior to sending data to outside counsel. They are considered “soft” as most employees are not asked to separately account for tasks specifically related to an electronic discovery effort. Soft cost categories often include: costs associated with implementing a litigation hold policy, including “fire drills” to make certain employees understand and comply with current policies; time spent by a company’s internal IT personnel identifying, capturing, searching, and filtering potentially responsive data; and suspension of business when key custodians must stop working and identify relevant, key data with regard to a litigation hold. Lost Opportunity Costs Costs incurred with time spent away from doing “business as usual.” Although such costs are unlikely to be quantified, they add to the overall cost of electronic discovery. Sanction Costs Parties have a duty to preserve information that they know is relevant to ongoing or potential litigation and this duty overrides any and all document retention policies in place. Some courts have imputed constructive notice of the relevance of evidence and have found that a litigant knew or should have known that the material would be relevant in litigation. The courts may sanction destruction of evidence that results merely from the absence of an effective document retention policy, a litigation hold policy, and a proven record of training employees on these policies. The failure to take measures to safeguard information can equate to a willful indifference to the duty to preserve and high sanction costs. Sanction costs may also result from how the data was collected and processed, and possibly altered, during the discovery process. Consideration of these four cost categories serves only as a guide as to what contributes to the costs of electronic discovery. It is envisioned that consideration of these direct and indirect costs will soon become a best practice approach to determining legal strategy. Using technology to reduce time and costs associated primarily with hard and sanction costs is a major component of any best practice electronic discovery plan.



Technology Saves Time and Money Technology supports best practices in electronic discovery from preservation and collection to review and production. In order for technology to be effective in reducing the time and costs inherent to electronic discovery, a more detailed understanding of “computerese” is required by the legal staff.

Understanding Computerese or ComputerESI

• Native file • Legacy data • Unallocated/free space • Slack space • Deleted file • Link file • Image file • Internet cache file • csdrvmap.dat • Deduplication

A good educational reference source to acquire this new language is “The Sedona Conference Glossary For E-Discovery and Digital Information Management” available at www.thesedonaconference.org/publications.

Technology Supports Best Practice

• Computer forensics • Full-text searching techniques • Culling (De-dupe and filter) • Concept searching • On-line data reviews • Automated production tracking

capabilities

Of significant importance are those technology tools that reduce the voluminous universe of electronic discovery potential to a single copy of those that are of the highest relevancy to the matter. Tools that allow the files to remain in electronic format for online relevancy and production reviews also play a vital role in the process. Reducing the Collection

Technology can reduce costs by eliminating duplicates and narrowing the collection of electronic files to a subset of potentially high value. As a best practice strategy, consideration should always be given to using technology to identify and possibly eliminate duplicates as well as to tools that can further reduce the collection. Collections can



often be reduced by a simple review of file types, or by further full-text searching using keywords in-text or metadata date ranges. Concept searching, based on natural language and the meaning of words as opposed to their actual appearance, is also becoming more commonplace. Concept searching utilizes technology to perform semantic, pattern, statistical, and Boolean searches. Acceptance of keyword searches as a means to limit production and review is one of the single most important developments in electronic discovery in recent years. It is anticipated that the use of mutually agreed to keywords and concepts to limit production will be a major point of discussion during meet and confer conferences. Courts are also looking at search technology as in the case of Wiginton v. CB Richard Ellis, Inc., 2004 WL 1895122 (N.D.Ill). Aug. 10, 2004. Online Reviews Second to data reduction is the use of technology in providing centralized online review systems. The electronic data is kept in electronic format. Current technologies for review are fast, secure, and cost-effective. Advantages of using the technology include:

• Reducing the cost of supplying paper copies of files already in electronic format. • Providing a controlled, decentralized review forum. • Allowing for 24/7 access to clients, co-counsel, and off-site attorneys. • Allowing simultaneous access to multiple users from almost any location. • Enhancing accuracy by allowing for pre-determined pop-up lists of defined review categories. • Taking advantage of keyword searching and Boolean logic. • Facilitating case management through collaborative process of sharing notes, calendars, and other

information. • Accommodate changes and last-minute decisions more efficiently. • Tracking production history. • Keeping production options open. • Reducing review and decision recording time by an estimated 30% – 50%.

As a best practice strategy legal, litigation support, and IT staff, as well as computer forensic experts need to be aware and up-to-date on what technology tools are available, and whether the tools will help them meet their particular requirements for time and cost savings in electronic discovery management.



Summary Best practice strategies for electronic discovery management are collective in nature. Those suggested are not exhaustive and can be easily added to. One addition might pertain to company-wide education and compliance courses on litigation preparedness, while another might focus on more stringent email policies. Regardless of the components, the best practice strategy for electronic discovery management is to plan ahead. In the planning, it is essential to keep in mind that:

• Electronic information is just as discoverable as paper information.

• Electronic evidence must be preserved as soon as a client reasonably anticipates litigation.

• Deleting electronic information that may be relevant to an emerging legal matter is unlawful.

• Duty to preserve evidence trumps the client’s standard information retention/destruction policies.

• Using appropriate computer forensic software, personnel, and expertise necessary to preserve all relevant electronically stored data in a forensically sound and legally defensible manner is no longer optional.

• All requested electronic information responsive to discovery requests must be identified and located.

• Complete electronic information must be produced; “scrubbing” metadata or “locking” data on

spreadsheets is not allowed.

• An electronic information preservation policy is needed before a legal dispute emerges.

