I Wish The Real World Would Just Stop Hassling Me: Dealing with Regulators

Preventing Investigations—Effective Compliance Programs

Developing a Comprehensive Compliance Program:

Identifying Applicable Legislative and Regulatory Issues and Agencies

In June 2020, the DOJ updated its Evaluation of Corporate Compliance Programs guidance. That guidance is meant to assist prosecutors in making informed decisions as to whether and to what extent the corporation’s compliance program was effective at the time of the offense and is effective at the time of a charging decision or resolution, for purposes of determining the appropriate resolution. Factors considered by the DOJ include the following:

• Is the corporation’s compliance program well designed?
• Is the program being applied earnestly and in good faith?
• Is the program adequately resourced and empowered to function effectively?
• Does the corporation’s compliance program work in practice?

Potential Areas for Compliance Programs

• Product Safety
• Workplace Safety
  • OSHA
  • State OSHA
• Advertising and Promotion
• Interacting with Competitors/Trade Associations
  • Sherman and Clayton Act
  • Robinson Act
    • Section 5: Unfair Competition
  • Employment Practices
    • Harassment
    • Discrimination
    • Non-Compete and Non-Solicitation Agreements
  • Responding/Reacting to Whistleblowers
  • Ability to Control Employee Communications: Policies and Communications
    • Policies regarding use of platforms not controlled by the company and use of company servers for company-related matters (WhatsApp, texting from personal devices, etc.)
  • Document Retention Policies

Compliance Programs in Acquisitions

• Understanding New DOJ Guidelines for Acquisitions
  • Highlights of the Safe Harbor Policy include:
    • Timing: Companies must disclose misconduct that is discovered at the acquired entity within six months from the date of closing, whether the misconduct was discovered pre-acquisition or post-acquisition.
    • Remediation: Companies will have a baseline time period of one year from the date of closing to fully remediate the misconduct. Recognizing that not all deals are the same, both baselines are subject to a reasonableness analysis and, depending on the specific facts, circumstances, and complexity of a particular transaction, those deadlines could potentially be extended by prosecutors.
    • Aggravating factors: The presence of aggravating factors at the acquired company will not, in any way, impact the acquiring company’s ability to receive a declination. Unless aggravating factors exist at the acquired company at the time of acquisition, that entity can also qualify for applicable Voluntary Self Disclosure (VSD) benefits.
    • Recidivism: Misconduct disclosed under the Safe Harbor Policy will not be factored into future recidivist analysis for the acquiring company.
    • As with any VSD, the Safe Harbor Policy does not apply to misconduct that was otherwise required to be disclosed or already public or known to the Department.
• The policy will only apply to criminal conduct discovered in bona fide, arms-length M&A transactions. To that end, PADAG Miller warned that “our prosecutors will be scrutinizing every disclosure. Not only would a sham transaction not qualify, but it may even subject the disclosing company to additional criminal liability. For example, if we find out that a company improperly structured a transaction to avoid applicable reporting obligations, it would not qualify for the protections of the policy.”

Proactivity When Something Goes Wrong – Reporting Requirements

Consumer Product Safety Commission (CPSC)

Consumer Product Safety Act (CPSA) and Consumer Product Safety Improvement Act (CPSIA)

1. Children’s toys
2. Children’s Products
3. Clothing[i]

Most Penalties are Imposed for Failure to Report

• Obligated to report when a product:
• fails to comply with an applicable consumer product safety rule or with a voluntary consumer product safety standard upon which the Commission has relied under Section 2058 of this title;
• fails to comply with any other rule, regulation, standard, or ban under this chapter or any other Act enforced by the Commission;
• contains a defect which could create a substantial product hazard described in subsection (a)(2); or
• creates an unreasonable risk of serious injury or death
• Report required within 24 hours of learning of any of the above.[ii]
• “If a particular model of a consumer product is the subject of at least 3 civil actions that have been filed in Federal or State court for death or grievous bodily injury which in each of the 24-month periods defined in subsection (b) result in either a final settlement involving the manufacturer or a court judgment in favor of the plaintiff, the manufacturer of such product shall, in accordance with subsection (c), report to the Commission each such civil action within 30 days after the final settlement or court judgment in the third of such civil actions, and, within 30 days after any subsequent settlement or judgment in that 24-month period, any other such action.” [iii]

CPSC can Impose Fines for Failure to Report

• Recent examples
  • $19.065 million civil penalty against a fitness company related to potentially lethal defects in its treadmill.
  • $15.8 million penalty against a generator manufacturer for amputation and crushing hazards posed by its portable generators.
  • Appliance manufacturer was hit with a $11.5 million penalty for burn and fire hazards associated with electric cooktops.
  • $16 million penalty for consumer injuries caused by hot water leaking from defective clothing steamers.
• In each case a significant portion of the penalty in each instance was due to the company’s failure to timely report the product’s hazard to the CPSC.

Corrective Action (Recalls)

• Typically voluntary, but CPSC does have authority to compel corrective action[iv]
• Commission may order the manufacturer or any distributor or retailer of the product to take any one or more of the following actions:

(A) To cease distribution of the product.

(B) To notify all persons that transport, store, distribute, or otherwise handle the product, or to which the product has been transported, sold, distributed, or otherwise handled, to cease immediately distribution of the product.

