Skip to content

Investigating the Insider

HEWLETT-PACKARD, in a now infamous case, hired an outside firm to help it spy on its own board of directors to find out who was leaking information to the press. The outside firm was asked to obtain the directors’ phone records. The firm used information, including the Social Security numbers of the suspects, to conduct pretexting—pretending to be a client or other authorized person to obtain the records of a third party. The scheme, which has since resulted in indictments against the chairwoman and three attorneys as well as large fines against the company, was overseen by the company’s ethics chief.

The only objection voiced at the time came from security personnel involved in the investigation who happened across the telephone records and questioned whether they had been obtained legally. The IT security director later testified before Congress on the issue. He said that his objections were passed along the chain of command and that he was assured that the pretexting was perfectly legal.

As this example illustrates, companies that are called on to investigate their own employees in major criminal cases, such as fraud or other financial crimes, must be aware of the legal constraints. Missteps can cost them more than the infractions they are investigating.

The need to understand how to conduct ethical and legal investigations is increasingly important as such investigations are on the rise. Virtually every public corporation and securities firm has conducted at least one significant internal investigation in the past few years. The reasons for this development include the environment created by the Sarbanes-Oxley Act and the policies of the Department of Justice (DOJ), the Securities and Exchange Commission (SEC), and other law enforcement agencies that encourage companies to conduct internal investigations.

Every internal investigation should be credible, timely, fair, accurate, objective, and thorough. The following overview focuses on the key legal questions that typically arise when investigating major crimes within an organization.

When to Investigate

Whether to conduct an internal investigation should be considered carefully. Once the decision is made, it is difficult to reverse. An investigation that is halted before it is completed can lead to claims of a cover-up or failure to ascertain the facts.

Internal investigations typically should be conducted when there have been credible allegations or suspicions of significant wrongdoing, misconduct, or ethical lapses. There are many factors that are important in determining whether an internal investigation should be conducted, including the magnitude of the alleged harm to the company (separate criteria apply regarding investigations of prohibited employee behaviors, such as harassment), the existence of any governmental inquiry, the extent of publicity that the matter has received, the number of employees involved, the duration of the alleged wrongdoing, the prior disciplinary history of the company, the culture of the company, and the aggressiveness of the company’s board of directors. Internal investigations may also be appropriate where there have not been specific allegations against a company but where there have been allegations of misconduct within the industry or against a competitor.

A good example of an industrywide development that could lead a company to conduct an internal investigation was the widespread backdating of stock-option grants in early 2007, a practice which can lead to the misstatement of a company’s financial accounts. After the publication of an academic study showing that the practice had been widespread before being made impractical by a rule change, hundreds of companies began internal reviews of their historical options-granting practices in anticipation of widespread investigations by the Securities and Exchange Commission (SEC) and the Department of Justice (DOJ).

In other cases, the circumstances leading to an internal investigation are specific to the individual company. In some instances, a whistleblower from inside or outside the company may bring an issue to the management’s attention, which will lead the board to conduct an investigation as an exercise of its duty of care.

Alternatively, the company’s own internal audit or internal security functions may detect practices that are illegal or violate the company’s guidelines. In such circumstances, companies should conduct an internal investigation to mitigate the company’s potential liability and to determine what changes to institute to prevent future problems.

Certain government agencies, including the SEC, have stated explicitly that they will consider a company’s efforts to conduct an investigation when deciding whether to charge that company with wrongdoing. DOJ guidelines for charging corporate entities with criminal conduct—as revised in 2007 through the McNulty memo—urged prosecutors to consider whether the company shared the results of any internal investigation with the government.

Who Should Lead

Who should lead an internal investigation of major crimes depends on the situation. If the matter looks contained—if, for example, it concerns impropriety within one department or division—and if it is not linked to senior management, security can usually handle the situation alone regardless of whether the security department reports to the CEO.

By contrast, if the case involves allegations against executives or issues that could have a major impact on the company’s reputation, value, or viability, an outside firm might be a better solution, because the results of these types of internal investigations must be beyond reproach. One way to achieve credibility is to ensure that the probes were conducted by a truly independent third party. This entity should be an outside law firm or investigative team that has not done extensive work for the company. Companies may face skepticism as to the credibility of their efforts to examine themselves or root out wrongdoing if the outside agency that conducts the investigation is considered too closely tied to the company.

