In Part II on In-House Counsel, I examine the field of enforcement risks facing in-house counsel and outline my Top 6 Risks. The challenges facing in-house counsel are significant and growing. It is important to try and picture the vantage from their point of view.
It is easy for us in the “blogosphere” to write about compliance in a vacuum where we can pontificate about best practices for anti-corruption compliance or export control. The challenge is to look at all the risks from in-house counsel’s point of view and come up with a integrated approach to compliance – in other words, build in synergies where compliance in response to one risk can help with addressing another risk.
So aside from the chilling effect of the Laura Stevens case, here are the most significant risks facing in-house counsel and their clients.
1. False Claims Act — While everyone has been bloviating on the topic of anti-corruption, the False Claims Act continues to be the most significant risk facing business today — each year, the Feedral government collects over $4 billion in fines and penalties. As part of the Affordable Care Act push, the Justice Department secured a number of changes to the False Claims Act which gave them even greater leverage to prosecute civil and criminal False Claims Act cases. The government has a variety of tools which give them overwhelming leverage for civil and criminal enforcement. Individual instances of so-called “false” claims are trebled and can quickly add up to the millions and even billions of dollars. Because the False Claims Act relates to conducting business with the government, it creates an even more important power to exclude businesses and individuals from certain business, and/or suspend or debar businesses from government contracts. All of these advantages are supplemented by an established whistleblower program which allows “relators” or private citizens to allege False Claims Act violations against companies in order to seek significant monetary rewards. Once these complaints are filed under seal, the government reviews the matter to determine whether or not it should intervene – if it decides to intervene, the government has a success record of 99 percent.
2. FCPA – While I write often about the FCPA risks facing businesses today, the FCPA does not even come close to the risks facing businesses in the False Claims Act. I know that sounds like heresy but there is no real comparison. Assuming your business has a significant international presence, the risk of committing bribery and being caught is far less than the False Claims Act where you have an established bar and practice relating to whistleblowers/relators who know how to pursue False Claims Act cases. The SEC’s whistleblower program is in its infancy and there is no established protocol or whistleblower bar to create a track record. Nonetheless, the anti-corruption risks are significant, particularly in emerging economies like China, Russia and India. If you are operating in these countries, the chances are (1 would predict 99 percent) that there are violations occurring on regular basis. The risk of detection is growing and in-house counsel need to be realistic on their ability to respond to issues as they arise.
3. Antitrust – The risk of civil or criminal antitrust enforcement is more significant in the Obama Administration than any other administration in recent memory (perhaps back to the Carter Administration). There is no question that antitrust enforcement has been reinvigorated. The risk of antitrust enforcement is even greater in Europe where the European Union annually collects over $2-$3 billion each year in antitrust penalties. Moreover, the EU has a far broader interpretation of “anti-competitive” conduct than US antitrust enforcers, although the US and EU enforcement agencies have been trying to narrow that gap. Antitrust enforcement brings with it follow-on civil litigation which can be costly and time consuming for businesses. When the US government brings a criminal antitrust case, a class action suit brought by customers/victims is guaranteed.
4. Export Controls and Sanctions – One of the fastest growing areas for enforcement is export controls and sanctions. Compliance should be a priority, especially because it is not s resource intensive as other significant risks. Companies have to take precautions when they export their products. Low-cost database sources have to be installed and checked to make sure that customers are prohibited persons or in prohibited countries. Regulatory compliance is a challenge given the maze of regulation regimes at the State Department, the Department of Commerce, US Customs and the Bureau of Alcohol, Tobacco and Firearms. Financial companies face real challenges with the rapid movement of money and other financial instruments.
5. Data Breach – One of more under-appreciated risks for all businesses is the occurrence of consumer data breach. Companies face a patchwork of state regulation and requirements when consumer data is accidentally disclosed or stolen. Responding to the risk means complying with the most stringent requirements of all 50 states. It is a nightmare and the follow up requirements of notification, remediation and sometimes compensation can be devastating to a business, particularly smaller businesses. Congressional efforts to pass legislation and create a uniform federal law which pre-empts state regulation has been frustrated by attempts to create civil enforcement actions and to require business notification of law enforcement agencies. Until there is federal legislation in this area, businesses will continue to face the 50-state risk of data breach enforcement and regulation.
6. Data Privacy – In response to growing resentment over privacy invasions and the ubiquity of the internet, data privacy is fast becoming a hot topic, particularly for global businesses. In the United States, standards for compliance are more amorphous in this area, and are being debated and imposed through individual agency enforcement actions. Google is reportedly about to settle with the FTC a precedent setting privacy action for $22 million relating to its capture of consumer information through its search function. Meanwhile, data privacy regulation in the EU is stringent and requires pain-staking review for compliance and possible violations. The EU’s regime has created compliance difficulties for companies operating across EU countries. Companies are trying to comply but face a myriad of difficult compliance issues.