Data Analytics

DOJ’s 2024 Edits to the ECCP: Data Analytics to Find Risks and Measure Effectiveness


In her speech announcing the recent changes to the Evaluation of Corporate Compliance Programs (ECCP), Principal Deputy Assistant Attorney General Nicole Argentieri gave top billing to a focus on “how companies mitigate the risk of misusing artificial intelligence.” However, getting into the weeds, far more of the changes made to the ECCP (2024 Edits) relate to how companies use straightforward data collection and analytics to monitor, optimize and improve their compliance programs.

In the first article in this multi-part series, the Anti-Corruption Report spoke to experts in the field about the 2024 Edits regarding AI. This second part examines the new questions added that implicate how data is used in a compliance program to identify and mitigate risks, and how data analytics can be used to see how well the compliance program is working, providing value and improving company culture. A future article will discuss additional changes that touch on anti-retaliation, compliance resources and how companies should incorporate lessons learned into their compliance programs.

See “Thoughts From DOJ Experts on Using Data Analytics to Strengthen Compliance Programs” (May 22, 2024).

A Shift in Thinking

While the introduction of the term artificial intelligence was clear and bold, the edits related to data analytics were more understated, reflecting a subtle shift in thinking by the DOJ. The questions added as part of the 2024 Edits are the DOJ’s attempt to assess how a company is measuring the effectiveness of its compliance program through its day-to-day operations.

For example, in the section dealing with the accessibility of policies and procedures, a question has been added asking how the company confirms that “employees know how to access relevant policies.” In the section on risk-based training, a question has been added asking, “What analysis has the company undertaken to determine who should be trained on what subjects?” To determine the effectiveness of a company’s reporting mechanism, a question has been added asking how the company “assesses employees’ willingness to report misconduct.”

All of these questions get at whether a company is taking a rigorous approach to assessing whether each element of its compliance program is risk-based, tailored to the company’s unique risk profile and effective at preventing issues.

Still a Struggle

Understanding what data is available and what to do with it remains a challenge for many companies. “Compliance teams continue to struggle with corporate data,” Angela Crawford, a partner at Crawford & Acharya, told the Anti-Corruption Report. Companies have difficulty understanding what “data” means within their organization, where that data exists, who “owns” the data, and whether there are restrictions or prohibitions to data processing and access. “All these foundational questions must be addressed before compliance teams even can get to the point of accessing, utilizing and analyzing the data,” she said.

See “Lessons From HPE’s Anti-Corruption Purchase-Order Analytics on the Role for Humans in Data Interpretation” (Sep. 29, 2021).

Doubling Down on Data Analytics

Considering that many companies do not fully understand their data landscape, the DOJ’s focus on data in the 2024 Edits may be strategic. “The ECCP is implicitly making the business case for investing in data analytics,” Daniel Wendt, a member of Miller & Chevalier, told the Anti-Corruption Report.

As an example, Wendt noted that the 2024 Edits have added a new section on “Data and Transparency,” which includes the question, “Can the company demonstrate that it is proactively identifying either misconduct or issues with its compliance program at the earliest stage possible?”

“There is no longer the goal of simply detecting and remediating misconduct,” Wendt observed. Rather, companies are now encouraged to use data and transparency to identify misconduct “proactively” and “at the earliest stage possible,” which “presumably reduces all the related harms from the misconduct,” he suggested.

See “How Combining Approaches to Data Analytics Can Yield Powerful Insights” (Mar. 16, 2022).

Access to Data

In the revisions made to the ECCP in 2020 (2020 Edits), a new section was added regarding data resources and access. The 2020 Edits focused on whether the compliance team had access to sources of data and, if there were impediments to access, what the company was doing about them. In the 2024 Edits, the DOJ expanded its focus on access to data with the following detailed questions:

  • Do compliance personnel have knowledge of and means to access all relevant data sources in a reasonably timely manner?
  • Is the company appropriately leveraging data analytics tools to create efficiencies in compliance operations and measure the effectiveness of components of compliance programs?
  • How is the company managing the quality of its data sources?
  • How is the company measuring the accuracy, precision or recall of any data analytics models it is using?

Despite access to data being a DOJ expectation for more than four years now, it remains out of reach for many compliance teams. “In my experience, many compliance personnel do not have access to data, or they have access to data but without the resources to do much with it, or they get the data in a less-than-timely way through downloads and extracts at the end of a quarter or year,” Wendt reported.

Sophisticated Businesses Leaving Compliance Behind

Notwithstanding access struggles, companies are ever more reliant on data and analytics for the success of their businesses. “Some organizations are accessing and utilizing consumer and customer data for commercial, marketing, strategic, and financial purposes – but not for compliance purposes,” Crawford observed.

“There is a reasonable expectation that companies – at least in some industries – may be investing significant sums on data analytics for customer engagement or operational efficiencies,” Wendt said. He has seen various examples of companies with robust data science teams, but compliance may have difficulty in acquiring their time and attention.

From the DOJ’s perspective, excuses may not fly. “The DOJ is making clear, once again, that if a company can leverage its data to make money, it also must leverage it to address its compliance and regulatory risks and implement an effective compliance program,” Lila Acharya, a partner at Crawford & Acharya, warned.

See “Transaction Monitoring Tips From the Experts at Google” (May 29, 2019).

Using the ECCP As Leverage

To address problems accessing data, Wendt suggested that compliance teams should make a business plan or proposal to justify any expenses related to increasing access. “Compliance teams are well suited to work with their business partners across functions to message synergies and efficiencies associated with enterprise-wide data analytics,” Acharya said.

But, if compliance teams continue to meet resistance or delays in their access to data, “they can point to this guidance,” Ephraim (Fry) Wernick, a partner at Vinson & Elkins, told the Anti-Corruption Report.

The new language added to the ECCP “is meant to arm compliance personnel to raise a point with management that there should not be huge cliffs in data proficiency across a company, and that a manual compliance program is not optimal in a company that is otherwise embracing the benefits of data analytics and other technologies,” Wendt advised.

See “The Board’s Role in FCPA Compliance” (Mar. 31, 2021).

Holding Up a Mirror to Compliance Programs

While many of the changes related to data analytics get at making the compliance program work better by surfacing risks, the 2024 Edits also encourage companies to use data analytics as a mirror for the compliance program itself. In the “Continuous Improvement, Periodic Testing, and Review” section, two new subsections have been added that touch on this.

The first new subsection, titled “Measurement,” simply asks, “How and how often does the company measure the success and effectiveness of its compliance program?” Additionally, a new subsection on data and transparency has been added that asks:

  • To what extent does the company have access to data and information to identify potential misconduct or deficiencies in its compliance program?
  • Can the company demonstrate that it is proactively identifying either misconduct or issues with its compliance program at the earliest stage possible?

Commercial Success As a Sign of Strength

In addition to direct measures of success and effectiveness, the 2024 Edits also inquire about measures of the economic value of compliance. Under the section dealing with funding and resources, a question has been added asking whether the company has “a mechanism to measure the commercial value of investments in compliance and risk management[.]”

The added language demonstrates the DOJ’s view that companies with the most effective compliance programs “can show how investments into compliance translate into commercial value or success for the company, either through cost reduction or revenue growth,” according to Wendt.

There are several ways that companies could measure compliance program value. They can attempt to quantify the amount of financial loss prevented by the compliance function, Wernick suggested. A company could also look at instances where due diligence prevented the company from entering into bad business relationships, Wendt added.

The takeaway is that “the DOJ thinks it is important to consider how compliance programs can be additive within a company – not just a cost of doing business – and then marketing those aspects to promote the compliance program,” Wendt said.

See “Using Data Analytics to Boost Compliance Program Effectiveness” (Jun. 27, 2018).

Data to Improve Culture

The 2024 Edits also urge the use of data to assess company culture. In the introduction to Section III – which asks, “Does the Corporation’s Compliance Program Work in Practice?” – a sentence has been added. It states, “Prosecutors should also assess how the company has leveraged its data to gain insights into the effectiveness of its compliance program and otherwise sought to promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.”

Measuring culture is not easy, but periodic culture assessments and surveys can help. Wernick recommended gathering and analyzing metrics such as “awareness and use of hotlines, belief in the integrity of senior management and fear of retaliation.”

More broadly, “auditing, monitoring and other testing all serve the purpose of comparing whether company actions match company words,” Wendt observed. If there is a mismatch, the actions highlight the hollowness of the words. Data analytics can surface these issues and reinforce “a culture that is in fact committed to compliance with the law.”

See “Compliance 5.0: A Culture-Centered Approach” (Jan. 17, 2024).

Third-Party Due Diligence

DOJ prosecutors also will be probing companies about their use of data analytics in vendor management. In the section dealing with third-party management, the 2024 Edits added the following questions:

  • Does the third-party management process function allow for the review of vendors in a timely manner?
  • How is the company leveraging available data to evaluate vendor risk during the course of the relationship with the vendor?

Third-party risk management is an obvious place to introduce data analytics because it “remains the highest type of risk” for most companies, Wernick suggested. “Data analytics can be critical in helping to mitigate such risks.”

The data that companies can leverage to evaluate vendor risk varies from company to company. “Financial data can be informative as to vendor risk,” according to Acharya. For example, if a company has a key distributor in a country known for sanctions circumvention, a sudden sales spike is a red flag that should be investigated, she explained.

Companies might also look at hotline and investigations data, as they can provide insight into what countries or regions are subjectively risky for a company outside of objective measures such as the Corruption Perceptions Index, Acharya suggested.

“For vendors, relevant internal data could include payment amounts (any round dollar amounts, for example), mismatches between purchase orders and invoices, changes to company name, address, and/or bank account information, and more,” Wendt observed. “Available data” could also include publicly available information such as information regarding ownership, adverse media and litigation, he said.

No matter what information a company leverages, it should be reviewed regularly, “to inform compliance monitoring efforts, decisions about where to exercise third-party audit rights, and the internal audit team’s annual audit plan,” Acharya advised.
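As an added illustration (not code from the article or from any of the firms quoted), the vendor red flags described above by Acharya and Wendt, turned into screening checks and run over constructed vendor data: round-dollar payments, purchase-order/invoice mismatches, changes to a vendor's bank account details and a sudden sales spike at a distributor. Vendor names, amounts, snapshot dates and the thresholds are assumptions.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Payment:
    vendor: str
    po_amount: float       # amount on the purchase order
    invoice_amount: float  # amount actually invoiced and paid


@dataclass(frozen=True)
class VendorRecord:
    vendor: str
    as_of: str             # vendor-master snapshot, YYYY-MM
    name: str
    address: str
    bank_account: str


# Constructed sample data; none of these vendors, amounts or accounts are real.
PAYMENTS = [
    Payment("Acme Logistics", 12480.50, 12480.50),
    Payment("Acme Logistics", 50000.00, 50000.00),       # round amount
    Payment("Northwind Consulting", 8200.00, 9700.00),   # invoice exceeds PO
    Payment("Northwind Consulting", 20000.00, 20000.00), # round amount
    Payment("Globex Distribution", 3150.25, 3150.25),
]

VENDOR_HISTORY = [
    VendorRecord("Acme Logistics", "2024-01", "Acme Logistics", "1 Harbour Rd", "ACC-1001"),
    VendorRecord("Acme Logistics", "2024-06", "Acme Logistics", "1 Harbour Rd", "ACC-1001"),
    VendorRecord("Northwind Consulting", "2024-01", "Northwind Consulting", "9 Elm St", "ACC-2001"),
    VendorRecord("Northwind Consulting", "2024-06", "Northwind Consulting", "9 Elm St", "ACC-2099"),  # bank change
]

# Monthly sales through each distributor, oldest month first (constructed).
DISTRIBUTOR_SALES = {
    "Globex Distribution": [100, 110, 95, 105, 100, 310],  # sudden spike in last month
    "Acme Logistics": [50, 55, 52, 60, 58, 61],
}


def is_round_amount(amount, unit=1000):
    """Round-dollar test: amount is an exact multiple of `unit` (assumed threshold)."""
    return amount >= unit and amount % unit == 0


def flag_round_amounts(payments, unit=1000):
    return [p for p in payments if is_round_amount(p.invoice_amount, unit)]


def flag_po_invoice_mismatch(payments, tolerance=0.01):
    """Invoice amount differs from the purchase order by more than `tolerance`."""
    return [p for p in payments if abs(p.invoice_amount - p.po_amount) > tolerance]


def flag_master_data_changes(history):
    """Compare consecutive snapshots per vendor; return (vendor, field, old, new)."""
    by_vendor = {}
    for rec in sorted(history, key=lambda r: (r.vendor, r.as_of)):
        by_vendor.setdefault(rec.vendor, []).append(rec)
    changes = []
    for vendor, recs in by_vendor.items():
        for prev, cur in zip(recs, recs[1:]):
            for field in ("name", "address", "bank_account"):
                old, new = getattr(prev, field), getattr(cur, field)
                if old != new:
                    changes.append((vendor, field, old, new))
    return changes


def flag_sales_spikes(sales_by_vendor, ratio=2.0, window=3):
    """Flag the latest month if it is at least `ratio` times the mean of the prior `window` months."""
    spikes = []
    for vendor, series in sales_by_vendor.items():
        if len(series) <= window:
            continue  # not enough history to establish a baseline
        baseline = float(mean(series[-window - 1:-1]))
        latest = series[-1]
        if baseline > 0 and latest / baseline >= ratio:
            spikes.append((vendor, latest, round(baseline, 2)))
    return spikes


def screen_vendors(payments, history, sales):
    """Run every check and group the resulting flags by vendor for reviewer follow-up."""
    flags = {}

    def add(vendor, msg):
        flags.setdefault(vendor, []).append(msg)

    for p in flag_round_amounts(payments):
        add(p.vendor, f"round-amount payment {p.invoice_amount:.2f}")
    for p in flag_po_invoice_mismatch(payments):
        add(p.vendor, f"invoice {p.invoice_amount:.2f} != PO {p.po_amount:.2f}")
    for vendor, field, old, new in flag_master_data_changes(history):
        add(vendor, f"{field} changed {old} -> {new}")
    for vendor, latest, baseline in flag_sales_spikes(sales):
        add(vendor, f"sales spike {latest} vs trailing baseline {baseline}")
    return flags


if __name__ == "__main__":
    for vendor, msgs in screen_vendors(PAYMENTS, VENDOR_HISTORY, DISTRIBUTOR_SALES).items():
        print(vendor)
        for m in msgs:
            print("  -", m)
```

A flag is a prompt for review, not a finding; in practice the thresholds would be tuned to the company's own payment patterns and the output fed into the monitoring and audit-planning cycle described above.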

See “Continuous Spend Monitoring for End-to-End Third-Party Risk Management” (Dec. 11, 2019).

M&A

The 2024 Edits have introduced several new questions that relate to how companies integrate and upgrade their compliance programs after a merger or acquisition.

The subsection on post-transaction compliance programs has been almost entirely rewritten, changing from a single high-level question about what the company’s process has been in the past to a more detailed interrogation. The updated section asks:

  • What is the company’s process for implementing and/or integrating a compliance program post-transaction?
  • Does the company have a process in place to ensure appropriate compliance oversight of the new business?
  • How is the new business incorporated into the company’s risk assessment activities?
  • How are compliance policies and procedures organized?
  • Are post-acquisition audits conducted at newly acquired entities?

Additionally, edits were made to the subsection dealing with integration, asking about the integration of enterprise resource planning (ERP) systems as well as the role that compliance and risk management functions play “in designing and executing the integration strategy[.]”

Integrating ERPs

The 2024 Edits get highly specific about ERP systems like SAP, asking, “Does the company account for migrating or combining critical enterprise resource planning systems as part of the integration process?”

The inclusion of this specific question continues the 2024 Edits’ focus on using data and data analytics to mitigate risk. ERP systems can include many different types of software that help run a business, but the DOJ is likely most interested in those that are used for budgeting, accounting and other financial management, Wendt suggested. If a newly acquired company uses a different ERP to conduct activities than the parent company, the parent company “is going to have a lot less visibility into specific transactions,” he said, which “increases the risk that someone may be able to successfully hide high-risk transactions or even improper payments.” Additionally, using multiple ERP systems may make any efforts toward data analytics costly or even impossible. “The DOJ may be emphasizing the importance of ERP decisions because it is so important for setting the stage for effective data analytics efforts,” Wendt concluded.

The M&A Safe Harbor

In October 2023, Deputy Attorney General Lisa Monaco announced a new program that provides leniency for companies that identify and remediate compliance issues after a merger or acquisition (M&A Safe Harbor).

Both additions to the ECCP regarding M&A “aligned with the M&A Safe Harbor policy expectations,” Amy Schuh, a partner at Morgan Lewis, told the Anti-Corruption Report. The role of compliance and risk management in the integration strategy “is critical to the company’s ability to integrate internal controls timely, which is an expectation of the Safe Harbor policy,” she said. The added question regarding who will oversee compliance at the new business “simply boils down to accountability,” she noted, which is also “critical to obtaining the benefit of that Safe Harbor.”

“In my mind, DOJ’s M&A Safe Harbor program is the most significant of the numerous policy proposals this Administration has put in place as it has the potential to truly incentivize self-reporting in the aftermath of a M&A deal,” Wernick observed. The 2024 Edits that touch on M&A are “a natural follow-through” from the Safe Harbor, he said, and will help to create an environment where compliance issues at a newly acquired entity can be identified and self-reported quickly.

However, the 2024 Edits do not incorporate all of the elements of the M&A Safe Harbor, which is interesting, Wendt said. One of the most controversial pieces about the M&A Safe Harbor is the tight timeline it requires for companies to avoid liability. “[T]o qualify for the Safe Harbor, companies must disclose misconduct discovered at the acquired entity within six months from the date of closing,” Monaco noted when announcing the program. The 2024 Edits make no mention of the appropriate timeline for integration. “Similarly, while there is general language about ensuring ‘compliance oversight,’ there is no specific language about encouraging the new employees to raise allegations of misconduct and/or for reviews of all existing allegations post-closing (when the buyer has full access to all information).”

See “Safe Harbor Policy Seeks to Encourage Self-Reporting of Issues in M&A Transactions” (Oct. 11, 2023).

Internal Investigations

Loose Lips Sink Ships: Maintaining Confidentiality in Investigations


During World War II, the U.S. Office of War Information launched a poster campaign with the slogan “Loose lips sink ships,” urging Americans to avoid careless talk that could jeopardize the war effort. Similar campaigns took shape in other countries. While some historians argue that these messages were designed to quell dissent rather than to prevent information leaks to the enemy, the phrase resonates powerfully in today’s corporate world, particularly for those of us conducting sensitive investigations.

In our modern context, “loose lips” can sink not ships, but entire investigations, careers and even companies. In this era of data breaches, messaging apps and social media, the challenge of maintaining confidentiality in corporate investigations has never been more critical or more complex.

Leaks of information can happen at any time: before an investigation is launched, during its course or after an investigation’s conclusion. Each stage presents unique challenges and requires tailored strategies to maintain confidentiality. And the landscape of confidentiality management continues to evolve rapidly, driven by technological advancement and changing workplace dynamics.

Additionally, the permanent shift of many companies toward hybrid and remote work environments has fundamentally altered the confidentiality landscape. Organizations now face the challenge of maintaining investigation secrecy across distributed teams and virtual workspaces. This new reality necessitates sophisticated approaches to maintaining confidentiality in investigations. In the last few years, virtual private networks, secure cloud storage and encrypted communication platforms have become essential tools rather than optional extras. Organizations must develop comprehensive policies that address the unique challenges of maintaining confidentiality when team members are physically dispersed.

This article explores best practices for protecting investigations from leaks, considers various factors that influence confidentiality measures and examines the role of emerging technologies.

See “Navigating U.S. Privacy Laws in Internal Investigations” (Aug. 28, 2024).

Protecting Against Leaks: A Holistic Approach

Effective confidentiality management rests on two fundamental pillars: robust systems and well-trained people. Neither is sufficient on its own; both must work in tandem to create a leak-resistant environment.

On the systems side, organizations would do well to implement a multi-pronged approach that incorporates:

  • strong data encryption protocols for both data at rest and data in transit;
  • access controls that operate on a need-to-know basis;
  • secure communication channels for sharing sensitive information;
  • regular security audits and penetration testing; and
  • data retention protocols.

These technical measures create a foundation of security, but they are only as effective as the people who use them. The human element is often the most difficult for organizations to get their arms around. We will focus on a few key elements:

  • clear policies and procedures for handling sensitive information;
  • establishing and reinforcing easy-to-access reporting channels;
  • comprehensive training programs; and
  • a culture that values and rewards discretion.

Clear Policies and Procedures for Handling Sensitive Information

Policies set the foundation of behavioral expectations. To be effective, policies (such as code of conduct, speak up, investigations, anti-retaliation, and others) should be concise, clear and easy to access. For handling of confidential information, policies should define confidential information and provide guidance on its handling. Procedures and protocols can be employed for more detailed, step-by-step instructions, such as where to store certain types of records. As with all policies and procedures, it is important to keep them updated and current to reflect new or changing risks and landscapes. It may also be wise to outline the consequences of a breach.

See “Balancing Legalese and Simplicity in Modern Privacy Policies” (Oct. 27, 2021).

Establishing and Reinforcing Internal Reporting Channels

One of the most effective ways to prevent external leaks is to ensure that concerns are reported internally. The overarching goal is to enable and encourage individuals to report issues to the organization. To do that, companies should design various avenues for reporting, from formal hotline channels managed by third parties to protocols for reporting within the organization internally. Best practices include providing:

  • individuals with the opportunity to report anonymously;
  • ways to report in whatever languages are prevalent in the workplace;
  • the opportunity to report from different types of devices (e.g., via the intranet, phone, email or an app);
  • the ability to report any time of day (or night);
  • multiple reporting avenues (e.g., via a hotline, to a supervisor, to legal or compliance team members);
  • prompt and professional handling of reports so that employees have confidence in the systems; and
  • feedback (to the extent possible) to reporters to demonstrate that their concerns are taken seriously.

See “NAVEX Study Finds Record Level of Incident Reports and Substantiated Claims” (Jun. 5, 2024).

Comprehensive Training Programs

A necessary corollary to reporting channels is the training that enables and encourages employees to use the reporting channels. All company employees should receive training on how and when to report. They should also be trained on why reporting is essential to corporate compliance. And managers, often the first line for employee issues, should receive tailored training regarding how to appropriately handle and escalate issues.

It is equally important to train the individuals that will be tasked with receiving, triaging and investigating reports. Instructing them to “keep this confidential” is not enough; employees in different roles encounter different types of information, which requires tailored training. Function-specific training that incorporates scenario-based learning, with regular refreshers, can be very effective.

For example, a multinational technology company learned this lesson the hard way when it experienced a significant leak during a sensitive internal investigation. Despite having state-of-the-art encryption and access controls, the company failed to adequately train a new member of the human resources team on confidentiality protocols. This employee, not fully understanding the sensitivity of the information, discussed details of an investigation with a colleague over lunch at a local restaurant. The conversation was overheard by a journalist, leading to a damaging news story.

See “Tesco Is Making Big Strides With Little Learning Leaps” (May 25, 2022).

A Culture That Values and Rewards Discretion

Just as a culture of compliance is essential for a company’s program overall, so, too, is a culture of confidentiality essential to protect sensitive information.

Building a culture that respects confidentiality requires putting training to work and making sure that the messages are ingrained in the organizational culture. Management should consistently demonstrate the proper handling of sensitive information through their own actions and reinforce the approach through verbal reminders as well.

But beware, this can be a double-edged sword. Too much emphasis on confidentiality could be perceived as undermining, or at least inconsistent with, messaging on the importance of reporting. It is a fine line!

See “Compliance 5.0: A Culture-Centered Approach” (Jan. 17, 2024).

The Information Pyramid: A Model for Limited Access

Initial decisions about who, outside of those involved in the investigation, has access to investigation information can prevent issues down the line. Implementing an information pyramid can help manage information sharing (and leaks) within an organization.

All Employees

According to this model, the bottom level of the pyramid refers to all company employees who could potentially receive basic, non-sensitive updates on wide-spanning investigations. Depending on the circumstances – including risk of leak or information getting to potential wrongdoers – the actual information shared at this level should be limited. Generally, the information shared at this level can be confidential but should not be of the sort that would create significant risk for the organization if shared externally.

Management

The middle of the pyramid – management – can receive more detailed reports. This may be customized for individual managers whose teams are involved in the investigation. Managers of employees assisting with the investigation will get different reports (e.g., “We expect 40 more hours of your team member’s time in support of investigation efforts.”) from managers of individuals involved in the underlying conduct (e.g., “We will need to interview your team members next week,” or “One of your team members needs to be put on administrative leave or should not have access to certain data.”).

Senior Management and the Board

Lastly, at the top level of the pyramid, senior leadership and the board should receive more thorough and ongoing information about the overarching status of an investigation, preliminary conclusions, if appropriate, and final conclusions. Senior leaders and board members may be given unfettered access to investigation findings. On a case-by-case basis, it may also be appropriate to provide detailed underlying data to these individuals.

Please note, this model assumes that none of the people receiving more than the minimum updates are implicated in the underlying misconduct or are suspected of leaking information. If either of those assumptions is not present, adjustments to the model should be made.

Further Considerations

There are many additional considerations when designing a confidentiality approach, such as psychology, company culture, the relevant industry, the company’s size and resources, the breadth of the investigation and whether there is public (or government) interest in the investigation. Ultimately, each organization’s approach to confidentiality must be tailored to the specific context of the investigation, and there may be other factors to consider.

Human Psychology

Columbia Business School professor Michael Slepian notes, “keeping secrets can lead to feelings of shame, isolation, uncertainty, and inauthenticity, which can generate anxiety and loneliness.” In order to combat these ill effects and increase the chance of confidentiality being respected, it can be helpful to provide individuals with an avenue for discussion. For interviewees, for example, offer that the investigations or compliance personnel remain available to them. For the investigators, remind them that a manager is accessible.

Culture

Culture plays a significant role in how confidentiality is perceived and maintained, which can impact both the substance of the investigative process itself and the ability to maintain confidentiality regarding the process and findings. In some cultures, sharing information might be seen as building trust, while in others, discretion is highly valued. Understanding and working within (or carefully changing) the existing culture is crucial.

See “Leveraging Policies and Culture: A Recipe for Success” (May 26, 2021).

Industry

Different industries have varying regulatory requirements and norms around confidentiality. For example, employees in the financial services industry, which is subject to strict regulations in the U.S. and many other countries, may be more familiar with the need to maintain confidentiality than employees in the construction industry. Understanding and addressing industry-specific concerns is crucial in developing effective confidentiality measures.

Company Size and Resourcing

Depending on size and resourcing, a company may have greater or lesser technical capability to help ensure confidentiality. Additionally, a company may need to rely to a greater or lesser extent on personal relationships and culture based on its context. For example, larger companies may need processes that are more formalized to reinforce expectations.

Investigation Size

It is often easier to maintain confidentiality over small, localized investigations. Large scale matters may require more sophisticated information protection and more significant efforts to ensure that all people touched by the investigation understand their confidentiality responsibilities.

Public Interest in Investigation

“Juicy” investigations are more likely to be leaked externally. When working on such investigations, stringent confidentiality measures are warranted, as is particular attention to various leak scenarios.

See “Internal Investigations in the Life Sciences Industry” (Jul. 8, 2020).

Emerging Technologies in Confidentiality Management

As threats to confidentiality evolve, so too must the tools to maintain it. Several emerging technologies are already instrumental in this regard. Password-protected data access, secure collaboration platforms and encrypted emails show promise in enhancing confidentiality measures.

AI

The hot-button topic of the day, artificial intelligence (AI), presents interesting opportunities from a confidentiality perspective. On the one hand, AI has long been leveraged in document review to narrow and limit the number of documents needing to be examined. This is helpful for confidentiality purposes because it often means fewer people need to be involved in the process of combing through potentially sensitive documents and/or fewer documents need to be reviewed. Advanced AI systems are also being developed to analyze communication patterns and identify potential confidentiality risks before they materialize. These systems can monitor information flow patterns, flag unusual access requests and help organizations prevent breaches rather than merely respond to them. As is the case with all technological advancements, AI also presents new challenges to confidentiality, including temptations to share confidential information with an AI program that is not a closed system.

See this three-part series on AI for anti-corruption compliance: “Foundations” (Oct. 28, 2020), “Building a Model” (Dec. 2, 2020), and “Five Workarounds for Asymmetric Data Sets” (Feb. 3, 2021).

Other Emerging Technologies

As other security-related technologies continue to develop and become mainstream, they may likewise become relevant for investigations. For example, blockchain technology is emerging as a promising tool for securing sensitive information, offering immutable audit trails and enhanced access controls.

However, integration of these tools into investigations requires careful consideration of cross-platform security and compatibility issues. Organizations must balance the benefits of integrated solutions against the potential risks of consolidating sensitive information within single systems.

See “Privacy and Security Considerations of Blockchain Technology” (Dec. 7, 2022).

Key Takeaways

The maintenance of confidentiality in investigations represents an ongoing commitment that requires constant vigilance and adaptation. Organizations must regularly assess their confidentiality measures against both technical systems and human elements. This assessment should lead to concrete actions, including implementing regular “confidentiality health checks,” reviewing access controls, updating trainings and actively seeking feedback from stakeholders about the effectiveness of current measures. Even incremental improvements in confidentiality management can prevent significant damage to investigations, careers and organizational reputation.

  • Confidentiality Management Is a Two-Pillar System
    • Success depends on both robust technical systems and well-trained people.
    • Neither element alone is sufficient; they must work in tandem.
  • Information Access Should Follow a Pyramid Model
    • Implement tiered access based on need-to-know principles.
    • Customize information sharing based on stakeholder roles and responsibilities.
    • Adjust access immediately if leaks are suspected or individuals are implicated, and frequently check the access rights of the individuals at each level.
  • Other Factors Matter
    • Consider industry norms, company size, and the cultural context.
    • Address the psychological burden of maintaining confidentiality.
    • Provide appropriate support systems and outlets for those involved.
  • Training Must Be Comprehensive and Ongoing
    • Function-specific training is more effective than general guidance.
    • Regular refreshers are essential.
    • Include scenario-based learning for practical application.
  • Technology Should Enable, Not Replace, Human Judgment
    • Leverage emerging technologies like AI for document review.
    • Stay current with technological advances while being mindful of new vulnerabilities.

Remember, in the realm of confidentiality, complacency is our greatest enemy. By staying vigilant, adaptable and committed to continuous improvement, we can rise to the challenge of keeping our ships afloat.

 

Ann Sultan is the vice chair of the international department at Miller & Chevalier, where she focuses on internal and government investigations, international corporate compliance, and white-collar defense related primarily to workplace misconduct and anti-corruption and anti-money laundering laws and regulations. She advises clients, including public companies and senior executives, on a wide range of topics, such as compliance assessments, due diligence, risk management, DOJ and SEC enforcement actions, and interacting with external auditors in the context of accounting and financial reporting matters.

Ian Moolman is an ethics and business integrity manager at Emirates Global Aluminium (EGA). He has over 20 years of experience spanning compliance, risk management and supply chain operations in global commodities trading. An advocate for corporate ethics and compliance, Moolman serves as the Middle East ambassador for the Commodity Trading Club and is an International Compliance Association partner across multiple regions. The views Moolman expresses in this article are his own and do not represent those of current or previous employers.

Cooperation Credit

Moog’s $1.7M SEC Deal Spotlights Subsidiary Liability, Third-Party Risk and Self-Reporting


The SEC’s announcement in October 2024 that U.S.-based aerospace and defense company Moog, Inc. (Moog) had settled allegations that it violated the books and records and internal accounting controls provisions of the FCPA might be easy to overlook. The deal does, after all, involve a relatively modest sum (just under $1.7 million in all) compared to headliner settlements in the hundreds of millions of dollars. It also involves relatively small-scale bad behavior like the payment of bribes that resulted in India-based subsidiary Moog Motion Controls Private Limited (MMCPL) winning a contract for about $34,000.

Still, even a $1.7-million slap on the wrist can sting, and the settlement may yet enlighten the broader regulated community on subsidiary liability, third-party risk, and the pros and cons of self-reporting.

“It is clear that U.S. authorities have heightened their compliance expectations for all companies with cross-border operations and supply chains – and especially for companies whose products, operations, or supply chains potentially raise national security concerns,” Adam Goldberg, a partner at Pillsbury, told the Anti-Corruption Report.

Indeed, the SEC’s action against Moog “highlights the need for issuers operating internationally to have appropriate compliance and internal accounting controls over third parties and third-party payments, as weaknesses in those systems heighten corruption risk,” said Charles Cain, Chief of the SEC Enforcement Division’s FCPA Unit, in a press release issued at the time the settlement was announced.

The SEC’s pursuit of the matter at all is interesting. “Here, the infractions appeared relatively minor, and the connection of the Moog parent entity to the underlying misconduct was fairly attenuated,” Geoffrey Atkins, a partner at Ropes & Gray, told the Anti-Corruption Report. “Still, Moog paid a penalty, albeit a relatively modest one,” he continued.

See “Loose Practices and Imprecise Recordkeeping Prompt SEC Scrutiny, Even When Investors Are Unharmed” (Jan. 3, 2024).

Bribery in India

The SEC determined that employees at Indian subsidiary MMCPL bribed foreign officials in India to win business between 2020 and 2022. The same employees also offered bribes to foreign officials in India in an effort to cause public tenders there to favor East Aurora, N.Y.-based Moog and to exclude its competitors. Moog, which has sales, engineering and manufacturing facilities in 26 countries, is traded on the New York Stock Exchange.

Improper payments, funneled through third-party agents and distributors, were falsely recorded as legitimate business expenses and were not detected because of deficient internal accounting controls, according to the cease-and-desist order (Order) issued by the SEC against Moog.

Employees at Moog’s subsidiary in India “freely discussed their misconduct, which reflected a prevailing culture to win business at any cost, including improper means,” according to the Order. This widespread misconduct “reflected a breakdown in internal accounting controls, training, compliance, and tone at the top of the subsidiary.”

The language in the Order is strong, but the misconduct at issue seems to be relatively small-scale. “It is true that the settled FCPA books-and-records violations were relatively minor, apparently reflecting the mischaracterization in company records of just two payments totaling around $30,000 in connection with the procurement of relatively small contracts,” Goldberg said.

At the same time, “the SEC purports to have identified a corporate culture where bribery schemes at Moog’s subsidiary were discussed regularly and openly without being detected or challenged by Moog,” Goldberg cautioned. The Order chronicles the creation of invoices by third parties that MMCPL employees knew included improper payments to government officials, but which were recorded as legitimate contractor services.

“The SEC has characterized this conduct as a significant breach of Moog’s internal controls obligations under the FCPA accounting provisions,” Goldberg noted. The SEC has “long sought to investigate and penalize FCPA internal controls failures at the foreign affiliates of U.S.-listed companies even in the absence of anti-bribery charges,” he continued.

Companies subject to SEC jurisdiction, and “which fail to maintain proper compliance oversight at their foreign subsidiaries and controlled affiliates, do so at their own peril,” Goldberg cautioned.

See “China and India Pose Compliance Challenges With Legal Shifts” (Apr. 24, 2024).

The Deal

The SEC ordered Moog to pay disgorgement of $504,926, prejudgment interest of $78,889 and a civil penalty of $1.1 million, for a total of $1,683,815.

In opting to accept Moog’s settlement offer, the SEC considered remedial acts “promptly undertaken” by the company, cooperation in the investigation by identifying and producing pertinent documents and sharing witness statements, remediation, and partial self-reporting.

How exactly Moog’s decisions to self-report misconduct at its India-based subsidiary and to cooperate with the SEC likely influenced the settlement outcome remains, in some measure, beyond the veil. The Order “acknowledges that Moog voluntarily disclosed ‘certain misconduct’ to the DOJ in the first instance and cooperated with the SEC’s investigation, but it is impossible to decipher how these actions are reflected in the final penalty of $1,683,815 in civil fines and disgorgement,” Goldberg said.

Although the SEC “routinely reduces sanctions based on cooperation and self-reporting,” Atkins observed, the benefits of self-reporting “can be ambiguous.” Unlike the DOJ, the SEC “has not provided standard guidance for cooperation credit,” he said. Rather, the regulated community – and its lawyers – are “mostly left to interpret the facts of individual enforcement actions.”

“It is quite difficult to assess how the SEC calculates FCPA penalties, including with respect to how cooperation is credited,” Goldberg explained. “Penalties are not usually calculated with specificity in public settlement documents,” he said, “and even private settlement discussions with the SEC rarely include detailed discussions of penalty and credit calculations.”

Just as the DOJ “has gone to great lengths in recent years to emphasize the importance of voluntary self-disclosure, the SEC has also stressed that companies can receive significant leniency for full cooperation,” Goldberg noted. Nevertheless, it “can be challenging for companies to anticipate how the SEC will quantify the value of self-reporting and cooperation – and the SEC retains significant discretion to withhold available credit.”

A Tough Decision

Which is the better approach to self-reporting – confess to a full-scale violation in the hope some measure of mercy will be meted out by enforcers, cop to a relatively minor infraction to signal one’s overall virtue, or wait and see if the U.S. government will figure out what transpired?

“With respect to the FCPA, companies are not often convinced that self-reporting is sufficiently advantageous,” Goldberg observed. “This is especially true for minor infractions, although the SEC presumably would not characterize the Moog internal controls infractions as minor,” he continued.

Whether “wait and see” might be the way to go depends on to whom the company voluntarily self-discloses. “Voluntary disclosure considerations can vary significantly between enforcement agencies,” Goldberg said. For example, the Office of Foreign Assets Control and Bureau of Industry and Security voluntary disclosure procedures relating to civil U.S. sanctions and export controls violations are well-established – and companies frequently use these channels to manage risk in the case of both inadvertent violations and misconduct, he added.

In contrast, the DOJ has been less successful in encouraging companies to come forward. Despite significant efforts to clarify the benefits of voluntarily disclosing potential violations of the FCPA, U.S. sanctions, export controls and national security laws, the DOJ “retains significant discretion under current policies not to grant available credit for disclosures,” Goldberg emphasized.

Even with the uncertainty inherent in self-reporting, it can be a wise move in certain circumstances. The considerations will always be case- and fact-specific, Goldberg noted, but some relevant examples might include:

  1. A company believes that it is likely to qualify for meaningful credit that would not be available without self-reporting.
  2. The government seems likely to learn of potential misconduct, e.g., because a whistleblower has come forward or because conduct could be subject to mandatory reporting requirements or other public disclosure.
  3. A company needs to shape the external narrative or optics of the situation for legal or commercial reasons.
  4. A company wants to reinforce its culture of compliance internally by sending a clear signal to employees that misconduct will be reported and not tolerated.
  5. A company has an ongoing relationship with government regulators or government customers, and it wants to earn goodwill or maintain trust with such parties.
  6. A company operates in a sector known to be under enforcement scrutiny, e.g., if competitors have been investigated.

See also “SEC Enforcement Director Grewal Emphasizes Benefits of Cooperation” (Sep. 25, 2024).

Standard and Robust Remediation

Moog undertook significant remediation, according to the Order, including:

  • termination of employees and third parties involved in the inappropriate behavior;
  • enhancement of internal accounting controls over third-party payments;
  • strengthening of the company’s global compliance organization;
  • enhancement of policies and procedures related to due diligence and the use of third parties;
  • increasing the frequency of audits and monitoring of distributor and intermediary activities;
  • mandating management approval for all distributor and reseller agreements;
  • creation of new positions to address potential risks; and
  • increasing training of employees on anti-bribery issues and tender-specific procedures.

“At a high level, these all appear to be proper, standard steps that a company might take to address the kinds of compliance issues identified in the order,” Goldberg said, noting that the Order does not explain the listed activities in detail.

The company does appear to have made “robust improvements to its third-party controls in particular,” Atkins observed. “The majority of FCPA cases continue to involve misconduct by third parties,” he noted. “Moog’s adoption of more frequent audits and monitoring of distributors and intermediaries, combined with additional management approval requirements for distributor and reseller agreements, is noteworthy.”

See “Deputy Assistant AG Miller Discusses Robust DOJ Anti-Corruption Efforts, Stressing Individual Accountability, Self-Reporting, Remediation and Cooperation” (Mar. 1, 2023).

Long COVID

Interestingly, the inappropriate activities at issue at Moog’s subsidiary occurred between 2020 and 2022 – in other words, during peak pandemic.

“The challenge of keeping commercial operations running during a period of unprecedented business disruptions perhaps distracted some companies’ management and put added pressure on employees to achieve commercial goals through improper means,” Goldberg said, while acknowledging that he does not know how the pandemic affected Moog specifically. “Many companies faced a more challenging global compliance environment during that time,” he continued.

During the pandemic, “it became difficult to ensure that organizational culture – including compliance culture – permeated every office or geography,” Atkins said. “It was harder to visit colleagues; conduct in person trainings, investigations, and audits; to get person-to-person feedback on issues that the business was facing in local markets; to have the kinds of routine interactions that establish a culture,” he recalled. “All of those things can have an impact.”

There are some proactive steps companies could take now to strengthen their compliance programs and internal controls to avoid similar issues, especially as they relate to legacy pandemic-era challenges and remote work.

“U.S. authorities have repeatedly emphasized the importance of FCPA, export controls, sanctions, and national security compliance in recent years,” Goldberg observed. Companies with multinational operations and supply chains “should focus on ensuring that their compliance programs are evolving accordingly,” with robust compliance programs that are “adequately resourced, monitored, effective in practice, and improved over time,” he said. At a high level, he continued, the most important steps for companies to take are:

  1. periodic risk assessments;
  2. periodic compliance program reviews to ensure that existing policies, procedures and internal controls are reasonably designed to detect and prevent violations given existing risk levels;
  3. regular testing to ensure that the compliance program is working in practice;
  4. appropriate messaging from the board of directors and upper management (“tone at the top”) and middle management (“tone at the middle”) regarding the company’s commitment to compliance; and
  5. the appropriate remediation of any identified issues, including an assessment of whether identified conduct reflects compliance program gaps that must be addressed.

See “Post-COVID Compliance Strategies: Dealing With Persistent Heightened Risks” (May 26, 2021).

Compliance Culture

The Moog matter “demonstrates the importance of organizational culture,” Atkins stressed. It is important “for a business’s leaders across functions, including sales and commercial functions, to openly demonstrate a commitment to compliance as a priority.” Compliance messaging cannot come only from compliance, he cautioned.

“Implementing an effective compliance program takes long-term commitment and investment,” Goldberg noted. Merely having an FCPA policy is not enough. “A company must put in the work to ensure that its policies are implemented, overseen, tested, and evolve over time as compliance risks change,” he maintained. To that end, compliance team members “must have appropriate experience, seniority, and independence,” he continued. Violations must also be remediated properly.

At the same time, fostering a robust compliance culture can be a challenge, “especially in countries where bribery is a more regular feature of commercial dealings,” Goldberg acknowledged.

The aerospace and defense industries in particular may want to pay attention to the Moog settlement. These are “highly regulated sectors that have long been subject to robust anti-corruption, antitrust, export controls, sanctions, safety, and other enforcement scrutiny,” Goldberg said. The U.S. government’s heightened focus in recent years on “national security, sanctions, and export controls enforcement is likely to mean that companies in the aerospace and defense industries will receive still more enforcement scrutiny than in the past,” he predicted. “They should be revisiting their compliance programs with this heightened risk in mind.”

See “Fewer Individual Charges and More Focus on Third Parties in 2023’s FCPA Enforcements” (Feb. 28, 2024).

Internal Investigations

Managing Technological Complexity When the Government Comes Knocking


In the past two decades or so, the number of ways humans can communicate with each other has multiplied exponentially. Moving well beyond letters, faxes, phone calls and emails to the realm of app-based communication, the options for sharing information are dizzying. As a result, involvement in a government investigation, where prosecutors want to see all relevant evidence, has become more and more complicated along with the advances in technologies.

During the Society for Corporate Compliance & Ethics’ 2024 Compliance & Ethics Institute, a panel discussion focused on this convergence of technology and compliance-related investigations. This article distills insights from speakers Christian Nauvel, Deputy Chief Counsel for Corporate Enforcement at the DOJ, Venable partner Matt Murphy and Johnson & Johnson senior counsel Nick Connor on how companies can get out ahead of investigations.

See “Compliance Challenges in Records Management” (Aug. 16, 2023).

When Investigators Come Knocking

Companies can find themselves involved in an investigation for a number of different reasons. What role the company plays in the investigation will impact what is expected of it in terms of producing communications and data.

Subject/Target/Witness

Government investigators use different terms to denote the role assigned to a company or person in an investigation. But a company’s role may shift depending on the information that comes to light – and on how the company handles questions.

  • Subject: A “subject” is an entity that has desirable information, or whose conduct is somehow within the scope of an investigation, Nauvel said. The definition of this term is “very broad,” he added.
  • Target: A “target” of a criminal investigation is “a putative defendant,” he continued. This word may start applying once investigators have a prosecution memo drafted. “It is when a prosecutor or a grand jury has a lot of incriminating information” that a person or company becomes a target, he said.
  • Witness: A person or company may also be of interest merely as a “witness” because they have relevant information, but there is no suspicion of wrongdoing.

Investigators try to let companies know what role they have been assigned, when secrecy rules allow, Nauvel asserted. “We have to be careful about what we reveal, but pretty quickly we work to give companies as much information as we can,” he said. Investigators are generally able to clarify whether an entity is just a witness or a subject, he noted.

A legal professional helping a company navigate an investigation should try to ascertain which of these designations applies to their client as soon as possible, Connor suggested.

Moving Between Categories

Just because a company starts off in one category does not mean it will stay there. There is a “fluidity between subject, target, witness,” Murphy noted, and companies are well advised to try to avoid becoming a target.

A company can turn into a target “quicker than one might think,” Nauvel warned. He described this as a “dreaded situation” and said it can result merely from a buildup of evidence against the company. But it can also result from a company’s choices in dealing with the government, such as failing to have data ready for investigators in response to their requests.

If investigators gain the impression that a company’s compliance program is “woefully understaffed, under-resourced, disorganized,” they can quickly conclude that it does not have a functional compliance program, Nauvel said. “Compliance plays a huge role” in how investigators view a company, he stressed.

If a company actively conceals information, perhaps in hopes of protecting certain executives, the results can be even worse, Nauvel cautioned. Luckily, “it does not happen very often nowadays,” he said.

See “Designing and Implementing Effective Press and Social Media Policies to Mitigate Reputational Harm From Anti-Corruption Investigations” (May 29, 2013).

Expensive Even for the Innocent

Even with a clean operation and a robust compliance program, involvement in a government investigation in any form is burdensome.

A government investigation can affect a company even if it is not likely to be charged with misconduct, Murphy said. “Any company of a certain size, especially if it engages in a highly regulated industry or has a lot of international business,” should anticipate that it will sometimes come into contact with “bad actors,” Connor asserted. “Even companies with spotless records are going to get inquiries,” he said.

If investigators reach out to a company, they are likely building a case against someone, even if the target is unclear. “They are looking for people involved, documents, anything that can be used in evidence,” Nauvel explained.

The information that investigators ask companies to submit can be expansive and burdensome to obtain and produce, Connor said. Sometimes investigators are seeking a “discrete piece of information,” he noted. However, “subpoenas can be very broadly drafted,” Nauvel confirmed.

Additionally, the government generally wants information fast, Nauvel stressed. If investigators do not find the company’s external or in-house counsel convincing, and “initial conversations do not go well,” he said, they may seek to accelerate the process. The statute-of-limitations clock may be running, adding urgency from investigators’ point of view, he pointed out.

See “Strategies for Preserving Data Before and During an FCPA Investigation” (Nov. 14, 2012).

Tech Takes Many Forms

New types of messaging technology render government investigations – and companies’ navigation of them – more complicated. Even a company’s management may not know what technologies employees are using, Connor said. “Every company has complex data used to do different things,” he noted.

Not long ago, a government subpoena seeking a company’s communications would essentially require emails, a request that “was relatively easy” to fulfill, Murphy said. However, the use of text messages is emerging in investigations, as they are “ubiquitous” and “easier and quicker than email,” he added. Employees should not be exchanging text messages on substantive business issues, Connor emphasized. “The government will see that employees were texting each other about work on personal phones.”

Communications via applications such as Slack and WhatsApp are also routinely of interest in the government’s corporate investigations, Nauvel said. “The government is interested in any and all communication with information that is business related,” he explained.

See “Retaining Business Records in an Era of Disappearing Messaging Apps” (Nov. 14, 2018).

Privacy Concerns

While the list of communications government investigators want to collect continues to grow, privacy considerations often make it challenging for companies to procure everything investigators ask for. “We see it becoming a problem for privacy reasons. Companies are struggling sometimes to get that information,” Nauvel acknowledged.

Assembling data gets very complicated when a company has international operations, Connor said. Because of privacy laws in some countries other than the U.S., there is a risk of a “foreign government potentially prosecuting a company if it does provide the information the U.S. government is asking for,” he remarked.

Companies facing this issue should mention concerns around conflicting privacy obligations early if they come under investigation, Connor said. “Bringing that issue to the U.S. government’s attention early on can be helpful,” he noted.

See “Foreign Attorneys Share Insight on Data Privacy and Privilege in Multinational Investigations” (Jun. 29, 2016).

Not the Government’s Problem

While enforcers may understand the difficulties around gathering communications from multiple sources, the onus is on the company to provide the information required, Nauvel said. “I realize it is a complicated problem, but with my government hat, it is not my problem.”

Imposing strict policies on employees’ business use of personal devices or email accounts is one way companies can address the problem preemptively, Nauvel noted. Some companies make employees carry two devices, one for personal and one for professional use, he added.

Connor dubs himself “a strong advocate for a two-phone policy,” explaining that “it solves innumerable complex and difficult issues.” In addition, companies should maintain “a firm policy that text message is not an acceptable way for conducting business,” he said. Even when conveying routine information like the timing for a meeting, staffers are better advised to send an email via their smartphone than to text. But a company ban on texting to conduct business is insufficient unless backed up with enforcement, which means “disciplining people,” he commented.

As for recording meetings, it is natural today that some employees will do this if they cannot attend, Connor said. This underlines the need for a company policy in the matter, he noted.

See “Disclosure of Exculpatory Evidence in ‘Parallel’ Civil and Criminal Investigations” (Apr. 28, 2021).

The Easy Way, or the Hard Way

If a company fails to provide records the government wants, enforcers can obtain them in other ways. “The government has other means of collecting this information, and sometimes we do,” Nauvel warned. Investigators who are aware of relevant communications having been exchanged through personal accounts will not hesitate to get a search warrant, bypass the company and requisition those messages, he stressed.

However, it is more comfortable for employees if a company complies when investigators seek business communications sent through personal devices and accounts, Connor said.

“A subpoena seeking communications and a request to image devices is the nice way of asking,” Connor stressed. The alternative is that investigators seize the information themselves, he said.

According to Murphy, part of the reason it is in a company’s own interest to take action is that it gives managers the chance to see what sensitivities it might have. They can see if an email “was worded in an unfortunate way” and “talk to the people about the real stories,” he noted.

Additionally, company managers can give an employee more leeway to separate personal from business communications in company accounts, Nauvel said. “A search warrant means everything.”

In this situation, some employees panic and delete emails, Connor warned. Rather than reducing the incrimination, this can lead investigators to conclude that obstruction is taking place, he said.

See “Insiders Tsao, Soltes and Kahn Share Insights on Investigations” (Jan. 4, 2023).

Targeting Specialists

Investigators do not always reach out to the leaders of a company or counsel when seeking information, choosing instead to target people who can give them quicker access.

Sometimes, the government first contacts a frontline employee who is close to the information it wants, Connor noted. Other times, investigators will seek a conversation with the employee who best knows the relevant system, Nauvel stated.

In the past five or so years, it has become more common for a government investigation – even in its initial stages – to delve right into a company’s data systems, Connor said. The government will request an interview with someone at the company who knows how information is tracked and how it flows, he outlined. This avoids what he dubbed a “game of telephone,” with a top manager promising to seek information from the IT department and relay it back to investigators.

Nauvel explained that he and his colleagues at the DOJ often find communicating with the company’s defense counsel less effective because they are not best placed to provide insight into the company systems.

One way to get out ahead of this is to reach out to investigators and offer inner details that might not be obvious to an outsider, Connor said. “Do not assume that everyone knows everything. That includes the government. They may have a lack of familiarity with how things work, in a regulated industry especially,” he cautioned. Companies can volunteer to explain to investigators how their compliance system works in broad terms, helping to pave the way for more specific questions further down the road, he suggested.

See “How to Effectively and Efficiently Respond to Parallel Investigations” (Jul. 24, 2019).

Compliance Takeaways

A cooperative attitude and good policies on preservation can help a company weather a government investigation.

Cooperation Counts

An important takeaway for compliance professionals is that accepting the investigation, and cooperating with it, is beneficial.

“A government investigation is disruptive and causes anxiety and diverts resources. But this is the nature of a government investigation, and it is not going away,” Connor said.

From the initial stages of involving a company in an investigation, the government is interested in ascertaining how cooperative the company is, Nauvel stressed. The cooperative actions investigators ask for, such as fast responses on a subpoena, are for the company’s benefit, he argued. “It gives us some time to build trust and to get me what I need.” As the investigation proceeds, a company that has been prompt in cooperating from the beginning can have more time to tell investigators its own version of the story. Without cooperation, “I am going to go on my merry way and do what I think best,” he added.

Even if a company has committed misconduct, it may not end up being indicted, as “there is always prosecutorial discretion,” Nauvel said. Its attitude toward the investigation is one factor in that decision, he underscored. “That is where cooperativeness comes into play.”

Companies should respond quickly to an investigation by identifying the people best equipped to provide the sought information, Connor said. This will help “avoid an innocent misunderstanding that might look like obfuscation to the government,” because investigators might “think they asked a simple question.” By turning over the required evidence to investigators, a company is contributing to its own defense case, he argued. Being able to show compliance is among “the sharpest arrows in my quiver” to legally defend a company, he maintained.

If It Exists, Preserve It

A strong data preservation policy is important for any company hoping to emerge relatively unscathed from a government investigation.

“If it exists, it needs to be preserved” is “a good rule of thumb,” Murphy suggested. Upon receiving a subpoena from investigators, companies are well advised to issue a notice to all staffers to refrain from deleting anything that might be relevant, he said.

“Having a playbook in place for how to handle government inquiries is super important,” Connor affirmed. When the government says it needs information from a company, the company leadership needs “to lock down everything that is out there,” he said. “The company must ensure there is a process for getting those data to the appropriate folks,” he stressed.

Systems and processes can be among the things companies must preserve, Connor pointed out. “Often, preservation does not just mean letters and simple computer files or emails, but systems, processes, and the teams that control those processes,” he said.

Analyze Data Before the Government Does

Companies can avoid running afoul of investigations by scrutinizing their own data before investigators do.

“Make the gains in the off season,” Nauvel suggested. The time when the government is not at the door is the right time for a company’s compliance professionals to preemptively analyze anything that might attract scrutiny.

Company leaders should talk with their legal teams “early and often” about concerns, or any changes in company systems, Connor recommended.

If companies appear to be well-informed about their business, the government will have a strong expectation that they will act appropriately on that information, Connor said. Data analytics tools often promise the ability “to assess risk to business units in real time,” he noted. With such tools in place, a company may face a less understanding attitude from the government if problems arise. The government will ask why a company did not act on the risks if it had such access to information about them, he added.

The government expects companies to act on data about possible risks, Nauvel confirmed. Companies should be “taking close looks at their own data and picking up on those potential problems before the government does,” he advised.

See “Thoughts From DOJ Experts on Using Data Analytics to Strengthen Compliance Programs” (May 22, 2024).

Data Privacy

Emerging Issues in Workplace Privacy: Regulations and Compliance Strategies


As employers increasingly turn to automated tools to monitor and collect information on employees to increase efficiency, assess safety issues, streamline candidate screening and assess performance, federal and state regulators are examining privacy issues unique to such practices. Companies should understand the types of surveillance tools available to them as well as the risks and benefits of their use.

Counsel from the California Privacy Protection Agency (CPPA), Sidley Austin and Center for Democracy & Technology (CDT) delved into workplace monitoring trends and issues at IAPP’s Privacy.Security.Risk. 2024 conference. This second article in a two-part series distilling their insights examines the legal and regulatory landscape applicable to employee privacy and offers compliance considerations. Part one discussed the types of employee data that companies are collecting and how and why they collect it, as well as employees’ concerns and how to navigate them.

See “Privacy and Data Security Regulators Discuss Enforcement Priorities and Collaborative Efforts” (Jul. 31, 2024).

Legislative and Regulatory Landscape

Companies need to be aware of the evolving regulatory attention being paid to workplace privacy issues at both the federal and state level.

California is the only state in which there are “limits on employers’ ability to collect that data and share it with third parties or sell it to third parties,” according to Matthew Scherer, CDT senior policy counsel, workers’ rights and technology. However, there are other state laws on the horizon and federal regulators are focusing on employee privacy issues as well. “This is not just California anymore,” he said.

CCPA Classes Employees Among Consumers

Under the California Consumer Privacy Act (CCPA), the definition of “consumers” is all-encompassing, CPPA senior privacy counsel and advisor Lisa Kim explained. “It applies not only to employees, but it applies to job applicants, independent contractors – anybody who is a human in California,” she said. The law used to have an exemption precluding its application to employee monitoring, but that expired in January 2023, she recounted. As a result, “basically all the rights and all the obligations that are set forth in the CCPA would also apply to employees.”

Purpose and Amount Limitations

The CCPA lays out limitations on the purposes for which data can be used and calls for a minimization of the data collected, Kim said.

Employers can only collect, use or retain an employee’s personal information for purposes that are reasonable, compatible with the employee’s expectations or that the employee has agreed to, Kim explained. And, she added, consent “cannot be obtained through the use of dark patterns and has to be explicit, specific, clear.”

The days of an “employer who decides to collect as much data as possible, without any articulated or explicit reason,” are in the past in California, according to Kim.

In addition to restricting the purposes of data collection, minimizing the amount of data collected is a principle enshrined in the California law, Kim stressed. This principle holds that any collection, use and retention of personal data must be proportionate to serve the purpose for which it was collected.

The state’s rules about purpose limitation and data minimization are set forth in California Civil Code § 1798.100 et seq., and are described in detail in regulations set forth in the California Code of Regulations, title 11, starting at § 7000. “I would strongly encourage looking at § 7002, because it goes into detail as to the factors of determining what is reasonably necessary and proportionate,” Kim advised.

Notice at Collection

Among the many requirements around disclosures, the CCPA mandates “notice at collection,” meaning that “notice is to be provided at or before the collection of the personal information,” Kim noted.

Companies must tell affected employees what information they intend to collect, what purpose it will serve, and whether it will be sold or shared, Kim continued. Moreover, there must be an opportunity for the individual to opt out of that sale or sharing of the data.

Because the CCPA applies to a range of individuals whose data might be collected, a company may have distinctive “notice at collection” procedures for different types of people, Kim observed. The typical procedure for employees will differ from how the company addresses this requirement with customers, she noted.

“LOCKED”

As laid out by the CPPA, CCPA consumer rights can be summarized with the acronym LOCKED, Kim shared, which stands for the following.

L: There is a right for employees to limit the use and disclosure of their sensitive personal information. Section 7027 of the CCPA regulations goes into detail about this right, Kim said.

O: Individuals have the right to opt out of the sale and sharing of their personal information.

C: Individuals have the right to correct inaccurate personal information that a business has about them.

K: Individuals have the right to know, also described as “the right to access” the personal information collected about them and how it is shared, according to Kim.

E: California provides a right to equal treatment. Businesses cannot discriminate against individuals for exercising their CCPA rights.

D: Individuals also have a right to delete personal information a business has collected from them. “Obviously there are some exceptions to that right to delete,” Kim clarified.

See “Employee Data Under the CPRA: Rights Requests, Privacy Policies and Enforcement” (Sep. 14, 2022).

Warehouse Worker Laws

Several states have passed legislation on the surveillance of warehouse workers, requiring that companies provide more transparency about the quotas workers are expected to fulfill, Scherer noted. In some cases, those state laws regulate the methods employers can use to monitor such quotas, he said. However, the CCPA is the only privacy law that applies to employees’ privacy in the workplace and “requires some level of transparency from employers about surveillance,” he clarified.

Proposed California Regulations

Further regulations around employee privacy have been proposed in California, Kim noted. California’s Civil Rights Council (CRC), which promulgates regulations to implement the state’s civil rights laws, has initiated rulemaking to protect against discrimination in employment resulting from the use of artificial intelligence (AI), algorithms and other automated decisionmaking technology (ADMT), she reported. This rulemaking process is “quasi-legislative in the sense that there is a publishing of the draft regulations that are set forth in the Notice Register,” she said, pointing out that a round of public comment has already been completed.

Separately, the CPPA is engaged in pre-rulemaking activities relating to ADMT, Kim continued. This is expected to yield regulations that pertain to the right to access and opt out of ADMT and “requirements for businesses to conduct a risk assessment” in instances of ADMT use, she explained. Because the CPPA’s process is still “in the pre-rulemaking stage,” the rules remain in draft form, although the agency has already published materials regarding its ADMT rulemaking.

The CRC regulations address discrimination against applicants and employees through the use of ADMT. The CPPA’s proposed regulations apply to consumers more generally, even outside of the employment context, and require businesses to provide pre-use opt-outs of the ADMT where applicable.

State, City, Federal Attention to AI Use

Other state and city laws that have been passed address the use of AI in the workplace. Colorado’s AI Act, which goes into effect at the beginning of 2026, will require developers and deployers of “high-risk” AI systems to use reasonable care to protect consumers from risks of algorithmic discrimination. Because employment decisions count as consequential decisions under the act, most companies must grapple with the high-risk AI requirements simply because they are employers.

New York City Local Law 144 of 2021 regulates the use of automated employment decision tools in the workplace, prohibiting their use unless the tool has undergone a bias audit and candidates or employees have been given notice.

Other states are considering workplace privacy legislation related to monitoring, AI and ADMT use as well. Maryland passed a 2020 bill requiring notice and consent before facial recognition technology is used in job interviews.

Illinois, which already has the Biometric Information Privacy Act, has adopted legislation requiring employers to notify applicants when AI is used to analyze their video interviews.

On the federal level, the U.S. Equal Employment Opportunity Commission launched an initiative in 2021 to see whether AI used in hiring and employment decisions complies with civil rights laws.

Moreover, the U.S. Department of Labor has shown an interest in AI’s use in the workplace, with its publications on Artificial Intelligence and Worker Well-being: Principles for Developers and Employers, Artificial Intelligence and Automated Systems in the Workplace under the Fair Labor Standards Act and Other Federal Labor Standards, and Artificial Intelligence and Equal Employment Opportunity for Federal Contractors.

FTC Focus on Workplace Privacy

Employee data privacy is very much in focus for the FTC. The Commission has received many comments around employee data in response to its advance notice of proposed rulemaking regarding commercial surveillance, Sidley Austin counsel Sheri Porath Rockwell said, referencing slides provided by David Walko, an attorney in the FTC’s Division of Privacy and Identity Protection, who was unable to attend the panel.

Some of the FTC’s employee privacy concerns are set forth in its reports and statements. The Commission’s 2023 Policy Statement on Biometric Information addresses unfairness in potentially harmful collection and use of information, as well as deceptive statements about collection.

Porath Rockwell noted that in its 2022 report to Congress, Combatting Online Harms Through Innovation, the FTC identified potential issues arising from the use of AI in the workplace, such as bias and discriminatory outcomes. Along with the FTC, other federal agencies also are focusing on workplace issues related to AI, she said.

The FTC’s 2022 Policy Statement on Enforcement Related to Gig Work discusses how the use of non-transparent algorithms can amplify the uneven bargaining power between firms and workers, Porath Rockwell added. Issues highlighted include workers’ lack of control over their schedules, a lack of transparency and uncertainty about the value of their work, she pointed out. The statement notes that unfair or deceptive practices by “an automated boss” can affect workers’ pay and performance ratings, and that firms may deploy surveillance technology without transparency. “Again, unfairness is what the FTC is looking at,” she stressed.

Underscoring the FTC’s concerns about AI use in the workplace, it has entered into memoranda of understanding with bodies including the National Labor Relations Board and the U.S. Department of Labor, looking into the impacts of algorithmic decision making on workers.

The use of AI monitoring in tracking workers’ time is one problem area under scrutiny, Porath Rockwell emphasized. An AI tool could fail to take account of a hotel cleaner being slower to service a room because a guest is late checking out, or to make allowances for a staffer needing to go off site on an employer’s request, she noted.

See our two-part series “FTC Signals Stricter Children’s Enforcement in NGL Labs Settlement”: Key Violations and Settlement Terms (Oct. 9, 2024), and Compliance Lessons (Oct. 23, 2024).

Compliance Considerations

The proliferation of regulatory attention to workplace surveillance and employers’ use of AI and ADMT brings mounting challenges for companies. They must evaluate and address privacy issues relating to these technologies and learn how to implement best practices for compliance.

“My prediction is that, in most states, there is going to be some form of meaningful transparency-for-workplace-surveillance law in place in the next five to ten years,” Scherer proffered. In terms of business planning, this is not a long timeframe, he cautioned. Companies that get ahead and start being transparent and thoughtful about surveillance “are the ones that are going to have the highest level of employee satisfaction when that legislation starts coming down the pipeline,” he said.

In California, where employee privacy laws are already in effect, the CPPA regularly receives complaints from employees regarding workplace surveillance, Kim stressed. “We have a robust complaint system,” she said, with several thousand complaints that have arrived. “Those complaints do inform some of our investigations,” she affirmed.

Communicate and Train Across Functions

Compliance professionals should communicate more closely with their companies’ human resources departments to help stay on the right side of the law in employee monitoring matters, Porath Rockwell suggested.

It is very important for businesses to impress privacy concerns upon the personnel dealing with employee data, be it the human resources team or someone else, Kim said. Leaders must be familiar with state and federal laws in the field.

Training company officers to adhere to privacy norms is a legal requirement under the CCPA, Kim pointed out. “The CCPA explicitly says that there is an obligation of businesses to ensure that those handling consumer data are aware of the law and the rights,” she said. For larger-scale cases – where a business is handling at least 10 million individuals’ personal information – the CCPA even calls for an “explicit documented training policy that is implemented and documented,” she added.

See “Tesco Is Making Big Strides With Little Learning Leaps” (May 25, 2022).

Ensure Notice and Consent Align With Actual Use

With the best of intentions, companies could be using employee data for different purposes than those for which they originally obtained consent. Companies should consider and communicate all purposes for which employee data will be used to ensure compliance with requirements such as California’s notice at collection, Porath Rockwell highlighted.

Porath Rockwell offered examples of failure to use employee data as communicated. In one such instance, a company’s employees had agreed to swipe badges when entering the office, for security purposes, but executives then wanted to use that information to track whether individuals were showing up to work. In another instance, a company used its employee data to procure pet insurance at a discount rate for its staff.

To comply with “purpose-based limitation” requirements, companies must bear in mind “the reasonable expectation of the employees,” Porath Rockwell advised.

Apply Well-Established Principles

“Purpose limitations, data minimization, transparency, fairness are all principles that we are familiar with and that can be applied in the workplace,” Kim said. While there may not be explicit rules for every context, established privacy principles can guide compliance professionals, she argued.

When a regulator comes knocking, Kim offered, companies are in a better position to defend their collection of employee data if they can show they understand and have applied established privacy principles.

See “Navigating U.S. Privacy Laws in Internal Investigations” (Aug. 28, 2024).

People Moves

White-Collar Partner Joins Shook in Chicago


Shook, Hardy & Bacon has expanded its government investigations and white collar practice by adding Jay Schleppenbach as a partner in Chicago. He arrives from Dechert.

With more than two decades of experience, both in private practice and government, Schleppenbach’s practice focuses on white-collar matters, internal investigations and complex litigation. He counsels companies, their boards and committees, senior executives and other individuals, advising on issues related to public corruption, environmental regulations and accounting matters, as well as alleged violations of U.S. securities laws and the FCPA.

Schleppenbach most recently served as a white-collar criminal litigator at Dechert. Earlier in his career, he spent nearly five years as an Assistant AG in Illinois, where he briefed and argued six cases before the Illinois Supreme Court.