To paraphrase what Ben Franklin may have been alluding to nearly 300 years ago in his famous quote, often the best approach when it comes to reducing the risk of litigation and government enforcement proceedings is to take proactive steps to prevent them before they even happen. The following are suggestions and ideas that general counsels should consider in order to minimize the likelihood of these events occurring, specifically accounting for recent noteworthy developments:
1. Develop and implement effective compliance policies: Rarely will two compliance policies look the same. They differ across companies for a variety of reasons including industry, location, and number of personnel — and they require careful attention in order to tailor the policy to a company’s particular lines of business and areas of risk. Nonetheless, certain concerns cut across almost all industry sectors and company types and should be considered for inclusion (either as a stand-alone policy or as part of a broader global policy) in order to establish a baseline of expectations, guide personnel on the rules of the road, and mitigate the risks associated with the current regulatory environment:
- Anti-corruption: A comprehensive anti-corruption policy can help ensure that the company complies with applicable anti-bribery laws and regulations, such as the U.S. Foreign Corrupt Practices Act (FCPA) and the UK Bribery Act. The policy should include procedures for due diligence, training, monitoring of third-party relationships, and gifts and entertainment guidelines.
- Anti-discrimination and anti-harassment: A comprehensive anti-discrimination and anti-harassment policy can help prevent workplace discrimination and harassment and demonstrate the company’s commitment to maintaining a respectful and inclusive workplace. The policy should include clear procedures for reporting complaints, protecting complainants and witnesses, and assurances that the company will take prompt and appropriate remedial action against violators. The company should also have — either within or as part of a separate policy — detailed procedures for investigating such matters.
- Data privacy and security: With the increasing importance of data privacy and security, it is crucial to have a clear policy outlining the company’s obligations under relevant data protection laws and regulations, such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). The policy should also include procedures and training for preventing and reacting to data breaches and cyber-related issues, as well as a clearly defined incident response plan.
- Environmental, health, and safety: An environmental, health, and safety policy can help ensure that the company complies with applicable environmental, health, and safety regulations and standards, and minimizes the risk of accidents and injuries in the workplace. The policy should also outline procedures for risk assessments, training, and emergency response.
- Ethics: An ethics policy should define the company’s expectations for standards of conduct by and among its employees, including areas such as the avoidance of conflicts of interest, how to handle ethical dilemmas, and fostering the appropriate tone throughout the organization. The policy should also outline procedures for reporting suspected violations of law, and protecting whistleblowers who may do so. Again, the company should also have — even if not published broadly — procedures for accepting, reviewing, and investigating reports of wrongdoing.
- Fraud, Anti-Money Laundering, and sanctions prevention: Most companies are expected to maintain policies to prevent, detect, and mitigate the risks of fraud, money laundering, and economic sanctions violations (particularly for financial institutions and cross-border business). These policies are normally expected to include protocols for all aspects of the business transaction lifecycle — including customer on-boarding, transaction monitoring, investigation, escalation, and where appropriate, remediation and reporting to relevant government authorities.
- Intellectual property: An intellectual property policy should define the company’s policies on patents, trademarks, copyrights, and trade secrets, and outline procedures for protecting and enforcing intellectual property rights. The policy should also provide guidance on the use of third-party intellectual property and the creation of new intellectual property.
- Personal Trading and Material Non-Public Information: Many companies are also expected to maintain clearly defined policies that set out how, when, and where employees may engage in personal trading of securities or other investments. These policies should include clear guidelines as to how to handle instances where the company or its employees may become aware of material non-public information (MNPI) and how it should be treated in the context of potential investment decisions.
- Sales or market practices: Depending on the nature of the company and its personnel, many enterprises are also expected to maintain policies related to the conduct of their sales force and the associated sales practices they undertake. Training and procedures to educate company personnel and set expectations for the sales force as they engage with customers or clients will help mitigate regulatory issues and potentially benefit the enterprise through the market’s recognition of its fair practices.
- Social media: A social media policy can help ensure that the company’s employees use social media in a responsible and professional manner, and avoid disclosing confidential or proprietary information. The policy should also provide guidance on the use of social media for marketing and communication purposes. Companies must be mindful in a social media policy of rights that employees may have under certain laws, including the National Labor Relations Act.
2. Conduct examinations or investigations where appropriate: Conducting an internal exam or investigation at a company can be a valuable preventive exercise to assess compliance with applicable laws, regulations, and standards. Here are some steps to follow when contemplating how to proceed with one:
- Plan the mission and scope: Define the mission and scope of the review, the regulatory requirements that apply to the areas of risk, and the proposed methodology of the inquiry. This will involve reviewing the applicable laws, regulations, and standards, as well as the company’s policies, procedures, and controls. At the planning stage, companies should also identify who will be responsible for conducting the review, to whom findings will be provided, and whether the inquiry will be conducted under the attorney-client privilege.
- Conduct a preliminary review: Identify all systems and documents that are known to be relevant (or potentially relevant) and review in accordance with the defined scope. This may include reviewing policies, procedures, training materials, financial databases, personnel data (compensation and demographic information, for instance), correspondence, memoranda, and other relevant documents and information.
- Conduct the exam or investigation: Along with a review of relevant documents and materials, interview relevant personnel to gather further information and evidence. The inquiry should be conducted in a sensitive and structured manner, and should focus on the areas of highest risk.
- Document findings: Record any deficiencies or non-compliance issues identified during the review, as well as any areas of strength or best practices observed. Keep in mind the possibility that the documentation and other information could be discoverable in subsequent regulatory investigations or litigation in certain contexts.
- Issue a report: Determine whether a report will be in written or verbal form, and then prepare one that summarizes the findings, including any recommendations for improvement or corrective action. The report should also include a summary of the company’s response to the findings, including any remediation plans or other actions taken. Again, keep in mind the possibility that the report may be discoverable.
- Follow up: Develop a process and timeline for checking in with relevant stakeholders to ensure that any recommended improvements or corrective actions are implemented and that regulatory compliance is being maintained.
3. Regularly review contracts and agreements: General counsel should periodically review relevant contracts, agreements, and other documents to ensure that they are legally sound and comply with all applicable laws, regulations, and best practices. Some key considerations in light of recent regulatory and global developments include:
- Employment: Does the company have an executive clawback policy in place? Is it clear to employees that they can speak and provide information to certain regulatory authorities without the company’s consent? Do restrictive covenants and anti-discrimination/harassment policies comply with the latest developments? Has the company accounted for hybrid or remote personnel working in other jurisdictions?
- Force majeure: In light of recent world events (e.g., Covid), is your company unduly exposed as a result of overly broad force majeure provisions?
- Insurance and liability: Is your company under any new insurance requirements? How does your insurance protection reconcile with any relevant indemnification/liability clauses?
- Pricing provisions: Are there interest rate provisions in any contracts tied to floating interest rates that should be revisited given the Federal Reserve’s ongoing policy of raising rates?
- Technology: Has your company sufficiently accounted for the proliferation of generative AI and how it might impact your business in view of applicable law?
- Vendor due diligence: It is extremely important to conduct periodic due diligence checks on all key vendor relationships to mitigate potential risks for your organization. Such assessments should cover, among other things, financial stability, key personnel turnover, cybersecurity status, as well as any legal and reputational matters that could impact the vendor’s ability to deliver its services to your company.
If you have any questions concerning any of the foregoing, please contact one of the attorneys in our Litigation Practice listed below or your Seward & Kissel attorney contact.