I have facilitated Martindale
Counsel to Counsel forums all over the world since 2000. These discussions
are "best practice" exchanges by corporate counsel and law firm
lawyers about a particular topic. Consistently, they are the
best-received CLE programs among buyers of legal services and senior law firm
partners of any I've seen.
Yesterday's program in New York was
a popular one - it always is, given the regulatory climate in a post-Enron
world. All participants (17 corporate counsel and 6 law firm partners - 2
each from co-hosts Andrews Kurth, LeClair Ryan and Morvillo, Abramowitz) were well
prepared and shared a 5-minute best practice based on real-world
experiences. We heard war stories from the trenches of legal departments
about compliance concerns, enforcement challenges and next steps in their
thoughtful compliance planning and handling.
I thought I'd include my
introductory remarks here - it's a good primer on what's on the minds of
sophisticated buyers of high-end corporate legal services.
A special thanks to my co-chairs for
the program: Vanessa Vargas-Land, Vice President and Assistant Compliance
Officer, Archer Daniels Midland, and Gregg Formella, Senior Attorney, American
And thanks to our co-hosts and
partners from Andrews Kurth: Spencer Barasch and Roscoe Howard;
shareholders from LeClair Ryan: Carlos Ortiz and Michael Ruggio;
and principals from Morvillo, Abramowitz: Lisa Prager and Robert Anello.
Here is my introduction:
LexisNexis/Martindale has sponsored
Counsel to Counsel forums around the world since 2000, and I have facilitated
many of them since the very beginning. The purpose is to bring corporate
counsel and law firm lawyers together in open and candid discussions around
many of the hottest issues and concerns of the day.
How many of you are new participants
to Counsel to Counsel? As you see with our table set-up today, this forum
is the antithesis of a "talking head CLE." The best Counsel to Counsel
forums are those where participants are interactive, open and candid. So,
get comfortable, ask questions, share opinions - even when you disagree.
Don't be shy about sharing your war stories and experiences.
Having said that, today's forum is
"off the record." Some of you will be contacted about sharing your best
practice as an article. And others will be posted in the legal articles
database at martindale.com. But nothing will be done or shared without
your review and approval.
Now, let me briefly set the stage
for our discussion. In my research for today, I found several conditions
and developments that impact corporations and how they do business in the U.S.
Since 2007, regulators and commentators have touted each year as a new
record-breaking year for FCPA enforcement. 2010 saw a record-breaking
year in corporate fines and prison terms for individual defendants.
The number of FCPA enforcement
actions increased by 85% from 2009 to 2010.
As of June 30 this year, 17 actions
have been filed, and 2011 is poised to yield a record number of trials and
defendants to challenge FCPA charges. Even Corporate America is playing
its part, with the first ever FCPA trial of a company.
The monetary penalties assessed against corporations in 2010 were also
astounding in their magnitude. In total, companies paid a record $1.8 billion
in financial penalties to the DOJ and SEC in 2010. Of the top 10 biggest
FCPA settlements of all time, eight of them were reached in 2010.
In just one 2011 case (and there are several notable ones, including IBM
and Tyson), in April of this year, Johnson & Johnson agreed to pay $77
million in combined penalties related to improper payments to government
officials in Poland, Greece and Romania. According to every report I
read, Johnson & Johnson was very forthcoming, and admitted responsibility
for its actions and subsidiary company actions in these countries, as well as
In countries with socialized medicine, every doctor in the country may
be considered a government official. Doctors' research payments or even travel
and entertainment payments to induce product or pharmaceutical purchases may
violate the statute.
As troubling as the government actions, financial penalties and reputation
damage are to a company, there are new civil threats from enterprising
plaintiffs seeking to capitalize on FCPA misconduct: derivative claims,
securities fraud actions, tort and contract law claims, employment lawsuits,
and private actions under RICO statutes.
The FCPA Law blog regularly publishes the "corporate investigations list." The
last list I could find was published in January 2011 - it listed 71
companies (nearly all of them issuers) that are known to be the subject of an
ongoing and unresolved FCPA related investigation. With social media and
blogs, it is nearly impossible to keep such investigations quiet, even in their
Dodd-Frank introduced more than 2,000 pages of new regulations and provisions.
As a result of the new Whistleblower rules under Dodd-Frank, companies are
fearful of more whistleblowing occurring, more lawsuits, more fines and a
much higher cost of compliance. The new rule doesn't require
Whistleblowers to report violations internally to qualify for an award under
the SEC's program. How do you establish a spirit in your company that
encourages your employees to invest in your compliance protocols before they go
to the SEC?
In most cases, the SEC will not
consider information that was obtained through a communication that was subject
to the attorney-client privilege. This is one more reason to ensure
that privilege isn't needlessly eroding in your companies.
A final note about Dodd-Frank - it
included an obscure provision called "Conflict Minerals" where U.S. companies
have to report whether certain minerals, such as gold, are used in their
products - even trace amounts - and whether those minerals came from the Congo
and adjoining countries. Even though it isn't illegal to use them,
companies will be required to audit and report on where the minerals they use
come from. The idea is that shareholders and consumer groups will put
pressure on companies to stop using anything from the Congo because of its
human rights violations.
It isn't finalized yet, but nearly
6,000 U.S. companies are expected to be affected by this provision as of Jan.
With the blurring of one's personal life and professional life - because of the
ubiquitous nature of social media and proliferation of smartphones and other
devices that we use in the workplace - corporate compliance and controls have
the potential to erode every day.
Security experts say that employees
are easy targets for security breaches because we readily and enthusiastically
post volumes of information about ourselves and our jobs online. Blogs
and social media sites like LinkedIn are very useful sites for criminals -
since many of us share details about our roles at work.
In May, a Hewlett-Packard
executive accidentally exposed the company's cloud computing strategic plans on
LinkedIn by updating his profile with details about what the company was
building. Bloggers and probably competitors quickly noticed it before the
executive could take it down. This was an executive!!
How many of you use Gmail for your personal email? In June of this year,
Google shut down a phishing attack that targeted the personal Gmail accounts of
what it described as senior U.S. Government officials, Chinese and South Korean
political activists and others who were communicating through Gmail instead of
through the official, secure email accounts of their organizations.
The challenge for compliance officers and the legal department is that social
media is inherently decentralized. Social media amplifies and broadcasts
our personal bad decisions and our bad judgment.
Carrying and using smartphones and tablets brings the risk of introducing
unknown security holes inside corporate networks. And senior
executives in your companies are often the most guilty of leaping on the latest
As we all know, when it comes to compliance, people are the weak link in every
organization. Another thing that well intentioned employees do is share
their corporate login and password with employees inside the company - after
receiving an email requesting them. Hackers have figured out how to have
such a request appear as though it's coming from an internal, trusted account,
such as the IT dept. The answer from a compliance standpoint? Have
a policy where employees NEVER share their login credentials and passwords with
anyone in your company. Not even your CEO. If you get such a request
- notify the appropriate IT compliance person.
Gregg and others of you will talk about the increasingly important role of IT
in your compliance program. I'm wondering if you have gone so far as to
have IT security experts assigned to the compliance dept?
In 2010, 662 organizations publicly disclosed data breaches - and the number is
likely much higher because countless companies don't disclose them.
A final thought before I turn it
over to the co-chairs: Challenging times in the world of business signal
an opportunity to rethink things - from ethics and compliance guidelines to
business models. For the in-house/outside counsel relationship, there is
an opportunity to get creative, focus on cementing the best relationships and
locking in value, and look at how outside services are priced, handled and