Perhaps your computer system was hacked. Maybe you opened a container to find goods in it that did not belong to you (thank goodness they were not dangerous) or perhaps no goods but evidence people lived in the container while it was en route to the U.S., or you found sizable payments made to questionable parties in odd locations in the world when you checked your records. Perhaps the adverse event is a major product defect. It might also be a significant employment dispute. Whether faced with these serious issues or others equally compelling, once management has been presented with a “situation,” the first step is to figure out what happened and then what to do about it. This article contains best practices for conducting an internal investigation, but really the first question to address is when do you call in counsel? This may seem a self-serving question, but, in fact, whether you have in-house counsel or rely on outside counsel, it is in the company’s best interest to protect the investigation by cloaking it with the attorney-client privilege to sort out what happened, and to then address such important questions as:

1) Are there government agencies to which we are obliged to give notice about what happened? If so, is there a specific time frame under which we must act?

2) What do we tell our customers/clients and when?

3) What do we tell our staff and when?

4) Who on our staff was involved and what punishment is merited? Is our only choice to fire the people involved?

5) When do we tell our Board? Shareholders?

6) Should we report what happened to law enforcement? If so, to what agency and when?

7) If a vendor was involved, must we change vendors? If so, how quickly? Can we afford to cut off that vendor?

Until you are ready to answer all of these questions, and the many more that arise, it is best to keep the investigation confidential under the attorney-client privilege. For purposes of this article, we will frame the investigation as having to do with a cybersecurity breach, but these recommendations apply in any context where the company finds itself facing serious challenges.

Cloaking The Investigation With Privilege.

Best practice is to immediately engage outside counsel, have him/her lead the investigation, and include him/her on all communications from the start. While relying on in-house counsel alone may be sufficient to establish the privilege, it increases the risk that certain communications may fall outside of the privilege, based on whether the in-house counsel was using his or her “lawyer hat” or “business hat” for the particular communication. See Wellpoint Health Networks v. Superior Court, 59 Cal. App. 4th 110, 120 (1997). Having cloaked the investigation in privilege, it is equally important to be conscientious, both during the investigation and in its aftermath, to avoid any subsequent waiver. Generally, sharing a privileged communication with a third party will destroy the privilege. Pac. Pictures Corp. v. United States Dist. Court, 679 F.3d 1121, 1127 (9th Cir. 2012). While the rule appears simple, in the context of an investigation, complexities are likely to arise that readily complicate application of this rule.

Sharing information with the government, for instance, also presents a waiver dilemma. In California, there is a split of authority over whether, and in what circumstances, voluntary sharing of privileged documents with the government constitutes a waiver, whether during the investigation or after its conclusion. Compare McKesson HBOC, Inc. v. Superior Court, 115 Cal. App. 4th 1229 (2004) (disclosure of the results of an internal investigation to the U.S. Attorney and the Securities and Exchange Commission resulted in waiver); Regents of University of California v. Superior Court, 165 Cal. App. 4th 672 (2008) (results of privileged investigation produced to federal Corporate Fraud Task Force pursuant to subpoena did not waive the privilege; although Appellants could have refused to produce the results of the privileged investigation, cooperation with the federal agencies did not waive the privilege “because each defendant believed there would be severe regulatory or criminal consequences if it was labeled as uncooperative by the government”).

Moreover, the majority federal view is that such “selective waiver,” even with a confidentiality agreement in place, may not preserve the privilege. See, e.g., In re Pacific Pictures Corp., 679 F.3d at 1128-29; In re Columbia/HCA Healthcare Corp. Billing Practices Litigation, 293 F.3d 289, 302 (6th Cir. 2002); In re Qwest Communications Intern. Inc., 450 F.3d 1179 (10th Cir. 2006).

Accordingly, if faced with having to make a disclosure to the government, it would be wise to carefully frame the disclosure, including signing a confidentiality and joint-interest agreement, if possible, to strengthen arguments against waiver. However, having done so, there still remains a high degree of risk that any disclosure to any government entity constitutes a waiver.

The possibility of reliance on the investigation in future litigation may also raise issues regarding waiver. Typically, asserting reliance on an investigation or advice of counsel waives the privilege. See Wellpoint Health Networks, 59 Cal. App. 4th at 128 (“If a defendant employer hopes to prevail by showing that it investigated an employee’s complaint and took action appropriate to the findings of the investigation, then it will have put the adequacy of the investigation directly at issue, and cannot stand on the attorney-client privilege or work product doctrine to preclude a thorough examination of its adequacy.”). However, the privilege is waived only if and when the issue actually arises in a pending lawsuit, not at some point where there is only a possibility or likelihood that it will be raised. Id. at 129.

The key points to why you engage outside counsel from the outset are a company’s self-interest in controlling information regarding an adverse event and the legal interests protected by the involvement of counsel. The same is true when promptly bringing in-house counsel into the picture, but relying strictly on in-house counsel leaves the company vulnerable to the side issue of what “hat” counsel was wearing with each communication. If it is a business hat, the information exchanged is not privileged, and who wants to go through the nightmare of that collateral issue when the company is facing such serious challenges?

Best Practices for Conducting the Actual Internal Investigation

When setting out to investigate a cybersecurity breach, the company should first determine whether the investigation should be conducted by an “inside” human resources representative or attorney or an “outside” investigator or attorney. When selecting an investigator, in addition to the privilege considerations discussed above and below, consider whether the proposed investigator possesses the skills to properly conduct an investigation that could require technical knowledge of the systems affected.