• Established electronic information retention and deletion policies must be in place and followed.

• Train personnel to handle litigation requests for electronic discovery; employees must know what to do when a “litigation hold” is imposed.



Essential Considerations for Successful E-Discovery Management

• Create an Electronic Information Preservation Policy before litigation; discuss new tools

• Preserve and collect in a forensically sound and

legally defensible manner early on

• Identify locations of electronic information responsive to discovery requests

• Make certain employees know how to respond to

the “Litigation Hold Policy”

• Understand that duty to preserve trumps a Document Retention Policy

The process of setting goals, developing strategies, outlining tasks, and developing implementation schedules for electronic discovery management is no longer an option. The new changes in the FRCP have given the legal community imputes to assess current electronic discovery practices and more opportunity to refine and develop new best practice strategies. The points touched on in this paper are intended to highlight areas in which best practice strategies can make a positive difference in the electronic discovery process.


http://www.investorwords.com/2187/goals.html

Financial Advisory Services

Our SolutionThe Forensic Accounting Investigations team of

Deloitte Financial Advisory Services LLP (“Deloitte

FAS”) has helped companies around the world

analyze and understand difficult events and issues

and take steps to deal with them. We offer a

broad range of services to help our clients uncover

wrongdoing and operate in a manner to help

deter, detect, and prevent fraud, including:

• ForensicAccounting, which combines

financial accounting, document and

transaction analysis, and witness and

third-party evidence to help analyze,

reconstruct or explain financial events.

Often, we assist attorneys in developing

their strategies by gathering and interpreting

complex financial data and solving financial

puzzles.

• CorporateInvestigations that focus on

helping to uncover accounting irregularities

and patterns of conduct. Typically, a large

volume of hard copy and electronic evidence

must be identified, organized, analyzed,

managed and supplemented by personal

interviews with employees and others with

specific knowledge of the transactions. We

often assist companies and their counsel in

conducting investigations to address formal or

informal SEC inquiries.

• AssetTracing&Recovery on behalf of banks,

trusts, wealthy individuals, corporate and

public sector entities and other parties whose

assets have been misappropriated or hidden as

a result of fraud, bankruptcies, restructuring or

other methods.

Your IssueAccording to the Association of Certified Fraud

Examiners’ 2006 Report to the Nation on

Occupational Fraud and Abuse (ACFE Report),

U.S. organizations lose 5% of their annual

revenue to fraud. Applied to the estimated 2006

United States Gross Domestic Product, this 5%

figure would translate to approximately $652

billion in fraud losses. Furthermore, one-quarter of

the frauds in the ACFE Report caused losses of at

least $1 million, while nine cases caused losses of

$1 billion or more.*

Could fraud be occurring within your

organization? An in-depth forensic accounting

investigation may provide the detailed analysis

necessary to help uncover essential facts and

insights, as well as the information you need to

protect your business interests.

Searching For Truth Forensic Accounting Investigations

Illustrative Examples of Our Work

• Deloitte FAS was engaged by outside

counsel to assist a publishing company’s

Audit Committee investigate the methods

employed to inflate reported circulation

at a national newspaper and quantify the

circulation overstatement. The investigation

entailed conducting interviews, performing

document analysis and utilizing computer

forensic tools. Because certain documents

were unreliable, we utilized regression

analyses to help forecast circulation. Our

professionals helped quantify the possible

financial statement exposure to the publishing

company and assisted in the quantification

of possible advertising remediation amounts

resulting from the circulation overstatement.

Deloitte FAS then assisted outside counsel in

presenting the investigation findings

to the Audit Committee, regulators

and select advertisers.

• Deloitte FAS was engaged by outside counsel

to assist with an internal investigation of an

automotive component parts manufacturer.

We helped investigate specific allegations

of potential accounting irregularities at

a particular division of the manufacturer.

Our professionals conducted interviews of

accounting and financial reporting personnel,

analyzed critical accounts and documentation

and performed computer forensic procedures

including hard drive imaging, email text

searches and recovery of deleted files. During

the investigation, the Division Controller

admitted to misstating operating results,

prompting the manufacturer to perform

an independent analysis to restate financial

information for relevant periods. Deloitte

FAS completed the investigative procedures

associated with the initial allegations and

subsequently assisted in analyzing and

evaluating the financial information used by

the company to restate its earnings to help

assess whether indicators of erroneous or

inaccurate data remained.

*2006 Report to the Nation on Occupational Fraud

and Abuse, Association of Certified Fraud Examiners

Diving deep into business and financial recordsto help uncover facts and mitigate fraud

The Deloitte FAS Difference• AnomalyDetectionTechnology

Deloitte FAS has developed anomaly detection

software that can be used to proactively

analyze a complete data set to identify

potential fraud indicators.

• IndustryFocused

We leverage the in-depth knowledge of our

industry specialists which is based on years of

experience and hundreds

of engagements.

• GlobalReachandMultidisciplinary

Approach

We are able to draw from the deep intellectual

capital of the 135,000 professionals within the

Deloitte Touche Tohmatsu member firms and

their affiliates worldwide. Access to this broad

base of knowledge enables our professionals

to address a broad range of issues including

people, process and technology. Our services

are scalable and can be tailored to your

industry and specific needs.

