I have facilitated Martindale Counsel to Counsel forums all over the world since 2000. These discussions are "best practice" exchanges by corporate counsel and law firm lawyers about a particular topic. Consistently, they are the best-received CLE programs I've seen among buyers of legal services and senior law firm partners.
Yesterday's program in New York was a popular one - it always is, given the regulatory climate in a post-Enron world. All participants (17 corporate counsel and 6 law firm partners - 2 each from co-hosts Andrews Kurth, LeClair Ryan and Morvillo, Abramowitz) were well prepared and shared a 5-minute best practice based on real-world experiences. We heard war stories from the trenches of legal departments about compliance concerns, enforcement challenges and next steps in their thoughtful compliance planning and handling.
I thought I'd include my introductory remarks here - it's a good primer on what's on the minds of sophisticated buyers of high-end corporate legal services.
A special thanks to my co-chairs for the program: Vanessa Vargas-Land, Vice President and Assistant Compliance Officer, Archer Daniels Midland, and Gregg Formella, Senior Attorney, American Airlines.
Here is my introduction:
Lexis Nexis/Martindale has sponsored Counsel to Counsel forums around the world since 2000, and I have facilitated many of them since the very beginning. The purpose is to bring corporate counsel and law firm lawyers together in open and candid discussions around many of the hottest issues and concerns of the day.
How many of you are new participants to Counsel to Counsel? As you see with our table set-up today, this forum is the antithesis of a “talking head CLE.” The best Counsel to Counsel forums are those where participants are interactive, open and candid. So, get comfortable, ask questions, share opinions—even when you disagree. Don’t be shy about sharing your war stories and experiences.
Having said that, today’s forum is “off the record.” Some of you will be contacted about sharing your best practice as an article. And others will be posted in the legal articles database at martindale.com. But nothing will be done or shared without your review and approval.
Now, let me briefly set the stage for our discussion. In my research for today, I found several conditions and developments that impact corporations and how they do business in the U.S. and abroad.
1. Since 2007, regulators and commentators have touted each year as a new record-breaking year for FCPA enforcement. 2010 saw a record-breaking year in corporate fines and prison terms for individual defendants.
The number of FCPA enforcement actions increased by 85% from 2009 to 2010.
As of June 30 this year, 17 actions have been filed, and 2011 is poised to yield a record number of trials and defendants to challenge FCPA charges. Even Corporate America is playing its part, with the first ever FCPA trial of a company.
2. The monetary penalties assessed against corporations in 2010 were also astounding in their magnitude. In total, companies paid a record $1.8 billion in financial penalties to the DOJ and SEC in 2010. Of the top 10 biggest FCPA settlements of all time, eight of them were reached in 2010.
3. In just one 2011 case (and there are several notable ones, including IBM and Tyson), in April of this year, Johnson & Johnson agreed to pay $77 million in combined penalties related to improper payments to government officials in Poland, Greece and Romania. According to every report I read, Johnson & Johnson was very forthcoming, and admitted responsibility for its actions and subsidiary company actions in these countries, as well as in Iraq.
4. In countries with socialized medicine, every doctor in the country may be considered a government official. Doctors’ research payments or even travel and entertainment payments to induce product or pharmaceutical purchases may violate the statute.
5. As troubling as the government actions, financial penalties and reputation damage are to a company, there are new civil threats from enterprising plaintiffs seeking to capitalize on FCPA misconduct: derivative claims, securities fraud actions, tort and contract law claims, employment lawsuits, and private actions under RICO statutes.
6. The FCPA Law blog regularly publishes the “corporate investigations list.” The last list I could find was published in January 2011 - it listed 71 companies (nearly all of them issuers) that are known to be the subject of an ongoing and unresolved FCPA-related investigation. With social media and blogs, it is nearly impossible to keep such investigations quiet, even in their earliest stages.
7. Dodd-Frank introduced more than 2,000 pages of new regulations and provisions. As a result of the new Whistleblower rules under Dodd-Frank, companies are fearful of more whistleblowing, more lawsuits, more fines and a much higher cost of compliance. The new rule doesn’t require Whistleblowers to report violations internally to qualify for an award under the SEC’s program. How do you establish a spirit in your company that encourages your employees to invest in your compliance protocols before they go to the SEC?
In most cases, the SEC will not consider information that was obtained through a communication that was subject to the attorney-client privilege. This is one more reason to ensure that privilege isn’t needlessly eroding in your companies.
A final note about Dodd-Frank – it included an obscure provision called “Conflict Minerals” where U.S. companies have to report whether certain minerals, such as gold, are used in their products – even trace amounts – and whether those minerals came from the Congo and adjoining countries. Even though it isn’t illegal to use them, companies will be required to audit and report on where the minerals they use come from. The idea is that shareholders and consumer groups will put pressure on companies to stop using anything from the Congo because of its human rights violations.
It isn't finalized yet, but nearly 6,000 U.S. companies are expected to be affected by this provision as of Jan. 2012.
8. With the blurring of one’s personal life and professional life – because of the ubiquitous nature of social media and proliferation of smartphones and other devices that we use in the workplace – corporate compliance and controls have the potential of eroding every day.
Security experts say that employees are easy targets for security breaches because we readily and enthusiastically post volumes of information about ourselves and our jobs online. Blogs and social media sites like LinkedIn are very useful sites for criminals – since many of us share details about our roles at work.
In May, a Hewlett-Packard executive accidentally exposed the company’s cloud computing strategic plans on LinkedIn by updating his profile with details about what the company was building. Bloggers and probably competitors quickly noticed it before the executive could take it down. This was an executive!!
9. How many of you use Gmail for your personal email? In June of this year, Google shut down a phishing attack that targeted the personal Gmail accounts of what it described as senior U.S. Government officials, Chinese and South Korean political activists and others who were communicating through Gmail instead of through the official, secure email accounts of their organizations.
10. The challenge for compliance officers and the legal department is that social media is inherently decentralized. Social media amplifies and broadcasts our personal bad decisions and our bad judgment.
11. Carrying and using smartphones and tablets carries the risk of introducing unknown security holes inside the corporate networks. And senior executives in your companies are often the most guilty of leaping on the latest gadgets!
12. As we all know, when it comes to compliance, people are the weak link in every organization. Another thing that well intentioned employees do is share their corporate login and password with employees inside the company – after receiving an email requesting them. Hackers have figured out how to have such a request appear as though it’s coming from an internal, trusted account, such as the IT dept. The answer from a compliance standpoint? Have a policy where employees NEVER share their login credentials and passwords with anyone in your company. Not even your CEO. If you get such a request – notify the appropriate IT compliance person.
13. Gregg and others of you will talk about the increasingly important role of IT in your compliance program. I’m wondering if you have gone so far as to have IT security experts assigned to the compliance dept?
14. In 2010, 662 organizations publicly disclosed data breaches – and the number is likely much higher because countless companies don’t disclose them.
A final thought before I turn it over to the co-chairs: Challenging times in the world of business signal an opportunity to rethink things—from ethics and compliance guidelines to business models. For the in-house/outside counsel relationship, there is an opportunity to get creative, focus on cementing the best relationships and locking in value, and look at how outside services are priced, handled and managed.