(C) To notify appropriate State and local public health officials.

(D) To give public notice of the defect or failure to comply, including posting clear and conspicuous notice on its Internet website, providing notice to any third-party Internet website on which such manufacturer, retailer, distributor, or licensor has placed the product for sale, and announcements in languages other than English and on radio and television where the Commission determines that a substantial number of consumers to whom the recall is directed may not be reached by other notice.

(E) To mail notice to each person who is a manufacturer, distributor, or retailer of such product.

(F) To mail notice to every person to whom the person required to give notice knows such product was delivered or sold[v]

• Manufacturer or distributor may also be criminally prosecuted
  • In November 2023, a jury in Los Angeles, CA convicted two corporate executives of conspiracy to defraud the CPSC and failure to report information related to defective residential dehumidifiers that had been linked to multiple fires. Simon Chu, 68, of Chino Hills, California, and Charley Loh, 65, of Arcadia, California, were convicted of conspiracy to defraud the CPSC and failure to furnish information as required by the CPSA. The defective humidifiers sold by Chu and Loh’s companies were included in multiple recalls of dehumidifiers manufactured by Gree Electric Appliances, Inc. of Zhuhani (Gree Zhuhani) in China. According to the recall notices, more than 450 reported fires and millions of dollars of property damages have been linked to the recalled dehumidifiers.
  • Gree USA was sentenced to pay a $500,000 criminal fine after pleading guilty to failing to notify the CPSC about the problems with the dehumidifiers. That fine, along with provisions requiring payment of restitution to victims, was part of a $91 million resolution of criminal charges against Gree USA, Gree Zhuhai and several related companies.
  • “Companies and their employees should immediately report known dangerous consumer products to the Consumer Product Safety Commission so the products can be recalled as soon as possible,” said Principal Deputy Assistant Attorney General Brian M. Boynton, head of the Justice Department’s Civil Division. “The Justice Department will prosecute companies and their employees when they willfully put the public in harm’s way by failing to report known dangerous products.”
  • “It is critical to hold corporate executives accountable for misconduct,” said U.S. Attorney Martin Estrada for the Central District of California. “The importation and sale of defective consumer products can lead to injury and death, and this verdict sends a clear message that putting profits over safety will not be tolerated.”
  • “The safety of the American public is the top priority for HSI, and products like these can turn an ordinary purchase into deadly consequences.” said Special Agent in Charge Eddy Wang for Homeland Security Investigations (HSI) Los Angeles. “HSI Los Angeles will continue to work diligently to ensure our supply chain is safe from products that can harm consumers.”

National Highway Transportation Safety Administration (NHTSA)

• Typically voluntary
• NHTSA does have the authority to pursue recalls[vi]
  • When a motor vehicle or item of motor vehicle equipment (including tires) does not comply with a Federal Motor Vehicle Safety Standard
  • When there is a safety-related defect in the vehicle or equipment
    • The United States Code for Motor Vehicle Safety (Title 49, Chapter 301) defines motor vehicle safety as “the performance of a motor vehicle or motor vehicle equipment in a way that protects the public against unreasonable risk of accidents occurring because of the design, construction, or performance of a motor vehicle, and against unreasonable risk of death or injury in an accident, and includes nonoperational safety of a motor vehicle.”[vii]

Examples of Defects Considered Safety-Related:

• Steering components that break suddenly, causing partial or complete loss of vehicle control
• Problems with fuel system components, particularly in their susceptibility to crash damage, which result in leakage of fuel and may cause vehicle fires
• Accelerator controls that break or stick
• Wheels that crack or break, which may result in loss of vehicle control
• Engine cooling fan blades that break unexpectedly, causing injury to people working on a vehicle
• Windshield wiper assemblies that fail to operate properly
• Seats and/or seat backs that fail unexpectedly during normal use
• Critical vehicle components that break, fall apart, or separate from the vehicle, causing potential loss of vehicle control or injury to people inside or outside the vehicle
• Wiring system problems that result in a fire or loss of lighting
• Car ramps or jacks that may collapse and cause injury to someone working on a vehicle
• Air bags that deploy under conditions for which they are not intended to deploy
• Car seats and booster seats that contain defective safety belts, buckles, or components that create a risk of injury not only in a vehicle crash, but also in the nonoperational safety of a motor vehicle[viii]

Reporting Obligations

• “Each manufacturer shall furnish a report to the NHTSA for each defect in his vehicles or in his items of original or replacement equipment that he or the Administrator determines to be related to motor vehicle safety, and for each noncompliance with a motor vehicle safety standard in such vehicles or items of equipment which either he or the Administrator determines to exist.”[ix]
• “Each report shall be submitted not more than 5 working days after a defect in a vehicle or item of equipment has been determined to be safety related, or a noncompliance with a motor vehicle safety standard has been determined to exist.”[x]

Food and Drug Administration

Food Safety Modernization Act

Traceability

• The Food Traceability Rule mandates that businesses involved in manufacturing, processing, packing, or holding foods on the Food Traceability List (FTL) maintain records with key data elements (KDEs) for specific supply chain activities, which the FDA has defined as critical tracking events (CTEs). This information must be captured, stored and maintained for 24 months, and event data must be made available to the FDA within 24 hours upon request. Additionally, shipping events must be shared with supply chain partners.
• Compliance date: January 20, 2026