Local ContactsTo learn more please contact:

Byron SpruellMidwest Regional Managing Principal Deloitte Financial Advisory Services LLPChicago, Illinois Tel: 312-486-2244 e-mail: [email protected]

Corey MartensPartner Deloitte Financial Advisory Services LLPTel: 312-486-2136 e-mail: [email protected]

Karen SchakSenior Manager – Business Development Deloitte Services LPChicago, Illinois Tel: 312-486-3244 e-mail: [email protected]

www.deloitte.comAbout Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu

nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte”, “Deloitte & Touche”,

“Deloitte Touche Tohmatsu” or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.

Deloitte & Touche USA LLP is the U.S. member firm of Deloitte Touche Tohmatsu. In the United States, services are provided by the subsidiaries of Deloitte & Touche USA LLP (Deloitte & Touche LLP,

Deloitte Consulting LLP, Deloitte Financial Advisory Services LLP, Deloitte Tax LLP, and their subsidiaries), and not by Deloitte & Touche USA LLP.

As used in this document, the term “Deloitte” includes Deloitte & Touche LLP, Deloitte Consulting LLP, Deloitte Tax LLP, Deloitte Financial Advisory Services LLP.

Copyright © 2007 Deloitte Development LLC. All rights reserved.

Member of

Deloitte Touche Tohmatsu


Our SolutionThe key to managing huge volumes of data in a

litigation or litigation hold context is to identify

which data is potentially important, responsive,

and non-responsive. The Analytic & Forensic

Technology (“AFT”) practice of Deloitte Financial

Advisory Services LLP (“Deloitte FAS”) collects,

organizes, catalogs, and provides data for review

by attorneys, accountants, and analysts. We

provide computer forensic, electronic discovery,

and data management/analysis services for clients

involved in complex litigations, probes,

and investigations.

Deloitte FAS operates computer forensic labs

across the United States and through the

resources of the Deloitte Touche Tohmatsu

member firms and affiliates, Deloitte FAS has

access to labs in Canada and in several hubs

around the globe allowing us to manage client

data wherever our client or project team is

working. In these secure labs, AFT professionals

analyze and decipher electronic evidence,

including files and data that may have been

deleted or hidden from conventional detection.

Deloitte FAS has invested heavily in proprietary

technology that allows us to:

• Pinpoint data anomalies that might reveal

potential criminal activity

• Precisely search and retrieve information

from electronic documents and data

• Detect patterns of network usage to

understand who’s sending what to whom and

what they’re saying

Your IssueMost of today’s companies wouldn’t be in

business without the technology that allows them

to instantly create, send, search, retrieve, and

store data. However, this benefit can also be a

burden, particularly when it comes time

to manage that data in the course of litigation

or investigations.

Numerous legal surveys and reviews have

placed “electronic discovery” at the top of

their list of issues in modern litigation. This

process of collecting, reviewing, and producing

electronic or hard copy documents in response

to a subpoena is exceptionally high risk, and

mitigating those risks and managing the process

can be exceptionally high cost. An entire business

dispute or multimillion-dollar litigation may hinge

on identifying when a tiny piece of data was

generated—or altered or deleted—by whom, and

under what circumstances. Companies ultimately

feel the impact of electronic discovery in their

wallets through case outcomes, penalties for

non-compliance, and professional fees to outside

counsel and suppliers.

Apart from formal litigation response, the

sheer volume of data also makes it difficult to

investigate and uncover wrongdoing. While the

truth about illegal acts, bad business practices, or

fraud may reside in the data, revealing it can be a

daunting, costly task.

A Closer Look Analytic & Forensic Technology

Today’s business environment generates vast amounts of data. We help you manage it.


• We were retained by outside counsel on

behalf of a client in order to investigate

whether the client’s web site had been

improperly accessed and whether sensitive

client information had been removed. In

response, we analyzed media images,

including application servers, database

servers, and workstations. We also analyzed

1.5 million web log transactions to determine

evidence of malfeasance, including evaluating

patterns of activity for known and unknown

IP addresses. To verify access alternatives,

we evaluated web site functionality at the

time of the improper access, a process that

required backup tape restoration and imaging.

The results of our work confirmed the nature

and likely extent of the hacking. Shortly after

we relayed our findings, the client settled on

favorable terms with the alleged offender.

• One of the nation’s largest manufacturers

regularly faces a multitude of electronic

discovery requests that reach into all parts

of its organization. Before the company

retained Deloitte FAS, existing processes

were ad hoc, driven by in-house or outside

counsel, with little control or consistency

over the process of collecting and processing

the data. This created redundancy and risk

(“what did we produce for whom?”). We

worked with the client to assist them in

developing a streamlined process to manage

electronic discovery. We helped the client

identify issues within its current process and

assisted in identifying a solution, from data

collection to processing, hosting, reviewing,

and producing. We also provided guidance

in developing an application to help manage

and report on this process.

The Deloitte FAS Difference• ProprietaryToolsandTechnology

Deloitte FAS professionals are armed

with deep technical know-how

as well as proprietary software

and cutting-edge methodologies.

• DedicatedForensicsProfessionals

Deloitte FAS brings a team of diverse

professionals to your table with extensive,

specialized technical, legal, and business

knowledge. We have attorneys, CPAs, Certified

Fraud Examiners, statisticians, Oracle and SQL

database specialists, and computer forensic

specialists. We also employ former senior

law enforcement officials and former agents

from the FBI, Justice Department, and other

government agencies.

• IndustryFocused

Deloitte FAS leverages in-depth knowledge

of specific industry sectors based on years of

experience.

