Asian-mena Counsel: Sanctions & Investigations Special Report 2020Published in
When a crisis such as a regulatory raid or phishing attack grips an organisation, there are essential steps to take that can steady the business and help it steer clear of further danger.
By Yvette Anthony, Counsel, dispute resolution practice head, Singapore and Lyndon Choo, Legal Associate, Osborne Clarke.
It is a Sunday evening. You are the general counsel of a global technology multinational company. You have just been informed by someone from the business that investigators from the commercial affairs department are present at the office premises and are demanding access to all your company’s documentary, personnel and electronic records. There is a vague idea that the investigation relates to alleged corrupt practices involving a foreign joint venture.
Meanwhile, the company’s staff in the office are (naturally) alarmed by the presence of investigators. In their panic, they reach out to their contacts in the joint-venture partner. Some post videos and text messages about the incident on social media, while others start deleting emails they perceive as incriminating.
The above may be a hypothetical, but it is a real and very possible scenario given the increase in corporate scrutiny. Indeed, crises can come in various forms – from warehouse fires to phishing incidents and regulatory investigations.
Yet, organisations often scramble and flounder when faced with such situations. Potential ramifications of this include the inadvertent disclosure of sensitive information or accusations of evidence tampering. But there are some proven measures that an organisation can take to better prepare for unexpected events.
The establishment of a standing crisis-management committee helps ensure that organisations are able to effectively take charge of a crisis.
This committee should be made up of individuals managing the organisation’s main functions. This could include representatives from human resources, compliance, finance, legal and others.
To minimise confusion, a single point of contact within the committee (with a deputy) should be identified. This person would ideally have undergone some training in crisis management and be familiar with the standing orders to be followed during any incident.
Assemble the team
Organisations should try to bring external counsel on-board early to take charge of the response to an incident. This has a number of important benefits. External counsel with expertise and experience in investigations management can quickly oversee the situation, work with the crisis committee to prepare an action plan, and maximise the prospects of privilege over correspondence and documents that are to be retained.
In order to speed up the appointment of external consultants during a crisis, an organisation may prepare beforehand a shortlist of possible counsel with suitable expertise (for example, for tech companies, lawyers familiar with technology regulation). Companies may also consider having pre-agreed engagement terms, which can be quickly activated.
Privilege is a right to resist compulsory disclosure of correspondence and documents.
One type of privilege is legal professional privilege, which generally applies (at least in the main common law jurisdictions) over correspondence and documents exchanged between the external counsel and the client for the purpose of legal advice or the dominant purpose of litigation. In Singapore, such privilege extends to communications with in-house counsels.
To increase the prospect of successfully relying on privilege, it would help to state clearly on the face of correspondence and documents between the organisation and its external and in-house lawyers that these are privileged and confidential. Although not conclusive, this generally provides a starting point for arguments to be made on the nature of the correspondence/documents in question.
In a crisis or an unexpected situation, there is often a temptation to update as many business recipients as possible to keep them ‘in the loop’.
This practice carries certain risks, especially when there are ongoing investigations and potential litigation. For example, documents may lose privilege if sent to individuals with little or only tangential interest in the investigations.
Care should therefore be taken to limit communications to personnel on an absolute “need to know” basis, and mark such communications as privileged as discussed in the preceding section. Communications on the incident should also be done on a single secured channel (for example, encrypted work email), to avoid any information leakage.
Data retention policies
Once an incident occurs, it is important to have data retention protocols to preserve evidence relating to it. This could include standing orders to employees, and the suspension of any auto-delete IT policy. Doing so increases the chances of the organisation being able to review and evaluate critical evidence. It also minimises the likelihood of the organisation being accused of destroying evidence/interfering with investigations.