The Food Traceability List[xi]

Food	Description
Cheeses, other than hard cheeses, specifically:
Cheese (made from pasteurized milk), fresh soft or soft unripened	Includes soft unripened/fresh soft cheeses. Examples include, but are not limited to, cottage, chevre, cream cheese, mascarpone, ricotta, queso blanco, queso fresco, queso de crema, and queso de puna. Does not include cheeses that are frozen, shelf stable at ambient temperature, or aseptically processed and packaged.
Cheese (made from pasteurized milk), soft ripened or semi-soft	Includes soft ripened/semi-soft cheeses. Examples include, but are not limited to, brie, camembert, feta, mozzarella, taleggio, blue, brick, fontina, monterey jack, and muenster. Does not include cheeses that are frozen, shelf stable at ambient temperature, or aseptically processed and packaged.
Shell eggs	Shell egg means the egg of the domesticated chicken.
Nut butters	Includes all types of tree nut and peanut butters. Includes all forms of nut butters, including shelf stable, refrigerated, and frozen products. Examples include, but are not limited to, almond, cashew, chestnut, coconut, hazelnut, peanut, pistachio, and walnut butters. Does not include soy or seed butters.
Cucumbers (fresh)	Includes all varieties of fresh cucumbers.
Herbs (fresh)	Includes all types of fresh herbs. Examples include, but are not limited to, parsley, cilantro, and basil. Herbs listed in 21 CFR 112.2(a)(1), such as dill, are exempt from the requirements of the rule under 21 CFR 1.1305(e).
Leafy greens (fresh)	Includes all types of fresh leafy greens. Examples include, but are not limited to, arugula, baby leaf, butter lettuce, chard, chicory, endive, escarole, green leaf, iceberg lettuce, kale, red leaf, pak choi/bok choi, Romaine, sorrel, spinach, and watercress. Does not include whole head cabbages such as green cabbage, red cabbage, or savoy cabbage. Does not include banana leaf, grape leaf, and leaves that are grown on trees.  Leafy greens listed in § 112.2(a)(1), such as collards, are exempt from the requirements of the rule under § 1.1305(e).
Leafy greens (fresh-cut)	Includes all types of fresh-cut leafy greens, including single and mixed greens.
Melons (fresh)	Includes all types of fresh melons. Examples include, but are not limited to, cantaloupe, honeydew, muskmelon, and watermelon.
Peppers (fresh)	Includes all varieties of fresh peppers.
Sprouts (fresh)	Includes all varieties of fresh sprouts (irrespective of seed source), including single and mixed sprouts. Examples include, but are not limited to, alfalfa sprouts, allium sprouts, bean sprouts, broccoli sprouts, clover sprouts, radish sprouts, alfalfa & radish sprouts, and other fresh sprouted grains, nuts, and seeds.
Tomatoes (fresh)	Includes all varieties of fresh tomatoes.
Tropical tree fruits (fresh)	Includes all types of fresh tropical tree fruit. Examples include, but are not limited to, mango, papaya, mamey, guava, lychee, jackfruit, and starfruit. Does not include non-tree fruits such as bananas, pineapple, dates, soursop, jujube, passionfruit, Loquat, pomegranate, sapodilla, and figs. Does not include tree nuts such as coconut. Does not include pit fruits such as avocado. Does not include citrus, such as orange, clementine, tangerine, mandarins, lemon, lime, citron, grapefruit, kumquat, and pomelo.
Fruits (fresh-cut)	Includes all types of fresh-cut fruits. Fruits listed in § 112.2(a)(1) are exempt from the requirements of the rule under § 1.1305(e).
Vegetables other than leafy greens (fresh-cut)	Includes all types of fresh-cut vegetables other than leafy greens. Vegetables listed in § 112.2(a)(1) are exempt from the requirements of the rule under § 1.1305(e).
Finfish (fresh and frozen), specifically:
Finfish, histamine-producing species	Includes all histamine-producing species of finfish. Examples include, but are not limited to, tuna, mahi mahi, mackerel, amberjack, jack, swordfish, and yellowtail.
Finfish, species potentially contaminated with ciguatoxin	Includes all finfish species potentially contaminated with ciguatoxin. Examples include, but are not limited to, grouper, barracuda, and snapper.
Finfish, species not associated with histamine or ciguatoxin	Includes all species of finfish not associated with histamine or ciguatoxin. Examples include, but are not limited to, cod, haddock, Alaska pollock, salmon, tilapia, and trout. Siluriformes fish, such as catfish, are not included.
Smoked finfish (refrigerated and frozen)	Includes all types of smoked finfish, including cold smoked finfish and hot smoked finfish.
Crustaceans (fresh and frozen)	Includes all crustacean species. Examples include but are not limited to shrimp, crab, lobster, and crayfish.
Molluscan shellfish, bivalves (fresh and frozen)	Includes all species of bivalve mollusks. Examples include, but are not limited to, oysters, clams, and mussels. Does not include scallop adductor muscle. Raw bivalve molluscan shellfish that are (1) covered by the requirements of the National Shellfish Sanitation Program; (2) subject to the requirements of 21 CFR part 123, subpart C, and 21 CFR 1240.60; or (3) covered by a final equivalence determination by FDA for raw bivalve molluscan shellfish are exempt from the requirements of the rule under § 1.1305(f).
Ready-to-eat deli salads (refrigerated)