• GlobalReachand

MultidisciplinaryApproach







people, process, and technology. Our services



We help clients handle a broad range

of data-related issues, including:

• DataAnalysisas part of a forensic

investigation. This most frequently involves

analyzing transactional data from any

number of sources, such as bank records, fax

transmissions, contracts, insurance claims,

inventory, sales records, stock trades, and

many more.

• AnomalyDetection to identify and detect

anomalies within data that could indicate

potential wrongdoing.

• ComputerForensics that analyze IT systems

for evidence of potential malfeasance, such

as information deletion, policy violations, or

unauthorized access.

• ElectronicDiscovery to help clients faced

with significant data-gathering requirements

due to probes, investigations, or class

action litigations.

• RecordsManagementto help clients develop

strategies that seek to reduce the risk and

cost associated with maintaining excess or

unnecessary data, particularly electronic data.

• ClaimsAdministrationServices to help

companies relieve the administrative burden of

the claims process.

• The United Nations’ Independent Inquiry

Committee, which was convened to

investigate the UN Oil for Food Program

(“OFFP”), hired Deloitte FAS to assist in the

investigation. As part of our role, we:

- Brought together disparate data from

several different countries, banking

institutions, companies, government

agencies, and the United Nations

themselves. We then analyzed the data

to identify any patterns and trends in the

humanitarian goods and oil prices that

might indicate evidence of kickback and

surcharge schemes.

- Performed data analysis on the UN General

Ledger to help identify accounting issues

with the OFFP.

- Created user interfaces to help the

investigators review, search, and analyze the

various data sources.

- Summarized and reported on companies,

countries, and individuals involved

in the OFFP.

- Used visual anomaly detection tools

to create several different diagrams

that showed the investigators, and the

Committee, relationships between key

companies and individuals that may not

have otherwise been reviewed or identified.


Jack WalkerSenior Manager Deloitte Financial Advisory Services LLPChicago, Illinois Tel: 312-486-3149 e-mail: [email protected]


Karen SchakSenior Manager – Business Development Deloitte Services LPChicago, Illinois Tel: 312-486-3244 e-mail: [email protected]

. . . Our Solution Continued









Member of



• Technologyspecialists

• Forensicinvestigators

Ourservicesincludethefollowing:

• ComplianceProgramsandControlSystems

designedtoassistinthemanagementof

regulatoryrisk,suchas:

–Accountopeningandclosing

–Customerriskrating,duediligence,and

accountmonitoring

– Internalcontrolsandsystems

–Assessmentsandindependenttestingof

existingAMLcomplianceprograms

–Assistanceinrespondingtoregulatory

enforcementactions

• “Know Your Customer” and Enhanced

Due Diligenceviaonlinedatabaseresearch,

on-sitepublicrecordssearches,field

interviewingandfactgathering,including

directcontactwithgovernment,industry,

andothersources.Theseservicesassistour

clientsintheireffortsto(1)identifybeneficial

ownersofaccountrelationships,(2)pierce

theveilsofsecrecythatmoneylaunderers

usetoavoiddetection,and(3)achieveahigh

levelofawarenessandunderstandingoftheir

customerbase.

• TransactionalAnalysisinareassuchas

retail,privatewealthmanagement,and

correspondentareas,bothproactivelyand

pursuanttoregulatoryorders.Ourwork

includesidentifyingrelevanttransactions

toaddresssuspiciousactivityandcurrency

Your IssueTheanti-moneylaundering(AML)regulatory

andlawenforcementlandscapeisundergoing

significantchange.Recenthigh-profilemoney

launderingcasesandtherecentupdatetothe

BSAManual,amongotherthings,haveproduced

morestringentriskassessment,“knowyour

customer”(KYC)andtransactionmonitoring

standards.Positioningyourinstitutiontorespond

tothesenewstandardsisacriticalcomponent

ofeffectiveriskmanagementtoassistyour

organizationinprotectingitsreputation,revenue,

andcapital.Inordertoidentify,monitor,report,

andpreventmoneylaunderingactivities,

organizationsmustnowadoptanewrisk-based

approach.Theapproachshouldencompassan

enhanced,enterprise-wideprogramofcontrols,

processes,andsystems.

Our SolutionDeloitteFinancialAdvisoryServicesLLP(“Deloitte

FAS”)hasassembledateamofdedicatedAML

practitionerstoassistyouinyoureffortsto

enhanceyourAMLprogram.Theseprofessionals

haveextensiveknowledgeoffinancialservices

andAML-relatedknow-how,aswellas

experienceinperformingriskassessmentsand

complianceoverviews;providingforensic,fraud

andinvestigativeservices;andassistingclientsin

implementing/selectinginformationtechnology

solutions.OurteamofAMLspecialistsis

comprisedof:

• Formerfederalprosecutorsandlaw

enforcementagents

• Formerfederalandstatebankregulators

• Seasonedfinancialservicesexecutives

Who Are You Really Doing Business With? Anti-MoneyLaunderingServicesActive detection and compliance programs can help businesses in their efforts to prevent crime and address regulatory requirements


• DeloitteFASconductedacomprehensive

analysisofafinancialholdingcompany’s

AMLprograminlightoftheUSAPATRIOTAct

(“PatriotAct”)andotherrecentregulatory

requirements,includingthoseproposed

bytheSecuritiesandExchangeCommission

(SEC)andtheNationalAssociationof

SecuritiesDealers(NASD)regarding

broker-dealeroperations.Thisanalysis

includedanassessmentofthemoney

launderingriskforeachoftheenterprise’s

businesslines.Theassessmentidentified

operationalgapsforeachbusinessline,

includingforeachitemitsriskpriority,the

basisforthatriskdecision,andrecommended

correctiveaction.