Among the more extreme examples of this was when Ken Lay hired Enron’s main outside counsel, Vinson & Elkins (V&E), to conduct an investigation into the allegations contained in a whistleblower letter. Many of the transactions that V&E reviewed as part of its investigations had been undertaken in the first place only with the assistance of V&E. Therefore, V&E was in the position of reviewing its own work. The court-appointed examiner who reviewed Enron’s collapse in bankruptcy was harshly critical of this dual role.

Another consideration is that the third party has no role in any governmental investigation that is already underway. In one prominent case, the City of San Diego hired outside counsel to conduct an internal investigation into possible improprieties relating to the city’s municipal bond sales and transactions with its pension fund. After the firm that was conducting the investigation also began defending the city in a related SEC investigation, the city’s auditors publicly questioned whether that firm could complete its internal investigation in an objective and independent manner. Ultimately, another firm was hired to conduct a separate investigation relating to the same conduct, at great cost to the city.

Obviously, if there have been any allegations that the CEO, general counsel, or any member of the board has engaged in wrongdoing, those people should not have any involvement in, or influence over, the investigation. Alternative structures, including board committees, can be used in these circumstances.

For instance, one measure implemented as part of the Sarbanes-Oxley Act requires that corporations establish audit committees with responsibility for developing procedures to receive, retain, and investigate complaints of financial fraud involving auditing, accounting, or internal-control issues. The law empowers those audit committees to hire their own counsel to conduct such an investigation.

The audit committee, the security director, or the person within the company who is in charge of hiring and receiving reports from the third party should designate an employee to act as a liaison and facilitator who can help the third party identify sources for relevant documents. That person should assist in arranging interviews and performing other administrative tasks. This facilitator may or may not be a member of the security department but should not otherwise participate in the investigation or be privy to the findings.


Anyone involved in an investigation must be aware of the legal issue of privilege when writing reports or communicating about the case.

Broadly speaking, the attorney-client privilege protects from discovery any confidential communications between a lawyer and his or her client if they were for the purpose of rendering or obtaining legal advice. In the corporate context, the privilege applies to communications between in-house or outside counsel to a company and employees of the company if the communications are intended to assist counsel in rendering legal advice to the company.

The attorney work-product doctrine provides protection for any documents prepared by counsel in anticipation of litigation. Private litigants and government investigators frequently seek to obtain documents that were part of an internal investigation. Because of the sensitivity of such documents, companies often fight to resist those efforts by claiming the protection of the attorney-client privilege and work-product doctrine.

As a general rule, if information is not maintained in a confidential manner, it will be difficult to maintain any privilege. For example, if the results of an investigation are to be publicly released, it will be difficult to maintain attorney-client privilege.

Even an oral briefing of government investigators by counsel, subject to a confidentiality agreement, could be interpreted by the courts as a waiver of the privilege. For example, on July 20, 2006, Gregory Reyes, the former CEO of Brocade Communications, was charged by both the SEC and the DOJ with securities fraud in connection with an alleged scheme to award backdated options to company recruits. Details of the activity in question had been provided to the government by the law firms that had been hired by the company to conduct an internal investigation.

When the company tried to have the information ruled as inadmissible because it was protected by attorney-client privilege, the court said the privilege had been waived when the lawyers briefed the government. (U.S. v. Reyes, U.S. District Court for the Northern District of California, 2006).

The work-product doctrine can be similarly difficult to establish. Because it only applies to documents that are created in anticipation of litigation, whether the protection will attach is often determined by an analysis of the circumstances that led to the initiation of the investigation.

For instance, one recent decision held that an investigation of accounting fraud undertaken to satisfy the demands of the company’s outside auditors, who refused to complete their audit prior to the completion of the investigation, was performed for a business purpose, rather than because of likely litigation resulting from the fraud. Therefore, the court refused to allow the company to withhold the documents on the basis of the work-product doctrine. (In re Royal Ahold N.V. Secs. & ERISA Litigation, U.S. District Court for the District of Maryland, 2005).