Modernization of Cosmetics Regulation Act of 2022 (MoCRA)

• Requires that a “responsible person” must report serious adverse events associated with the use of cosmetic products in the United States to the FDA within 15 business days, and include a copy of the label on or within the retail packaging of such cosmetic product.
• Reauthorizes FDA authority to collect certain fees related to drugs, medical devices, and biosimilar biological products and modifies such fees, including the base fee amounts.
• Establishes that certain requirements related to obtaining market approval for a new drug or a biosimilar may be satisfied using alternatives to animal testing, such as in vitro tests.
• Authorizes the FDA to require that certain drugs be dispensed with a safe disposal system even if the system does not render a drug nonretrievable (current law requires such a system to render the drug nonretrievable).
• Establishes time lines for the FDA to respond to requests to determine whether a drug is a therapeutic equivalent to an approved drug.
• Modifies the accelerated process for approving products for a serious or life-threatening disease or condition and establishes an intra-agency coordinating council to ensure consistent and appropriate use of the process.
• Requires additional regulation of cosmetics, including by requiring manufacturers to register manufacturing facilities and each cosmetic product with the FDA.
• Requires dietary supplement manufacturers to provide to the FDA certain information, including a list of all ingredients, about each dietary supplement that it markets.
• Requires an in vitro clinical test to receive FDA premarket approval or a technology certification (or be otherwise exempted) before being introduced into interstate commerce.
• Requires the FDA to temporarily relax certain premarket requirements for a manufacturer that intends to market a new infant formula.

Federal Trade Commission

Recent Enforcement Focus

• Unfair Trade Practices (Robinson Act, Section 5)
  • FTC believes this extends far beyond reach of Sherman or Clayton Antitrust acts
• False or misleading advertising
  • Made in USA
  • $2,000,000 settlement with tractor maker Kubota North America Corporation
    • Unqualified U.S. origin claims should be substantiated by evidence that the product is all or virtually all made in the United States
  • Greenwashing
  • Right to repair under Magnuson Moss Act
    • The statute’s “anti-tying” prohibition – makes it illegal for a company to condition a warranty “on the consumer’s using, in connection with such product, any article or service (other than an article or service provided without charge under the terms of the warranty) which is identified by brand, trade, or corporate name.” In other words, companies can’t tell customers they will void a customer’s warranty or deny warranty coverage if the customer uses a part made by someone else or has someone other than the dealer repair the product.
    • There are two narrow instances where that prohibition doesn’t apply:
      • If the company has received a waiver in advance from the FTC after proving that the product will work properly only if a specific branded part is used.
      • If the warranty states that the company will provide the identified parts and services for free.
    • A manufacturer can’t avoid liability by providing free parts or services to repair or replace defective parts if its warranty conveys that customers must use a specific brand of parts or specific service providers in other situations. Put another way, if a company will replace certain parts for free – but will still void a consumer’s warranty for using another maker’s parts for other purposes – the company has violated the law.
  • Employment Practices
    • Non-compete agreements
    • Anti-poaching agreements (criminal prosecutions)
  • Dark matter on web sites
    • Negative options (default obligations and purchases)
  • Misleading customer reviews
  • Use of influencers–FTC Guides Concerning the Use of Endorsements and Testimonials in Advertising (“the Guides”)
    • Filtering poor reviews
    • Ability to moderate content
    • Obligation to monitor paid influencers for compliance
      • Manipulated or distorted reviews
      • Paying for positive reviews (even if payment is disclosed)

Ability to Impose Fines and Penalties

• AMG Capital Management, FTC can no longer obtain equitable monetary relief, such as restitution or disgorgement, in federal courts under Section 13(b) of the FTC Act — a provision the Commission had frequently employed to seek monetary and injunctive relief.
• Regulations allow for civil penalties under Telemarketing Sales Rule (TSR), the Restore Online Shoppers’ Confidence Act (ROSCA), the Children’s Online Privacy Protection Rule (COPPA) and the Made in USA Labeling Rule.
• On November 21, 2023, the Federal Trade Commission (“the FTC”) announced its approval of an omnibus resolution authorizing the use of compulsory process for nonpublic investigations concerning products or services that use artificial intelligence (“AI”). Compulsory process refers to information or document requests, such as subpoenas or civil investigative demands, for which compliance is enforceable by courts.
  • Recipients who fail to comply with compulsory process may face contempt charges.
  • Before issuing compulsory requests, FTC Staff (“Staff”) must typically seek a resolution from the Commission. This omnibus resolution streamlines Staff’s ability to issue compulsory requests to companies offering products or services involving AI and will be in effect for ten years. By reducing the administrative “red tape” associated with issuing a compulsory request broadly related to AI, this omnibus resolution appears to allow the FTC to more easily issue compulsory process to companies using or offering AI that it believes have information of interest to its competition or consumer protection investigations.