• DeloitteFASandDeloitteConsultingLLP

weresubcontractorsengagedbyadivisionof

theU.S.governmenttobuild,pilottest,and

deploythePatriotActCommunicationSystem

(PACS).PACSisdesignedtoprovideU.S.

financialinstitutionswithasecure,Internet-

basedsystemforfilingCurrencyTransaction

Reports(CTRs)andSuspiciousActivityReports

(SARs),indiscreteandbatchmode.CTRs

andSARsaretwooftheprimaryformsused

bytheU.S.governmenttotrackmoney

launderingandotherfinancialcrimes.

• DeloitteFASassistedwiththeimplementation

ofaprogramtoadoptrisk-basedsupervision

processesandproceduresforaninternational

bankingsystem.Aspartofthisprogram

DeloitteFAScarriedoutregulatorycompliance

assessmentsof13majorbanksandmajor

foreignbankbranchesunderanoutsourcing

program.Thebanksincludealargeprivate

commercialbank,alargerecapitalized

commercialbankcurrentlyrun

bymanagementcontracttoamajor

internationalbank,andalargestate-owned

bankwithawidenetworkofvillage-based

branchesengagedinmicro-financeandsmall

businesslending.

• Technology Solutionsthatexamine

theinformationtechnologyenvironment

andoperatingstructure,andrecommend

technicalandcasemanagementsolutions.

Ourimplementationservicesarecustomfitto

thesesolutionstoprovidetailoredtransaction

monitoringprotocolsandsuspiciousactivity

detectionsystems.Ourtechnologysolutions

havebeenusedfortransactional“lookbacks”

aswellas“businessasusual”transaction

monitoringsystems.

The Deloitte FAS Difference• Global Reach and Multidisciplinary Approach

Weareabletodrawfromthedeepintellectual

capitalofthe135,000professionalswithinthe

DeloitteToucheTohmatsumembersfirmsand

theiraffiliatesworldwide.Accesstothisbroad

baseofknowledgeenablesourprofessionals

toaddressabroadrangeofissuesincluding

people,process,andtechnology.Ourservices

arescalableandcanbetailoredtoyour

industryandspecificneeds.


DeloitteFASoffersadiverseteamof

committedprofessionalswithextensive,

specializedAMLknowledge,includingformer

federalprosecutors,formerSECenforcement

attorneysandaccountants,CPAs,certified

fraudexaminers,statisticians,database

administrators,andcomputerforensic

specialists.Ourteamalsoincludesformer

seniorlawenforcementofficialsandagents

fromtheFBIandotherfederal,stateandlocal

governmentagencies.

• Proprietary Tools and Technology

DeloitteFASprofessionalsarearmedwith

deeptechnicalknow-how,proprietary

software,andcuttingedgemethodologies.

reportingrequirementsandassistingcounselin

developingtheoriesofdefenseinthecontext

ofcriminalandcivilinvestigations.Lessons

learnedfromthetransactionalanalysesare

usedtohelpmodifyandimprove“businessas

usual”transactionmonitoringprotocolsand

managementreporting.

• RiskandControlServicesthatassess

theinternalcontrolenvironmentandrisk

managementprocessestoidentifythoseareas

and/oractivitiesthataremostvulnerable

tomoneylaundering.Wealsoassessand

documentcorebusinessunitoperationsand

makerecommendationsforenhancements.We

canassistyouinestablishingreportinglines

andescalationprocedurestohelpkeepsenior

managementandboardsofdirectorsinformed

ofregulatoryrisks.

• ComplianceTrainingrelatedtoglobalAML

requirementssuchasthePatriotAct,aswellas

internationalorganizationalprotocolssuchas

FinancialActionTaskForce(FATF).Wedevelop,

customize,anddelivercomprehensivetraining

programstoaddressthequantityofrisk

inherentinanorganization’sproducts,delivery

channels,operations,andcustomerbase.

• IndependentTestingtotesttheeffectiveness

ofthetotalAMLregimewithinaninstitution,

includinginternalcontrols,policiesand

procedures,andITmonitoringsystems.The

resultsofthetestingwillhelpdocumentany

gapsbetweenexistingpracticesandregulatory

requirements/soundindustrypractices.

Remedialprogramswillbedesignedtohelp

correctanyobserveddeficiencies.

• InternalInvestigationstohelpanswerthe

who, what, when, where, why, and how

questionsthatgiverisetoaninquiry,whether

self-initiatedorresultingfromaregulatory,

judicial,orlawenforcementrequest.

Contacts:

Michael ZeldinPrincipal Deloitte Financial Advisory Services LLPWashington, D.C. Tel: 202-378-5025 e-mail: [email protected]

Alison ClewPrincipal Deloitte Financial Advisory Services LLPBoston, Massachusetts Tel: 617-437-3059 e-mail: [email protected]



www.deloitte.comAboutDeloitte

DeloittereferstooneormoreofDeloitteToucheTohmatsu,aSwissVerein,itsmemberfirmsandtheirrespectivesubsidiariesandaffiliates.AsaSwissVerein(association),neitherDeloitteToucheTohmatsu

noranyofitsmemberfirmshasanyliabilityforeachother’sactsoromissions.Eachofthememberfirmsisaseparateandindependentlegalentityoperatingunderthenames“Deloitte”,“Deloitte&Touche”,

“DeloitteToucheTohmatsu”orotherrelatednames.ServicesareprovidedbythememberfirmsortheirsubsidiariesoraffiliatesandnotbytheDeloitteToucheTohmatsuVerein.

