It faces mounting challenges to ensure that internal inquiries remain covered by the right. State regulators like the United States In investigating the boundaries of privileged information, the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC) have become more proactive, emboldened by recent rulings in which courts not only consider but actually order demands for disclosure of investigative materials in the civil discovery process. It is now more important than ever for organizations to consider the security steps they should take to maintain these rights and safeguard against potential attacks in the face of this changing environment.
The possibility of leakage of investigative materials is illustrated by two events:
Capital One disclosed in July 2019 that it suffered a data breach that allegedly compromised over 100 million people’s personal data and information. Immediately, Capital One faced regulatory scrutiny and class action. During the class action, plaintiffs discovered that a third-party cybersecurity consulting firm had been hired by Capital One to investigate the July 2019 incident, and requested the forensic report of that company. Capital One believed the forensic report of the company was covered under the doctrine of the work-product. Nevertheless, the Eastern District of Virginia ordered publication of the report on the ground that it was not prepared “because of” the danger of litigation, but rather, regardless of the litigation, it would have been prepared in substantially the same form. See In re: Violation Litigation on Capital One Customer Data Protection., No. 1:19-MD-2915, Dkt. No. 641, 641 (E.D. Va. June 25, 2020). The court based on the pre-existing partnership and fee structure of the consulting company with Capital One for significantly similar services and on the broad dissemination of the study in drawing this conclusion.
In 2013, the audit committee of RPM retained outside counsel to conduct an internal review of accrual-related issues that had been the subject of an SEC investigation. The outside counsel for RPM then shared the investigation’s conclusions with the SEC on the express understanding that there was no waiver. Notwithstanding that arrangement, in a subsequent compliance action, the SEC requested the investigative documents of outside counsel, including witness interview memoranda, and the D.C. Their development was directed by the District Court. Comm’n v. RPM Int’l, Inc., No. 1:16-cv-01803-ABJ, Dkt. See Sec. and Exchange No. 81, 81 (D.D.C. Feb. 12, 2020). The court found that the internal investigation was carried out because without an investigation and not because of the SEC compliance action or expected litigation, the auditor of RPM would not sign the company’s form 10-K. The court therefore ruled that the inquiry was not a matter of right. In addition, the court also concluded that by disclosing the contents of interview memos with both its auditor and the SEC, RPM had waived any arguable privilege.
By laying a strong basis for attorney-client privilege and work-product confidentiality during an internal audit, businesses can minimize the likelihood of future disclosure. Key considerations to consider in order to construct the shield include the following:
It is important to demonstrate that the inquiry was carried out for a legal purpose rather than for commercial purposes or in order to meet regulatory or contractual obligations. The object of contact and work should be recorded clearly and unambiguously.
The investigator’s oversight is important. Routine, company, or regulatory-focused events tend to be investigations conducted through enforcement or internal audit. In comparison, inquiries undertaken or managed by in-house and outside lawyers appear to entail higher business risks and greater legal liability potential, raising the possibility of privileged treatment of relevant communications.
Third-party emails, press or publicity materials, public notices, company and technical documents and communications between non-lawyers only constitute lightning rods in disputes over rights. Consider who is involved in the preparation or discussion of such documents, why they are involved, what they contribute to the materials, when and how the materials are produced, and to whom they are revealed, whether the content is privileged.
Any previously exchanged or even summarized privileged information with outside parties-auditors, regulators, and compliance agencies-are particularly vulnerable to challenge. This involves sharing information in exchange for “cooperation credit” in conjunction with inquiries by the government. Confidentiality and non-waiver arrangements with the government may not be binding by the appropriate body against future civil litigants or even a change of mind.
With recent cases showing that the government challenges the applicability of the privilege to investigative documents, and the courts endorse such attacks, during the course of the internal investigation, organizations should be diligent in establishing and retaining the safeguards offered by both the privilege of attorney-client contact and work product doctrine.