Another court held that a company’s investigation of one of its employees for expense report fraud, though undertaken with the expectation of litigation with the employee, was primarily for the purpose of determining whether or not to terminate the employee, which the court characterized as a business decision. (Electronic Data Systems Corp. v. Steingraber, U.S. District Court for the Eastern District of Texas, 2003). The court held that the attorney work-product protection did not apply and allowed the employee access to the investigative report during litigation.

These cases demonstrate that a company cannot automatically assume that the results of an investigation performed by counsel will be protected from discovery in all circumstances. A company can, however, take certain steps at the outset of an internal investigation conducted by an outside law firm to maximize its ability to protect the findings.

At a minimum, the engagement letter between the client and counsel conducting the investigation should make clear that a purpose of the investigation is to give legal advice and not just to gather facts. In addition, steps should be taken to limit the number of people with access to the process and information as the investigation is ongoing. Moreover, all documents prepared should contain a “privileged and confidential” legend.

In an effort to make it easier for companies to be cooperative with government investigators without losing attorney-client privilege protections, the DOJ released new guidelines relating to the prosecution of corporation fraud in late August. The guidelines note that as long as companies provide relevant information, they may get credit for cooperation, even if they do not waive the attorney-client privilege or work-product protection.

Potential Pitfalls

A company can face numerous challenges in conducting an internal investigation of major crimes. Among the most critical issues are preserving documents, conducting interviews, upholding the rights of employees, and determining whether to issue a report.

Preserving documents. The credibility and effectiveness of the internal investigation depends on the investigators having unfettered access to all potentially relevant documents. A request to preserve documents should be distributed to all employees who may have relevant information when the investigation begins. The notice should provide sufficient detail as to the scope of the internal investigation, but it should not telegraph its direction or otherwise jeopardize its integrity.

The company should also issue a notice to all relevant staff members to immediately suspend destruction of potentially relevant documents, including those stored remotely. If there is a concern about intentional destruction of documents, the office and files of affected employees should be secured until investigators can identify any potentially relevant evidence.

E-mails are a critical source of information given that they reflect the contemporaneous and sometimes unfiltered state of mind of the sender. Thus, they are as important to obtain and analyze as other documentation.

E-mails can be retrieved from the network. In some situations, the hard drives and PDAs of relevant personnel should be taken for analysis as well. If it appears that relevant e-mails have been deleted, great efforts should be made to restore them. Emails should typically be reviewed and analyzed for each witness who is interviewed.

Given the increasing importance of email, it is no surprise that courts and regulators have begun to look harshly at any company that fails to maintain or produce e-mails relevant to potential wrongdoing. As an example, Banc of America Securities was fined $10 million for a series of delayed and incomplete e-mail productions during an SEC investigation. The size of the fine shows the emphasis that the regulators place on e-mail evidence.

Interviews. Interviews are typically the most valuable source of information in an internal investigation. Initial interviews should be conducted as early as possible in the investigation, with two goals: the first is to obtain from each witness his or her version of events before it may be influenced by other factors; the second is to get an overview of relevant events.

The preliminary interviews may be conducted before a significant amount of documents are gathered and analyzed. The investigator can conduct follow-up interviews as needed after obtaining a fuller picture of the situation.

Care should be taken not to be adversarial in interviews. If interviews become contentious, it can cause an allegation of lack of objectivity and weaken the credibility of the findings. The goal in interviews should be to obtain as much information as possible. The investigator can later test the accuracy of what the interviewee said against documents, other testimony, and any additional information obtained.

If a verbatim record of an interview is needed, then the interview should be recorded. A verbatim record may be required if the company has decided that it will provide the government with the record of all interviews, for example. Absent this requirement, it is generally better not to record the interviews, because doing so may inhibit or chill a witness. Therefore, in such situations, detailed notes of the interview should be taken so that there is a comprehensive and accurate record of the interview.

Notes of interviews may be protected by the attorney-work-product doctrine if they contain the mental impressions of an attorney. An interview may be privileged even if the person conducting it is not an attorney so long as the overall investigation is the responsibility of an attorney and the person is conducting the interview at the direction of an attorney.

Under most circumstances, it is best to have two members of the investigative team present for each interview so that one can focus on asking questions and formulating follow-ups, while the other focuses on taking notes. The presence of two interviewers will also lessen the chances of the interviewee later challenging the accuracy of the interview notes.