Deloitte&ToucheUSALLPistheU.S.memberfirmofDeloitteToucheTohmatsu.IntheUnitedStates,servicesareprovidedbythesubsidiariesofDeloitte&ToucheUSALLP(Deloitte&ToucheLLP,

DeloitteConsultingLLP,DeloitteFinancialAdvisoryServicesLLP,DeloitteTaxLLP,andtheirsubsidiaries),andnotbyDeloitte&ToucheUSALLP.

Asusedinthisdocument,theterm“Deloitte”includesDeloitte&ToucheLLP,DeloitteConsultingLLP,DeloitteTaxLLP,DeloitteFinancialAdvisoryServicesLLP.

Copyright©2007DeloitteDevelopmentLLC.Allrightsreserved.

Memberof



a control environment that promotes ethical

behavior; designing and implementing antifraud

control activities throughout the organization;

sharing information with employees and

communicating the company’s philosophy and

policies about fraud; and monitoring the quality

and effectiveness of antifraud programs and

controls over time.

Our SolutionAlthough many organizations’ antifraud

programs possess some components of the

COSO recommendations, some organizations

lack a framework for assessment, evaluation

and adequate documentation. That’s where we

can help. Deloitte Financial Advisory Services LLP

(“Deloitte FAS”) has the experience and tools

to assist management in the design,

implementation, and assessment of antifraud

programs and controls.

Specifically, we can work with you to:

• AssessFraudRisk

By conducting a fraud risk assessment, we

can help management understand where your

business is potentially vulnerable to fraud and

make resource allocation decisions to help

address those vulnerabilities.

• DeveloporImproveExistingPractices

We can assist management in examining the

observations and recommendations resulting

from the fraud risk assessment to help

design a remediation plan that addresses the

organization’s needs and objectives. We can

also help in the design and implementation of

remediation activities.

Your IssueIn the wake of high-profile financial reporting

scandals, the SEC and other regulatory bodies

introduced comprehensive legislation and

rules concerning corporate governance and

internal controls. Stated explicitly within these

new regulations and guidance is the need for

controls related to the prevention, detection and

deterrence of fraud. Any entity that is audited,

whether public, private, or non-profit, is subject to

certain antifraud requirements.

Under today’s more stringent laws, directors

and managers face enhanced responsibility in

connection with fraud, error, corruption,

non-compliance, and unethical behavior. If

antifraud programs and controls designed to

prevent, detect, and deter fraud are not in

place or operating effectively, directors and

management may be held personally liable

when fraud occurs and face civil and criminal

prosecution.

Fraud can have a devastating impact on

organizations in other ways as well.

In addition to potential revenue leakage,

corporate fraud can have a negative impact on

a company’s reputation, employee morale, and

investor confidence.

Antifraud programs encompass a wide range

of activities and policies. The Committee of

Sponsoring Organizations (COSO) of the Treadway

Commission’s Internal Control—Integrated

Framework recommends that management

consider meeting its antifraud responsibilities

by: performing fraud risk assessments; creating

The Threat of Fraud . . . Are Your Defenses in Place?Antifraud Programs and Controls

The impact of fraud upon an organization can be devastating.


• For a global manufacturer of precision

engineered flow control equipment, we

provided antifraud consulting services

that included a fraud risk assessment,

documentation of fraud risks and controls

and history of fraud at significant locations

in over 20 countries, an entity-wide

assessment of antifraud programs, and an

analysis of fraud risk factors. Additionally,

we assisted the client with remediation

efforts at an entity-wide and process

level, which included enhancing the Code

of Business Conduct, developing and

launching a global ethics communication

campaign, implementing a new third-party

whistleblower provider, and other significant

remediation activities.

• For a leading global supplier of pumps,

valves, seals, automation, and services to

the power, oil, gas, chemical, and other

industries, we provided antifraud program

consulting services, including program

benchmarking, design, implementation,

remediation, and documentation. Our work

included performing a management fraud

risk assessment for each operating division

and subsidiary within the company.

• We provided antifraud program consulting

services, including program benchmarking

and documentation, to the U.S. sales and

marketing arm of a multibillion dollar

manufacturer. The company plans to

incorporate the results of its management

fraud risk assessment into its annual internal

audit plan.

• TrainEmployees

An employee awareness program is an

essential element of an antifraud program. Our

highly experienced fraud training facilitators

can assist you by designing and delivering

fraud awareness training tailored to your

organization that educates employees about

their critical role in fraud prevention, detection,

and deterrence and gives them the skills to

help meet their fraud control responsibilities

and conduct business ethically.

• ConductInternalInvestigations

Investigation of alleged and suspected fraud

is a critical component of any organization’s

antifraud program. From planning the

investigation to conducting witness interviews

to analyzing electronic evidence, you can

leverage our vast experience in conducting

internal fraud investigations.

• PerformFraudMonitoringandDetection

We can assist management in its fraud

monitoring efforts through data mining.

Applied to databases such as accounts payable,

expense reporting, and vendor maintenance,

our algorithms and scoring methodology

produce a risk-ranked set of anomalous

transactions to be investigated for

potential fraud.