FTC Guidelines for Use of Influencers

• What triggers investigation
  • Whistle blowers
  • Statutory protection
    • Dodd Frank
    • Other federal protections
    • State examples
    • New York Labor Law 740
  • An employer shall not take any retaliatory action against an employee, whether or not within the scope of the employee’s job duties, because such employee does any of the following:
    • (a) discloses, or threatens to disclose to a supervisor or to a public body an activity, policy or practice of the employer that the employee reasonably believes is in violation of law, rule or regulation or that the employee reasonably believes poses a substantial and specific danger to the public health or safety;
    • (b) provides information to, or testifies before, any public body conducting an investigation, hearing or inquiry into any such activity, policy or practice by such employer; or
    • (c) objects to, or refuses to participate in any such activity, policy or practice
  • More whistle blowers are going straight to hot lines and social media

Securities and Exchange Commission (SEC)

Recent Focus

• Whistleblower protection under Dodd-Frank
  • $18 million sanction against JP Morgan for Rule 21F-17(a) violations
  • In September, the agency fined D.E. Shaw $10 million for violating Rule 21F-17(a) through restrictive non-disclosure agreements
• Greenwashing (misrepresenting environmental impact)
• AI washing/misrepresenting AI capabilities
  • Technology only qualifies as AI if it exhibits some level of learning, adapting, or autonomy.

Enforcement Data

• The SEC announced that it filed 784 enforcement actions during its 2023 fiscal year, a 3% increase over the previous year, including:
  • 501 original enforcement actions, an 8% increase year over year
  • 162 “follow-on” administrative proceedings seeking to bar or suspend individuals from certain functions in the securities markets based on criminal convictions, civil injunctions, or other orders
  • 121 actions against issuers who were allegedly delinquent in making required filings with the SEC
  • 133 individuals barred from serving as officers and directors of public companies – the highest number in a decade
• The enforcement actions covered a wide range of violations, including but not limited to insider trading, accounting fraud, disclosure failures, and market abuse. Notably, the SEC has been vigilant in addressing emerging issues such as cybersecurity concerns and digital asset compliance.
  • The SEC secured significant monetary sanctions in its enforcement actions, reporting orders for $4.9 billion in financial remedies, the second highest amount in its history. The financial remedies comprised $3.4 billion in disgorgement and prejudgment interest and $1.6 billion in civil penalties. Both the disgorgement and civil penalties ordered were the second highest amounts on record. The SEC also obtained orders barring 133 individuals from serving as officers and directors of public companies, the highest number of officer and director bars obtained in a decade.
  • In addition, the SEC distributed $930 million to harmed investors in fiscal year 2023, marking the second consecutive year with more than $900 million in distributions.
  • In its results, the SEC highlighted the value of cooperation in its enforcement efforts. Companies and individuals who cooperated with investigations were acknowledged, and the whistleblower program continued to play a crucial role in identifying and addressing violations. Fiscal year 2023 was a record-breaking year for its Whistleblower Program, and whistleblower awards totaling nearly $600 million were issued, the most ever awarded in one year, including a record-breaking $279 million awarded to one whistleblower.

Record–Breaking Year for Whistleblowers

• The SEC continues to encourage whistleblowers to report potential securities violations. According to the enforcement results, the SEC received 18,000 whistleblower tips in FY23 – an all-time high and approximately 50% more than were received last year. In total, the SEC received more than 40,000 tips, complaints and referrals (a 13% increase from FY22). The SEC issued whistleblower awards of almost $600 million, the highest amount ever awarded in one year. These awards included a record $279 million award that went to one whistleblower.
• The SEC also highlights its protections of whistleblowers. As an example, the SEC settled charges against a major registered investment adviser for raising impediments to whistleblowing, and charged firms for using employment and separation agreements that violated the whistleblower protection rule.

Rewards for Meaningful Cooperation and Self-Disclosure

• The SEC continues to reward meaningful cooperation “to efficiently promote compliance” across the industry. According to the enforcement results, “[r]ewarding parties that cooperate encourages other firms to proactively self-police, self-report, and remediate potential securities law violations and to provide meaningful cooperation with the Division’s investigations.” To that end, in FY23, the SEC rewarded cooperation in cases against public issuers, private companies and advisory firms in matters involving a wide range of violations – including material misstatements, recordkeeping violations, undisclosed perquisites and violations of whistleblower protection rules.
• The enforcement results highlighted several actions in which companies promptly self-reported conduct to the SEC, undertook affirmative remedial measures and provided substantial cooperation. Such cooperation included the provision of “detailed financial analyses and explanations and summaries of factual issues” during the investigation, “proactively identifying key documents and witnesses,” and responding to several SEC requests without the need for a subpoena. As a result, in those matters no civil penalties were ordered, or the penalties ordered were significantly lower than are typical for the violations at issue.
• As in prior years, the SEC reiterated that “[i]ndividual accountability remains a pillar of the SEC’s enforcement program.” Approximately two-thirds of the SEC’s cases in FY23 involved charges against one or more individuals, and, as mentioned above, the SEC obtained orders barring 133 individuals from serving as officers and directors of public companies. The enforcement results highlighted several fraud-related cases in which officer and director bars were imposed (among other remedies) – including cases against a former Wells Fargo executive, who was charged with fraud for misleading investors about “the success of Wells Fargo’s core business,” and the former CEO of McDonald’s, who was charged with making false and misleading statements about “the circumstances leading to his termination from McDonald’s.”