Employee rights. In the context of an internal investigation, an employee has no legal right to have a lawyer present. (Union employees may have the right to a union representative.) Even so, an employee should be allowed to have a lawyer present at an interview if requested.

The lawyer for the witness should not impede the questioning at the interview. The lawyer for the witness may, however, be given an opportunity to ask questions of the witness at the end of the interview. Given that the goal of an internal investigation is to gather the facts as thoroughly and accurately as possible, this additional questioning is important.

Whether the company indemnifies the cost of a lawyer for the employee typically depends on the past practices at the company, the by-laws, the seniority of the employee, the rights to indemnity under state law, and the types of allegations being investigated. In most cases involving senior officers, the company will pay for a lawyer.

Government regulators have strongly implied that they would not look favorably on the company’s decision to indemnify employees who were targets or subjects of investigations. But a U.S. district court overseeing the case against several former executives of KPMG who were under investigation for selling fraudulent tax shelters found that it was unconstitutional for the government to exert such influence (U.S. v. Stein, U.S. District Court for the Southern District of New York, 2006).

Under pressure to repudiate this approach, the DOJ, as another part of the McNulty memo, suggested that it would now only seek to limit the payment of attorney’s fees for employees in “extremely rare cases,” where the payment of such fees is “intended to impede a criminal investigation.”

Investigators may also want to offer employees the opportunity to submit other information that they believe is relevant. This offer is usually made near the end of the investigation when the issues and facts are more focused.

Issuing a report. Whether a written report should be prepared can be one of the more difficult questions to resolve in any internal investigation. Though it seems counterintuitive, it may not make sense to produce a written report in some situations. We have been involved in major investigations concerning significant issues where we decided to give only an oral report to the board of directors.

One of the risks in preparing a written report is that it will give a blueprint to plaintiff’s attorneys, thus increasing the chances for a lawsuit. A written report can make an internal investigation more credible, however. We have conducted investigations in which we gave an oral report first, and then prepared a written report after a regulator asked for one and after it was determined that the litigation risks were low.

On one hand, a written report provides tangible evidence that the company has sanctioned a thorough and complete examination of the company’s problems. Companies frequently provide written reports of internal investigations to regulators or law enforcement to demonstrate cooperation. Also, companies frequently use written reports of investigations to refute charges of wrongdoing in litigation.

Unless there is a clear reason at the outset to prepare a written report, it may make sense to defer that decision until the investigation is completed and the outcome and consequences of the investigation are better understood. Even if the company intends to keep the report’s findings confidential, maintaining the confidentiality of the written report can be exceedingly difficult.

In addition, while the written version of the report may be useful in dealing with regulators or law enforcement, it will, as noted, also provide a roadmap for them to conduct their investigations. A written report provides a similar roadmap to civil litigants, who otherwise might not have become aware of the situation under investigation.

In some cases, an oral report by counsel or an outside investigative team to the client will be sufficient to apprise the client of counsel’s findings. The contents of an oral report will generally be protected by the attorney-client privilege if given by a law firm, making it easier to keep confidential.

When the circumstances call for a written report, it should not be reviewed by anyone before it is finalized so as to preserve its integrity and independence. However, in certain situations, especially when the issues are of a highly technical nature, it may be beneficial to let someone who is not implicated by the internal investigation to review the factual portion of a final draft to ensure the accuracy of the report. In that case, the reviewer should agree to maintain the strict confidentiality of the information until it is released to avoid the inadvertent waiver of the attorney-client privilege or work-product protection.

Companies are facing an increasing number of circumstances that may lead them to consider initiating an internal investigation. These investigations can entail considerable expense and inconvenience, and they should not be entered into lightly. However, in many situations an investigation is necessary for a company to salvage its reputation. A credible, well-run investigation is one of the most effective means of coping with a corporate crisis.

Michael J. Missal is a partner in the Washington office of the law firm of Kirkpatrick & Lockhart Preston Gates Ellis LLP, where he has led a variety of major internal investigations, including acting as the examiner in the New Century Financial Corporation bankruptcy proceeding and as lead counsel to the Independent Review Panel investigating the 60 Minutes segment on President George W. Bush’s Texas Air National Guard service. Andrew H. Feller is a former associate in the firm’s Washington office.