Bill PollardPartner Deloitte Financial Advisory Services LLPChicago, IllinoisTel: 312-486-3524 e-mail: [email protected]

Scott ShafferPartner Deloitte Financial Advisory Services LLPChicago, IllinoisTel: 312-486-4755e-mail: [email protected]

Karen Schak Senior Manager – Business Development Deloitte Services LPChicago, IllinoisTel: 312-486-3244e-mail: [email protected]

The Deloitte FAS Difference• ExperiencedTeamwithStrongSkills

Deloitte FAS brings a team of diverse

professionals to your table with extensive,

specialized knowledge, including attorneys,

CPAs, Certified Fraud Examiners, statisticians,

database administrators, and computer

forensic specialists. We also employ former

senior law enforcement officials and agents

from the FBI, Justice Department, and other

government agencies. We bring an in-depth

knowledge of industry practices and the latest

regulatory requirements to each engagement.

• ProprietaryTechnologyandAlliances

Deloitte FAS professionals are armed with deep

technical know-how as well as proprietary

software and cutting-edge methodologies.

These analytical tools are based on marketplace

experience, regulations, and professional

standards. They incorporate industry-specific

risks and controls and can be tailored for your

needs. We also maintain alliances with key

technology providers to help you manage

antifraud programs and controls more

easily and achieve consistency across your

organization.

• GlobalReachand




















Member of




FAS”) has developed a proprietary, customizable,

technology-based anomaly detection

methodology. DTectSM helps organizations analyze

their vendor, employee, and financial transactional

data to proactively identify indicators of fraud,

waste, and abuse.

DTect can help organizations with the following:

• Takingstepstouncoveractiveorpast

fraud an organization didn’t know existed

• Analyzingmassiveamountsof

transactionaldata, such as vendor payments,

employee payroll and expense reimbursements,

purchase card transactions, and the like, which

can indicate fraud, waste, or abuse

• Analyzingvendorsandtheiraddresses

by comparing internal data against

third-party information

• AnalyzingemployeeSocialSecurity

numbers for anomalies that could indicate

problems ranging from data inaccuracies

to fraud

• Identifyingundisclosedrelationships

between employees and vendors that may be

potentially illegal or unethical

• Testingforavarietyofschemesandfraud,

such as kickback schemes, fraudulent expense

schemes, ghost employees, fictitious vendors,

and others

Your IssueAlmost every organization is susceptible to fraud,

waste, and abuse. According to the Association

of Certified Fraud Examiners, organizations lose

5 percent of their annual revenues to operational

fraud and abuse every year. That amounts to

about $652 billion.*

Until recently, finding where and how these

problems occur has often been subject to

chance—companies stumble upon them or

are alerted by employees. Internal auditors are

challenged by the sheer volume of electronic

data generated by business operations, whose

magnitude makes detailed data analysis very

difficult for most internal audit departments. This

is no longer acceptable under today’s stricter

regulations and guidelines concerning corporate

governance and internal controls. SAS 99,

Sarbanes-Oxley Section 404, PCAOB Standard

No. 2, and the Federal Sentencing Guidelines

contain requirements related to identifying risks

and implementing controls designed to identify

fraud and reduce the prospect of criminal

conduct. Compliance with these standards is not

an option; it’s the law.

Our SolutionIn response to the dramatic increase in reported

economic crimes over the last several years and

to help clients address their compliance needs,

the Forensic and Dispute Services practice of

Which of These Things is Not Like The Others?DTectSM


• For a Fortune 200 client, we amassed

30 GB of data representing 50 million records,

including: 22 million payroll records; 600,000

vendor accounts; six million invoices; and four

million payments accounting for $25 billion in

disbursements. We uncovered:

- More than 2,000 payments issued before

the date on the invoice

- More than 4,000 duplicate payments, each

in excess of $100,000

- More than 2,500 employees receiving

regular payroll disbursements after their

dates of termination

- Employees paid overtime in excess of 50

percent of their regular salaries

- Payments for personal vacation and

day care service expenses submitted by

employees in violation of company policy

• For a Fortune 100 client, we examined:

eight million invoices; four million payments;

150,000 vendors; 120,000 employees; and

$30 billion in disbursements. We found:

- $17 million in overpayments to vendors

- A payroll scheme involving 21 ghost

employees with losses in excess

of $1 million

- Numerous instances of serious

ethics/conflict of interest violations involving

employees with undisclosed financial

interests and other relationships with

company suppliers

- An ongoing ghost vendor scheme involving

$3.3 million in false invoices and $3.1

million in payments on those invoices

*2006 Report to the Nation on Occupational Fraud

and Abuse, Association of Certified Fraud Examiners

Proactive Detection of Anomalies and Potential Fraud Indicators

• PeriodicTestingtoRe-EvaluateResults

The results of an in-depth or smaller-scale DTect

analysis often prompt companies to implement

corrective actions. To evaluate the effectiveness

of process improvements, DTect testing and

analysis may be applied to a wide range of sizes

of data sets periodically to identify whether

problems have been corrected and results are

on track.

• Built-InRiskRanking

DTect incorporates our proprietary risk-scoring

methodology to help identify potential high-

risk vendors, employees, and transactions. This

helps our clients understand where to focus

further investigation and mitigation efforts.

• BeyondDataTesting

More than just data testing, we also include

a fraud and forensic analysis by forensic

accountants and professionals experienced in A/

P, vendor, employee, and other types of fraud.

We can also help our clients relate test failures

to control weaknesses to better understand

where fraud prevention and mitigation efforts

are breaking down.