Continued Focus on ESG, Crypto, and Other Disclosures

• Consistent with SEC Director Gurbir Grewal’s recent statements at the 2023 Berkeley Fall Forum on Corporate Governance, the enforcement results emphasize the increased importance of environmental, social and governance (ESG) issues to investors, resulting in an increased focus on related public company disclosures. In FY23, the SEC brought several enforcement actions addressing ESG issues, including charges against companies for making materially misleading statements about ESG-related controls and failure to maintain disclosure controls and procedures regarding employee complaints about workplace misconduct.
• The SEC also continued its focus on crypto assets and expanded into non-fungible tokens (NFTs), filing its first actions against issuers of NFTs. The enforcement results highlighted charges alleging “massive crypto frauds” brought against multiple high-profile companies. The SEC also flagged multiple cases where “influencers” allegedly unlawfully “touted” crypto assets without disclosing that they were compensated to do so.
• The report also shows a number of other major areas of enforcement actions, including recordkeeping, cybersecurity, and ESG.

Commodity Futures Trading Commission (CFTC) Enforcement Data

• The CFTC’s enforcement results included “a record setting number of digital asset cases, actions to hold registrants to their regulatory obligations, manipulation and spoofing actions, and precedent-setting court decisions in complex litigations.” In total, the CFTC filed 96 enforcement actions resulting in over $4.3 billion in penalties, restitution and disgorgement. Both metrics showed an increase year over year, when the Commission initiated 82 enforcement actions, imposing more than $2.5 billion in fines.
• The CFTC also noted the importance of its whistleblower program, reporting that it granted nearly $350 million in awards to 41 whistleblowers during the year and imposing more than $3 billion in total sanctions from whistleblower-related enforcement actions.

Department of Justice (DOJ) Encourages Self-Disclosure

• In March, DAG Monaco ordered every Department component engaged in corporate criminal enforcement to adopt a voluntary self-disclosure policy. Under that policy, if a company makes a qualifying VSD, it may receive resolutions under more favorable terms than if the government had learned of the misconduct through other means.
• In November 28, 2023 remarks at the New York City Bar Association’s International White Collar Crime Symposium, PADAG Miller emphasized that the “value proposition of voluntary self-disclosure extends with particular force to the mergers and acquisitions (M&A) space, where the disclosing company is essentially operating as a corporate whistleblower, diming out illegal conduct that took place at a different entity – the M&A target.” To that end, speaking at the Society of Corporate Compliance and Ethics’ 22nd Annual Compliance & Ethics Institute on October 4, 2023, DAG Monaco announced a Mergers & Acquisitions Safe Harbor Policy. She explained that “[i]n a world where companies are on the front line in responding to geopolitical risks – we are mindful of the danger of unintended consequences. The last thing the Department wants to do is discourage companies with effective compliance programs from lawfully acquiring companies with ineffective compliance programs and a history of misconduct. Instead, we want to incentivize the acquiring company to timely disclose misconduct uncovered during the M&A process.”
• Highlights of the Safe Harbor Policy include:
  • Timing: companies must disclose misconduct discovered at the acquired entity within six months from the date of closing, whether the misconduct was discovered pre- or post-acquisition.
  • Remediation: companies will have a baseline of one year from the date of closing to fully remediate the misconduct. Recognizing that not all deals are the same, both baselines are subject to a reasonableness analysis and, depending on the specific facts, circumstances, and complexity of a particular transaction, those deadlines could be extended by prosecutors.
  • Aggravating factors: the presence of aggravating factors at the acquired company will not impact in any way the acquiring company’s ability to receive a declination. Unless aggravating factors exist at the acquired company at the time of acquisition, that entity can also qualify for applicable VSD benefits.
  • Recidivism: misconduct disclosed under the Safe Harbor Policy will not be factored into future recidivist analysis for the acquiring company.
  • As with any VSD, the Safe Harbor Policy does not apply to misconduct that was otherwise required to be disclosed or already public or known to the Department.
• The policy will only apply to criminal conduct discovered in bona fide, arms-length M&A transactions. To that end, PADAG Miller warned that “our prosecutors will be scrutinizing every disclosure. Not only would a sham transaction not qualify, but it may even subject the disclosing company to additional criminal liability. For example, if we find out that a company improperly structured a transaction to avoid applicable reporting obligations, it would not qualify for the protections of the policy.”

Response to Investigations—Knowing Where to Go

Identifying the Primary Point Person (General Counsel, Chief Compliance Officer)

• Register with appropriate agencies in advance
• Develop a clear chain of communication
• Develop a clear chain of command
• Develop an inquiry flow chart
  • Where does Legal/Compliance go for information and background?
  • Where there is turnover, who is the historian?