A few additional things to keep in mind when conducting the investigation:

  • Jump in right away. The investigation should be conducted promptly, even if certain evidence is not immediately available or certain witnesses are unavailable or uncooperative. Any necessary delays in the investigation should be well documented.
  • Preserve all available evidence as soon as possible and before meeting with witnesses. Once it becomes clear an investigation is going to be conducted, people may alter or destroy electronic (or other) evidence purely out of self-preservation interests. Consider whether interim measures should be taken to preserve information; and, if so, what is available, how can it be done, and who should be involved in that effort?
  • Chase down all reasonable leads, regardless of where they might take you, ask the tough questions, and be flexible. In order to conduct a complete investigation, and in order to later defend the integrity of the investigation, the company must be able to show the investigation was fair, comprehensive and not biased.
  • Document witness interviews appropriately. The investigator should keep notes for each interview that capture both questions and answers and note the date and time of the interview and the people present. These notes may be essential support for the investigator’s conclusions and any resulting employment action taken. If appropriate, getting signed affidavits from the concerned parties may be a wise option.
  • Don’t jump to conclusions. There is almost always another side to the story. Make sure the investigator has reviewed all potentially relevant data and versions of what occurred before coming to any conclusions.
  • Once you have the outcome, take prompt but reasonable action. Once the source and scope of the problem are identified, take timely but prudent action and do not delay in doing so. The more serious the problem, the more reason to document everything that was done and why.

We mentioned above how best to protect the investigation – i.e., to cloak it in the attorney-client privilege. To illustrate the reason for that recommendation, one of our best practice recommendations was to preserve all available evidence and do so promptly. This is both a sensitive area and also one where applying the privilege can become complicated. The issue is sensitive because management wants to make sure it has all the evidence and knows the positive and negative about the situation. But, for the employee put in charge of the investigation, one of the first principles of such an effort is to keep those in the know to a small group, at least until the source and extent of the breach are known. If the investigation is started without counsel being involved, all those efforts are fair game for inquiry in any government investigation, employee action, or other litigation, including by whistleblower and class action plaintiffs. On the other hand, if counsel is involved from the start, the actions of the staff and even outside experts are protected from disclosure unless and until the company decides to voluntarily disclose any information.

Another point we raised is the investigator. It is important to keep in mind that often the skills needed to conduct the investigation are specialized, and so hiring outside experts can be necessary and prudent. The expert should work for the lawyer so there is no question that the expert is acting at the direction of the lawyer, and, thereby, those efforts are cloaked in the attorney-client privilege.

Another area where things can get complicated is when employees are interviewed. If not handled correctly, the company could end up with a whistleblower on its hands. So sensitivity during the interview process is key, but also making clear the attorney works for the company and not the employee is critical to the validity of the outcome.

The current situation with General Motors (GM) and its recall dilemma is a good example of how convoluted things can become. On the one hand, it is likely GM conducted an internal investigation about the ignition switches. From press reports, it seems possible GM had an inkling of the problem several years ago and so an investigation of some sort was probably conducted back then. On the other hand, GM likely wants to keep the results concealed for a variety of plausible reasons. For example, it wants its customers to see the company as compassionate and feel confidence in GM as it weathers the storm. GM also wants the regulators to see the company as compliant and this malfunction as an aberration. Further, GM wants its employees and shareholders to see it as a good, solid, and caring company. In short, quite understandably, GM wants to protect its good name and brand. Whether GM will be able to shield the results of any old investigations (or even a current one) remains to be seen, but depending on their results, GM may decide it is better served to waive the privilege and share those findings.

Exactly how the GM situation turns out will not be known for some time. A final and more public example is the dilemma Boeing found itself in a few years back when it hired someone from a competitor in order to gain an advantage in a government contract bidding process. Because it failed to conduct due diligence in the hiring and retention of that employee, it paid $615 million to settle criminal and civil charges. After the case was resolved, a member of the Boeing legal team spoke publicly about other consequences to the company. Among them were the following: senior executives being forced to plead guilty, serve time in a federal prison, pay a fine of $250,000, and forfeit approximately $5 billion in equity-based compensation; denial of export licenses; potential loss of security clearances; suspension or debarment; potential prohibition of the use and possession of explosive devices (needed for actuators on airplane doors); future impacts on contractor integrity scoring; defense of the Boeing competitor’s lawsuit; loss of $1 billion of launches and being suspended from the launch business for 20 months; employees fired or indicted; loss of the U.S. Government tanker market; and being forced to recompete certain projects. But the biggest damage was to the company’s reputation. Did people still want to work there? How can employees and others see the company in a good light?

While certainly there is not a lot of detail available even now about the specifics of any internal investigation Boeing conducted, it is reasonable to expect there was one. The question is when it was conducted. It would also be critical to know how far into its investigation the government was when it was completed. Given the severity of the penalties on Boeing and its staff, there is reason to think the results of any internal investigation might not have been a great bargaining chip. While this is admittedly speculation, when you look at the situation, the question you have to ask is, if you were faced with a similar situation, how would you conduct the investigation? What is the team you would bring together to help you? Wisdom suggests managers should have these questions answered before the situation explodes rather than being reactive. Are you ready?