The Deloitte FAS Difference• ExperiencedTeam,GlobalService

The Deloitte FAS DTect team has an extensive

track record in the specialized and emerging

market of electronic data anomaly detection.

Our experience has helped us understand

various subtleties and nuances of detailed data

testing—knowledge we apply to every new

engagement. We work with our colleagues

within the Deloitte Touche Tohmatsu member

firms and their affiliates around the world to

address client needs, with particular focus

on the United States, Europe, South Africa,

Australia, and Canada.

• In-DepthAnalysis,Customizedto

ClientNeeds

Rather than conducting a limited analysis

based on sample data, DTect allows for broader

and deeper testing, analysis, and forensic

investigation of an organization’s transactions

over a defined period, typically 24 months.

This approach is more wide-ranging and

helps promote a more systematic detection of

irregularities. We can customize test algorithms

targeted to our client’s needs. We can also

integrate data from external sources, enabling

analysis of vendor addresses and employee

Social Security numbers.

• FasterAnalysisforClientswith

SmallerNeeds

In addition to the in-depth analysis described

above, DTect is scalable to client needs. For

companies with smaller data sets or smaller

budgets, we can provide targeted analysis of

specific data without the fraud and forensic

analysis component. Under this approach,

we obtain data, run a predefined grouping of

analytical tests, and can quickly provide the test

results back to our client.

Local ContactsTo learn more, please contact:

John KulaDirector Deloitte Financial Advisory Services LLPChicago, IllinoisTel: 312-486-2560e-mail: [email protected]


Karen SchakSenior Manager – Business Development Deloitte Services LPChicago, IllinoisTel: 312-486-3244e-mail: [email protected]









Member of



Our SolutionThe Forensic & Dispute Services practice of


FAS”) has helped some of the world’s leading

companies navigate FCPA risk. Our clients seek

our assistance on a broad range of FCPA-related

matters, including:

• ForensicAccountingInvestigationsof

allegedFCPAviolations

Our forensic accounting specialists analyze

electronic and hard copy financial records

and assist clients in conducting interviews

of relevant personnel to help identify and

understand the scheme, assess the scope of

the violation, and report on our findings.

• TransactionalDueDiligence,

whetherbuyingorselling

If buying, we can assist in investigating the

acquiree to help your organization identify

potential FCPA issues and risks of potential

successor liability. When selling, we can help

avoid surprises by testing your company’s FCPA

compliance program.

• ComplianceProgramImplementation

andAssessment

We can assist clients with developing or

refining ethics and compliance programs that

can help protect against FCPA violations.

• FCPA“HealthChecks”

A Deloitte FAS diagnostic tool that helps

enable organizations to be more proactive in

identifying potential FCPA risks.

Your IssueDo you currently do business outside the U.S.

or are you considering it? If so, you need to

be aware of the Foreign Corrupt Practices Act

(“FCPA”) and its potential impact on your

company.

The FCPA prohibits bribery of foreign government

officials by U.S. companies and requires U.S.

companies to maintain accurate books and

records and a system of internal controls designed

to identify suspect payments.

Since 2001, a surge in FCPA enforcement actions

by the Department of Justice and the SEC has

resulted in criminal convictions of companies and

individuals, substantial fines, disgorgement of

profits and reputation damage to numerous

U.S. multinationals.

Virtually every organization of even modest

size and complexity doing business overseas,

particularly those in “high risk” countries (e.g.,

China, Russia, Indonesia, and Nigeria, among

others) is potentially vulnerable to FCPA risk.

At RiskCompliance with the Foreign Corrupt Practices Act

Is your company at risk of violating this closely monitored legislation?


• We have helped investigate alleged

FCPA violations in 40 countries in

Europe, Asia, Latin America, and

the United States on behalf of a

multinational manufacturing company.

• We conducted a comprehensive

50-country analysis, with visits to 28

countries, in connection with the

proposed sale of an oil, gas, and

petrochemical division of a large

multinational company.

• We performed a substantial due

diligence investigation of accounts and

records on behalf of a large defense

contractor engaged in the proposed

purchase of a multinational company

with several locations in Latin America.

Our due diligence investigation revealed

pervasive FCPA compliance issues within

the acquiree.

• We assisted several U.S. multinationals

and overseas clients in conducting

FCPA risk assessments.

• We assisted several U.S. multinationals

in implementing FCPA

compliance programs.

The Deloitte FAS Difference • ExperiencedTeam

Deloitte FAS professionals have been engaged

by our clients to assist on some of the largest

and most sophisticated FCPA enforcement

actions in the last several years.


Deloitte FAS offers a diverse team of

committed professionals with extensive,

specialized FCPA knowledge, including former

federal prosecutors, former SEC enforcement

attorneys and accountants, CPAs, certified

fraud examiners, statisticians, database

analysts, and computer forensic specialists.

Our team also includes former senior law

enforcement agents from the FBI and other

federal, state and local

government agencies.

• GlobalReachand











• ProprietaryToolsandTechnology

Deloitte FAS professionals are armed with deep

technical know-how as well as proprietary

software and cutting-edge methodologies.


Pat BradyPrincipalDeloitte Financial Advisory Services LLPChicago, IllinoisTel: 312-486-2980e-mail: [email protected]


Karen SchakSenior Manager – Business DevelopmentDeloitte Services LPChicago, IllinoisTel: 312-486-3244e-mail: [email protected]









Member of