Building a Contact List

• Legal
• Investigation
• Audit
  • Financial
  • Other Conduct
• PR/Communications
• All of the above need to be in place before anything goes wrong

Crisis Management—Knowing What to Do

When the Letter Arrives

• Prompt notification through chain of command
• Identifying who needs to know
• Containment/ PR
• Establish investigation hold
  • Documents
  • Emails
  • Other materials
• Establish the company knowledge base (Did we do “it”? Was “it” lawful? Who knew what and when?)
  • What do we know?
    • Making sure appropriate people know it
  • What don’t we know?
    • Develop internal investigation plan
      • Role of GC, Compliance Officers
      • Role of external

Gathering Relevant Information and Records

• Internal servers
• External
• Identifying relevant searches

Developing Initial Strategy

• Cooperation
• Confrontation

What is Our Story

• With investigating agency
• With clients/public

Attorney Client and Work Product Privileges:

When Do the Privileges Apply to Internal Investigations?

Common Misconceptions

• Does not include all communications in presence of counsel
• Does not include all communications to/from counsel
• Must relate to securing or providing legal advice
  • Higher level of scrutiny for in-house counsel especially where in-house counsel has additional titles or responsibilities
  • Complicates question of legal vs. business advice

Criteria for Privilege to Apply

• Asserted holder of the privilege is or sought to become a client
• Person to whom the communication was made
  • is a member of the bar of any court or his subordinate or a person reasonably perceived by the client to be one, and
  • in connection with this communication is acting as a lawyer
• The communication relates to a fact of which the attorney was informed
  • by his client
  • without the presence of strangers
  • for the purpose of securing primarily either
    • an opinion on law or
    • legal services or
    • assistance in some legal proceeding, and not
    • for the purpose of committing a crime or tort; and
  • The privilege has been
    • claimed and
    • not waived by the client

Primary Purpose

• Primary purpose must be to secure or provide legal advice as opposed to:
  • Business advice
  • Personal advice, or
  • Policy advice (government context)
• Investigative reports do not become privileged merely because they were conducted by or sent to an attorney
• Lawyer’s communication is not cloaked with privilege when lawyer is hired for business or personal advice, or to do the work of a non-lawyer

Assessing Primary Purpose

• Should be assessed dynamically and in light of the advice being sought or rendered
• Consider relationship between the advice that can be rendered only by consulting legal authorities vs. advice that can be given by non-lawyers
• General Counsel often wears multiple hats
  • At board meetings
  • Other meetings, events
  • Finance, business strategy
• Key Takeaway: Overuse of the privilege designation can jeopardize even the privileged communications

Confidential Intention

• Communication must have been intended to be kept confidential
• Courts have consistently refused to apply privilege to information that the client intends or understands may be conveyed to others.

Kept Confidential

• Communication must have been in fact kept confidential
• There are some inconsistent rulings on use of work email
  • Ex: Emails sent from employer’s computers not protected even though employee used web-based email system.

Common Mistakes

• Failing to separate legal from business advice
• Use of staff or AI without adequate supervision
• Failing to properly designate privileged communications
• Over-designating non-privileged communications
• Excessive reliance on 3^rd parties
• Not educating client recipients about the above

Solutions

Separating Legal vs Business in Written Communications

• Segregate requests for legal advice; address with separate memo or email; use separate heading
• Use proper subject matter designations and explicitly state need for confidentiality
• Avoid rubber stamping designation
• Use designations selectively
• Maintain confidentiality by restricting circle of recipients

Maintaining Proper Supervision

• Privilege can extend to support staff and outside investigators provided they are working under adequate supervision of counsel
• Non-attorneys may conduct interviews and other activities, as long as counsel oversees overall investigation
• Communications made by and to non-attorneys serving as agents of attorneys in internal investigations are routinely protected by the attorney-client privilege
• ABA Model Rule 5.3(b): Responsibilities Regarding Nonlawyer Assistance
  • A lawyer having direct supervisory authority over the non-lawyer shall make reasonable efforts to ensure that the person’s conduct is compatible with the professional obligations of the lawyer
• Counsel needs to make sure:
  • Product is accurate and reliable
  • That AI program is reasonably secure

Limiting Internal Circulation

• Must relate generally to employee’s corporate duties
• Some courts acknowledge that one non-attorney employee can forward to another
• Shift away from need-to-know test to “proper circle of confidentiality”

Educating Recipients

• Brief them on basic rules:
  • What cannot be shared
  • With whom attorney-client privilege cannot be shared
  • Consequences of over-sharing to company
    • For board members – may be breach of fiduciary duty

Careful Use of Outside Entities

• Public relations firm
• Accountant
• Auditor
• Broad view: Was the communication for the purpose of obtaining or providing legal advice?
• Financial advisor who did not have primary responsibilities for company functions, or close and continuous relationship with company principals was not agent
• Independent contractor who secured tenants and worked with architect, etc. was functional equivalent

Third Party Assistance to Counsel

• Accountant or other agent may be necessary to help attorney understand client’s situation
• Two approaches to S. v. Kovel:
  • Narrow view: third party role must be comparable to that of a translator
  • Broad view: as long as presence of third party facilitates attorney’s ability to render legal advice
• Role must be “highly useful” as opposed to convenient
• Does not extend to regular financial counseling
• Audit firm hired to examine contracts for cost saving and bolstering bottom line not within scope of privilege
• Limited to where attorney is relying on third party “to translate or interpret” client information
• Consulting firm’s analysis and classification of data from surveys not privileged because attorney could have done that without assistance

