All posts by Ben Fielding

About Ben Fielding

Ben Fielding joined Kroll Ontrack in 2001 and has been working in the e-discovery field for over 7 years. Ben advises lawyers and their clients on the management of evidence and the use of technology in litigation, investigations and other matters. Ben provides consultancy that assists clients in the interrogation and management of document intensive cases. This often includes advising on implications of the services associated with disclosure exercises, and scoping multi-regional projects. Ben also advises clients on strategies and techniques to help lawyers deploy technology effectively and responsibly and fulfil their goals. Ben’s clients include law firms, corporate counsel and government agencies. He is called upon for his significant depth, variety and volume of experience and is often consulted on the practicalities surrounding the management, processing and review of electronic evidence.

The Future of Scandal: Technology and Corporate Wrongdoing

For as long as there has been business and investors, there have been those who have sought to make money illicitly by breaking the rules and misleading others.

Nowadays, corporate scandals come in many shapes and forms, but among the most common are those related to fraud and price-fixing cartels. One thing that links all modern scandals is the importance of electronic devices, both as a means of propagating a scandal and as a source of electronic evidence that can be used to detect a scandal or deal with the legal consequences.

This article examines the life cycle of a scandal: how scandals are created and how they emerge. It also offers practical advice on prevention and crisis management.

How do scandals start and how can they be prevented?

A joint report by the International Corporate Governance Network (ICGN), the Governance Institute (ICSA) and the Institute of Business Ethics (IBE) suggests that certain corporate cultures can increase the chance of wrongdoing.

The report highlights some ‘red flags’ that can indicate malfeasance. According to the report, these are not industry-specific, with examples drawn from the banking, retail, manufacturing and automotive sectors. The report identifies three main factors that lead to a degeneration in ethical behaviour:

  • “Corporate stress” which encourages employees to take short-cuts
  • Tolerance of minor rule breaches and an atmosphere where rules are pushed to their limits
  • Focus on short-term targets

Much like the ‘Broken Windows’ theory of crime, the report’s authors believe bad behaviour is incremental. What could start as a relatively minor breach could develop into something more serious.

Other factors given by the report include:

  • controversial pay deals, such as high executive pay or targets which encourage risk-taking to hit short-term targets
  • complex legal structures which make it hard for boards and management to work out what is going on inside the company
  • poorly executed takeovers which lead to a mix of cultures within a company, with “pockets” of bad behaviour thriving beyond the control of the board
  • lax financial discipline, for example both Northern Rock and RBS had excessive leverage which led to their problems as the crisis hit.

The report also warned of the dangers of “autocratic” chief executives whom staff are afraid of angering for fear of reprisals, meaning that vital information about potential problems might never reach senior management.

The report said that the best way of improving companies’ corporate cultures to reduce risk was to get boards more involved and have a better understanding of the way staff are motivated and treated.

Changing company culture can be a long-term process. A more immediate preventative measure is to look to corporate communications. Scandals, particularly cartels, live and die by conversation. Without communication between parties, there can be no cartel, in the traditional sense of the word.

Including checks on communication can be a powerful part of any robust compliance strategy. Since evidence showing misconduct may be found in written communications and among irregularities found in financial data, savvy compliance officers and in-house counsel regularly conduct mock dawn raids and perform compliance audits. Both these methods are good starting points for companies wanting to take a more proactive approach to compliance.

What is a mock dawn raid?

Mock dawn raids are usually conducted by third parties, such as lawyers and ediscovery providers, to deliver the experience of an unannounced inspection from an authority. Computer forensics professionals will seize electronic devices, such as laptops, computers and phones, as well as take copies of data from servers and the cloud. They may also take paper documents. Data stored on these devices will then be forensically copied for analysis and a full audit trail maintained. Other consultants may train a variety of personnel (including receptionists, in-house legal and IT) on the proper procedures to follow when confronted with a surprise inspection.

After a mock dawn raid, it is possible to learn from the experience and identify areas that the company ought to address.

Mock dawn raids are a powerful tool for compliance officers because they can help to assess a company’s level of readiness for investigations, and they also send a strong message to employees that compliance is taken seriously.

Compliance audits

Authorities such as the European Commission and the Competition and Markets Authority recommend that companies conduct internal reviews to assess compliance. Regularly reviewing samples of electronic communications and information is an important part of an internal compliance audit. The benefit of such audits is to gain insight and to be in the driving seat if anything seems out of place.

Information gathered from interviews may lead the audit toward particular sources of data for review. Email, databases and even social media can be targeted to provide an organisation with a more comprehensive view of the levels of risk to which it is exposed.

As the know-how to interrogate databases develops, companies are increasingly using specialist data analytics tools to proactively examine financial, operational and transactional data. Even light analysis of databases can uncover patterns, anomalies and red flags. For example, data can be arranged graphically to show purchases by country or account number. Outliers such as purchases being made in unexpected countries or to duplicate accounts can then be investigated.
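The screening described above can be sketched in a few lines. This is an added example, not code from the article or from any analytics product; the ledger rows, field names, legal-suffix list and the 15% rarity threshold are all constructed assumptions.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample ledger for illustration only (not real data).
LEDGER = """id,payee,account,country,amount
1,Acme Supplies Ltd,GB11-0001,GB,1200.00
2,Acme Supplies Ltd,GB11-0001,GB,980.50
3,Borealis Freight,DE22-0417,DE,4300.00
4,ACME Supplies Limited,GB11-0777,GB,1150.00
5,Northwind Consulting,GB11-0310,GB,600.00
6,Harbour Logistics,GB11-0001,GB,2500.00
7,Borealis Freight,DE22-0417,DE,4100.00
8,Northwind Consulting,KY99-5521,KY,18500.00
"""

# Assumed list of company-form suffixes to ignore when comparing payee names.
LEGAL_SUFFIXES = {"ltd", "limited", "inc", "plc", "llc", "gmbh"}


def load(text):
    """Parse the CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def normalise_payee(name):
    """Lower-case, drop punctuation and legal suffixes so spelling variants match."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in LEGAL_SUFFIXES)


def rare_country_purchases(rows, min_share=0.15):
    """Return ids of purchases booked in countries holding < min_share of all rows."""
    counts = Counter(r["country"] for r in rows)
    rare = {c for c, n in counts.items() if n / len(rows) < min_share}
    return [int(r["id"]) for r in rows if r["country"] in rare]


def duplicate_accounts(rows):
    """Find accounts shared by different payees, and payees paid via several accounts."""
    payees_by_account = defaultdict(set)
    accounts_by_payee = defaultdict(set)
    for r in rows:
        payee = normalise_payee(r["payee"])
        payees_by_account[r["account"]].add(payee)
        accounts_by_payee[payee].add(r["account"])
    shared = {a: sorted(p) for a, p in payees_by_account.items() if len(p) > 1}
    split = {p: sorted(a) for p, a in accounts_by_payee.items() if len(a) > 1}
    return shared, split


if __name__ == "__main__":
    rows = load(LEDGER)
    print("purchases in rare countries:", rare_country_purchases(rows))
    shared, split = duplicate_accounts(rows)
    print("accounts shared by different payees:", shared)
    print("payees paid via several accounts:", split)
```

Each hit is a lead for review rather than a finding: a payee with two accounts may simply have changed bank.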

Regardless of the method chosen, organisations that carry out internal reviews to detect wrongdoing, such as corrupt practices and anti-competitive behaviour, are better positioned to defend themselves should a scandal be uncovered.

What industries are at risk from corporate scandals in 2017?

As stated earlier, scandals can stem from misconduct of individuals or small groups of individuals and so in theory any industry runs the risk of a scandal. However, corporate culture aside, some industries are more at risk from corporate scandals emerging simply because they are more heavily regulated than others and the regulator’s focus is increasingly broad.

The Competition and Markets Authority (CMA) stated that its priorities for 2017 were in the following areas:

  • Consumers’ access to markets and barriers to decision-making
  • Online and digital markets
  • Technology and emerging sectors
  • Regulated sectors and infrastructure markets
  • Markets for public services
  • Sectors that are important to economic growth

Ostensibly, this covers quite a large swathe of industries operating in the UK and beyond. Any corporation whose business activities fall under the above categories should consider making compliance a priority for 2017.

On a more international scale, the European Commission has also laid out its priorities for 2017, and whilst they are broadly analogous with the CMA’s, there are some interesting points to note. Firstly, European antitrust authorities will gain increased powers to prosecute breaches of competition rules under draft legislation to be proposed by next June, following talks between the Commission, corporations and competition experts.

Currently, the Commission is proposing the following actions to increase the power of national regulators.

  • giving national authorities tools to detect and sanction violations of EU competition rules;
  • encouraging companies to come forward to national authorities with evidence of illegal cartels through ‘leniency’ programmes;
  • ensuring the independence of the national authorities;
  • ensuring authorities have sufficient resources and staff.

Big data and how companies use big data is also a priority for the Commission. Companies in possession of big data can potentially trigger both Articles 101 (antitrust cases) and 102 TFEU (abuse of dominance cases). However, the Commission is looking to strengthen its ability to enforce the rules in cases involving big data.

During a speech in late 2016, Margrethe Vestager, the European Commissioner for Competition, stated that the Commission does not object to the collection of large data sets as long as they don’t hurt consumers in the process by undermining competition. In order to combat this, the Commission is aiming to release a proposal on legislation for big data in early 2017. Based on Vestager’s comments in the speech, this is likely to be in the form of a directive rather than a regulation.

She also commented that further scrutiny may be required for mergers with valuable data, even if the turnover of these companies is not large enough to come under the usual merger control criteria. Again, this widens the pool of companies who are at risk of corporate scandals emerging from regulation, bringing in smaller players who might not be prepared for competition scrutiny. Companies handling large data sets should ensure they are up to speed with the latest directives and understand how their data can breach EU law and take steps to ensure compliance.

What should companies do?

Going looking for trouble leaves some companies feeling squeamish, but the authorities often impose lower fines when a company confesses and provides good quality evidence to help the authorities with their investigations.

If the wrongdoing is exposed by a whistle-blower or as a result of a regulatory investigation, this can add considerable pressure to any internal investigation the company chooses to instigate. Companies who are implicated in this way are more vulnerable to penalties. Also, if the matter has had time to grow in scale, they face potentially larger legal penalties and fees than if they had put themselves into the whistle-blower position. And when outside investigators looking at one issue discover further skeletons in the closet, this can lead to further scrutiny, public criticism and costs.

If a company is implicated in a scandal, what is the best way to manage the situation?

  1. Act quickly and launch an internal investigation as soon as possible. Once news of a scandal is in the public domain, an investigation by a regulatory body is almost inevitable. An internal investigation will help get to the heart of the issue and enable a company’s legal team to form a strategy based on evidence found in the investigation. Time is of the essence, so technologies such as predictive coding can help find hot documents as early as possible. Predictive coding learns from the decisions made by human document reviewers to prioritise other similar documents for review and to predict how unseen documents might be categorised.
  2. Think outside the box when it comes to data. Email and calendar appointments are some of the most important sources of electronic evidence, but valuable evidence can be found from other sources as well. Twitter, Instagram and even GPS data from satellite navigation systems can provide revealing information that may be vital to a case.
  3. Use an experienced digital forensics provider. It is of vital importance that data is collected in a forensically sound, defensible manner. Digital forensics experts employ the correct techniques to carefully and accurately contain, preserve and extract critical evidence. This includes the implementation of a strict “chain of custody” procedure and audit trail throughout the analysis of the data. Leaving the task of handling such important evidence to in-house IT teams, potentially without advanced forensics knowledge, can compromise the defensibility of a case.

Although corporate scandals and wrongdoing can seem somewhat inevitable, a rigorous compliance regime and a positive company culture can reduce the risk of scandals causing reputational and financial damage should wrongdoing be found.

 

Privacy vs Security

In-house counsel and IT directors at tech companies are facing tough challenges in balancing data protection compliance and responding to increasing pressure from law enforcement agencies for access to data without compromising security or consumer confidence.

One of the reasons for this is the introduction of new data protection regulation in 2016, including the Privacy Shield agreement following the dissolution of Safe Harbor and the confirmation of the forthcoming EU General Data Protection Regulation (GDPR).

GDPR has been anticipated for the past three years. However, the Regulation was only finalised in 2016, giving companies just two years until the GDPR is enforced in May 2018.

The main points of interest are:

  • Increased fines for breaches of the GDPR, up to 4% of the annual global turnover
  • A “Privacy by design” provision requires that data protection is designed into business services. Measures to protect data must be taken from the start of engagement with clients.
  • Explicit consent must be obtained for the collection and processing of data. Contracts with clients should include a section on consent.
  • Multinational companies working across the EU will be required to appoint an independent Data Protection Officer. This will be a challenging role to fulfil given the breadth of knowledge required both to manage IT systems and to be familiar with the legal aspects of the GDPR.
  • International companies based outside the EU, but which hold data inside the EU, will be subject to these regulations.
  • “Right to erasure”. A client has the right to request the erasing of personal data. Organisations need to take steps to understand how easily and cost-effectively they can comply with these requests.

In addition to this, companies transferring data between the United States and the EU will now be subject to the recently-agreed Privacy Shield arrangement. The basis for the agreement is centred on the following 7 privacy principles[i]:

  • Notice
  • Choice
  • Accountability for Onward Transfer
  • Security
  • Data Integrity and Purpose Limitation
  • Access
  • Recourse, Enforcement and Liability

In addition to these principles, the EU-US Privacy Shield will:

  • Introduce an Ombudsman to investigate any complaints regarding access to data by US Intelligence agencies
  • Conduct a joint annual review by the European Union and Department of Commerce of the program

Although many of the changes in data protection law have been in response to technological developments such as social media, the European Commission has also taken a consumerist focus, commenting that privacy is a key concern for its citizens and as such, legislation such as the GDPR takes this into account.

Equally, Safe Harbor was dissolved due to action by Maximilian Schrems, a private citizen, who had concerns over the way data belonging to EU citizens was being handled. This background, as well as the need for regulatory compliance, perhaps explains why companies have been reluctant to comply with growing pressure from law enforcement.

The FBI v Tech providers

In 2015 and 2016, Apple received and challenged at least 11 orders issued by United States district courts under the All Writs Act of 1789. Most of these sought to compel Apple to assist with extracting data from locked iPhones in order to assist in criminal investigations and prosecutions. A few requests, however, involved devices with more extensive security protections that would require Apple to write ‘back door’ software to allow the government to directly access data.

Many commentators have been sceptical that the FBI needed to take Apple to court, suggesting that it has the technical know-how to extract data from these devices without assistance. Some privacy advocacy groups believe these court cases are not about technology but about establishing a legal precedent for wider access and surveillance.

A number of organisations such as WhatsApp, the online messaging service, have responded to this climate by introducing end-to-end encryption to increase users’ privacy and security. With end-to-end encryption in place, not even WhatsApp’s employees can read the data that’s sent across its network.

In other words, WhatsApp has no way of complying with a court order demanding access to the content of any message, phone call, photo or video travelling through its network. Like Apple, WhatsApp is, potentially, blocking law enforcement agencies, but is doing so on a larger scale than Apple, as WhatsApp is used on one billion devices including iPhones, Android, Windows, and even older Nokia phones.

Although third-party forensic specialists can now decrypt WhatsApp messages, it is likely that this will result in WhatsApp retaliating with further security updates. This effectively creates a vicious cycle of encryption and decryption.

This places in-house counsel in a difficult position, caught in the middle of these conflicting demands. On the one hand, they must ensure that their business practices meet the privacy requirements of regulators such as the European Commission and the standards demanded by their consumers. But equally, agencies such as the FBI have been putting increased pressure on companies to comply with their demands.

Companies with a low risk from law enforcement cases may opt to focus on ensuring they comply with all relevant data protection legislation. If a company does operate within a sphere that could attract the attention of the FBI and other enforcement agencies (e.g. communications, social media), then this is a delicate subject and one on which the company should seek expert legal advice. However, one potential resolution is cooperating with the enforcement agency to provide the information they seek via other channels and techniques.

As devices become more connected, it can be possible to access the required data from another device. For example, rather than examining a phone, an investigator could look at a computer (which might feature backups) or the Cloud.

Many people back up their phones on a computer. Investigators are then able to recover this data by taking an image of the computer’s hard drive and using forensic methods to search within the backup. This approach can often yield the following data types:

  • Emails
  • Photographs
  • Chat transcripts from apps such as WhatsApp
  • Notes

If a case requires emails or other kinds of unstructured data such as chat records, a wider net can be cast by including correspondents in the search for data. Ediscovery technology can sift through huge sets of unstructured data such as emails and instant messages, and techniques such as predictive coding mean that what could be a time-consuming exercise can be completed relatively efficiently.

By looking at the iPhone owner’s network of contacts, investigators may be able to obtain incriminating evidence from data owned by the receiver rather than the original custodian. Ediscovery technology is especially suited to this kind of exercise, as trained users can run searches for keywords and suspected code words which may be missed if someone simply reads the emails sequentially.

For suspected fraud, it may be possible to isolate patterns from available financial data using data visualisation tools. Data analytics specialists can take large sets of structured data (e.g. spreadsheets, data held in relational databases) and find previously unseen abnormalities that can be pinpointed to specific individuals. This evidence can then be used alongside other data to build a case.

Conclusion

2017 is unlikely to see a dilution in the tension between security and data privacy. The UK’s decision to leave the EU and the Prime Minister’s announcement that Article 50 will be invoked in March may even have the effect of complicating the situation still further. However, from a lawyer’s point of view, the ability to identify and report on a wide range of data sources using intelligent technology will only become more important across the board.

[i] https://www.privacyshield.gov/EU-US-Framework