Media/PR Consultant

• Can include advice on media response
• Advising client on how to respond to media inquiries has important legal implications when client will issue public statement about employee.
• Recognition that cases are often won or lost in the media, well before trial???
• Ordinary media campaign strategy is “not a litigation strategy”
• Is it intertwined with legal issues?
  • Common interest privilege not extended to communications with PR consultant hired by petitioner’s attorney to wage social media campaign while lawsuit was pending where petitioner failed to prove that communications were necessary for attorney’s representation

Communications Not Covered

• Communications/advice from licensed attorney in capacity as management consultant in compliance with federal & state wage & hour laws
• Documents with headings referring to “compliance advice”
• General advice from outside counsel concerning antitrust compliance compelled for production
• Communications about joint business strategy between/among different entities even if communication happens to include concern about litigation
• Governmental Investigation Cooperation: SEC v. Herrera
  • Magistrate held law firm waived WP protection over interview notes/memos when it voluntarily provided oral downloads of same to SEC
  • Briefings considered “functional equivalent” of sharing underlying interview notes with adversary, thereby waiving protection
  • Case addresses situation closely related to common practice of white-collar bar to provide summaries of facts discovered during witness interviews to regulators in name of cooperation
  • Herrera does not hold that all cooperation will lead to waiver, but underscores need to carefully preserve privilege when sharing factual information
  • Cosmetic product manufacturer received inquiry from FDA about consumer complaints of injury allegedly associated with hair care product
  • Manufacturer responded to FDA in writing to advise of tests/studies commissioned on product “as part of legally privileged review” of consumer complaints
  • Letter listed and summarized conclusions of 13 studies
  • In later products liability litigation, class action plaintiffs argued both letter and studies subject to discovery
  • Court compelled production of un-redacted written response to FDA wherein manufacturer had disclosed AC privileged/WP protected info
  • Voluntarily disclosing privileged docs to 3^rd parties will generally destroy privilege, even when 3^rd party is the government
  • FDA was investigating consumer complaints and was therefore an adverse party
  • FDA and manufacturer cannot reasonably be said to have common interests against common adversary
  • Court did not compel production of 13 studies
  • Declaration from GC established studies were WP
  • Even if studies were performed for “dual purpose” and not prepared exclusively for litigation
  • Studies were prepared or obtained “because of” the prospect of litigation
  • WP standard does not consider whether litigation was primary or secondary motive behind creation
• Affirmative reliance on protected studies/docs would create substantial need or constitute waiver
• Identifying each study and summarizing each study’s conclusions in response letter did not constitute waiver. Brief summaries did not provide “sufficiently detailed information”
• Kellogg Brown & Root
  • Contract with Department of Defense
  • DOD requires Compliance Program including Code of Business Conduct (COBC), which KBR implemented
  • KBR learns of possible fraud and kickbacks involving overseas subcontractor
  • Conducts internal investigation pursuant to COBC
  • Legal delegated certain investigative work, including witness interviews, to non-attorney investigators
  • Interviewees signed confidentiality forms, acknowledging that investigation was “sensitive” and that unauthorized disclosures could have adverse impact on Company
  • At end of investigation, non-attorney investigators sent final memo to Company’s general counsel’s office.
  • Circuit Court held correct test = whether one of the significant purposes of the Company’s internal investigation was to obtain or provide legal advice
  • Also observed that Upjohn does not hold or imply that involvement of outside counsel is necessary predicate for privilege to apply
  • Lawyer’s status as in-house counsel does not dilute the privilege
  • Non-attorneys may conduct interviews and other activities
  • As long as counsel oversee the overall investigation
  • Communications made by and to non-attorneys serving as agents of attorneys in internal investigations are routinely protected by the attorney-client privilege
  • Interviewed employees need not be expressly informed that purpose of interview is to obtain legal advice

Nothing in Upjohn requires company to use magic words to its employees in order to gain benefit of privilege for inter

[i] Consumer Product Safety Act, § 9, 15 U.S.C. § 2056(b); Consumer Product Safety Improvement Act of 2008, Pub. L. No. 110-314, § 106, 122 Stat. 3016, 3033-35.

[ii] 15 U.S.C. § 2064(b).

[iii] 15 U.S.C. § 2084(a).

[iv] 15 U.S.C. § 2064(c).

[v] Id.

[vi] Motor Vehicle Safety Defects And Recalls, National Highway Traffic Safety Administration, https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/14218-mvsdefectsandrecalls_041619-v2-tag.pdf (last visited July 24, 2024); Understanding NHTSA’s Regulatory Tools, National Highway Traffic Safety Administration, https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/understanding_nhtsas_current_regulatory_tools-tag.pdf (last visited July 24, 2024).

[vii] 49 U.S.C. § 30102(a)(9).

[viii] Motor Vehicle Safety Defects And Recalls, National Highway Traffic Safety Administration, https://www.nhtsa.gov/sites/nhtsa.gov/files/documents/14218-mvsdefectsandrecalls_041619-v2-tag.pdf (last visited July 24, 2024).

[ix] 49 C.F.R. § 573.6(a).

[x] 49 C.F.R. § 573.6(b).

[xi] Food Traceability List, U.S. Food & Drug Administration, https://www.fda.gov/food/food-safety-modernization-act-fsma/food-traceability-list (last visited July 24, 2024).