Global Crisis Management Series:  This post is part 1 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis.  The current version is available here.

A company faced with a crisis needs to act quickly to assess and determine the scope of any potential liability in order to guide its first response and frame the forthcoming investigation.  Issues overlooked in the early phases of an investigation could prove very costly down the road, limiting options or potentially subjecting a company to greater penalties.  Understanding the full scope of potential liability early in an investigation allows a company to develop a plan of action through consideration of how such penalties can potentially be mitigated and whether it is sensible to set aside reserves for potential fines and other expenses associated with an investigation.  The severity of such penalties may also shed light on who needs to be informed, including for example, whether any public disclosures will be necessary. 

In determining the scope of that liability and potential consequences, companies should think broadly about:  (1) civil or criminal enforcement liability, (2) the possibility of private civil litigation, (3) individual employee liability, and (4) collateral consequences flowing from the crisis.  The below is a non-comprehensive list of factors that companies should consider when assessing risks and liability at the outset of a crisis.

(1) Civil or Criminal Enforcement Liability:  Companies should consider the nature of the conduct at issue, the relevant investigative authorities, and the range of potential sanctions.

Assessing the nature of the conduct at issue will allow a company to determine which regulatory and statutory regimes may apply and correspondingly which authorities have jurisdiction over the relevant conduct.  For example, bribery abroad may have been accomplished with funds flowing through a bank in New York on behalf of a publicly traded company.  Each step of the conduct could potentially implicate, in turn, the FCPA, New York anti-money laundering laws, and federal securities laws.

Once the nature of the conduct is understood, companies should seek to understand which authorities may be relevant.  Financial fraud could simultaneously involve the DOJ, SEC, FINRA, the New York State Department of Financial Services, and the local district attorney while conduct concerning unlawful drug marketing practices could implicate the FDA, both the civil and criminal divisions of the DOJ, and the Department of Health and Human Services.  Importantly, understanding the many potential authorities enables a company to appropriately disclose improper conduct if necessary in order to begin mitigating the consequences of the crisis.

Finally, once a company has a grasp on the nature of the conduct and relevant authorities, the company can determine the range of potential sanctions—such as fines, monitorships, and deferred and non-prosecution agreements—through review of past prosecutions and settlement agreements as well as publicly stated enforcement priorities and cooperation guidelines.  Understanding the range of sanctions imposed for similar conduct allows a company to set realistic targets for handling the crisis and to manage the expectations of the relevant stakeholders.

(2) Private Civil Liability:  Companies facing a crisis should consider the range of potential private plaintiffs and the possible claims they could bring.

After a civil or criminal enforcement action begins, follow-on litigation, frequently class action litigation, is likely, particularly where disclosure of the crisis results in a significant drop in the stock price of the company.  Critically these civil suits are likely to capitalize on information that becomes public through an investigation.

Understanding the scope of private civil liability as compared to civil or criminal enforcement liability also allows companies to make informed decisions about how to deal with authorities.  Extensively sharing information with regulators to obtain cooperation credit is frequently at loggerheads with limiting discovery in civil actions, and therefore companies should expect that presentations made to regulators would also need to be turned over in civil litigation or even that sharing findings from an internal investigation may risk waiving privilege for the underlying work product.[1]

(3) Individual Employee Liability:  In discerning the scope of individual employee liability, companies should consider whether the company can be held liable for the actions of individual employees, whether disciplinary action is appropriate, and whether the company should retain separate counsel for individuals.

Corporations traditionally are liable under the doctrine of respondeat superior for the actions of their employees, but regulators may often take a more holistic view when determining whether to charge a corporation.  The DOJ, for example, considers whether employee wrongdoing has been voluntarily disclosed and the adequacy of corporate compliance programs when deciding whether and to what extent to hold corporations responsible for the wrongdoing of their employees.[2]  But companies should also pay particular attention to pronouncements and guidance from the relevant authority to properly calibrate their response.  While former Deputy Attorney General Sally Yates issued a memo limiting cooperation credit unless companies disclosed “all relevant facts” regarding individuals involved in corporate misconduct,[3] then Deputy Attorney General Rod Rosenstein subsequently relaxed this requirement to focus on disclosure of wrongdoing by those individuals “substantially involved” in wrongdoing and to allow individual DOJ attorneys more discretion in granting cooperation credit.[4]

Even after a crisis begins, companies may still be able to take steps to mitigate liability for employee misdeeds.  This includes decisions about whether disciplinary action—an aspect of remediation under SEC and DOJ guidelines—is appropriate or even possible in light of foreign labor laws.

Finally, companies should consider whether they need to retain separate counsel for individual employees because of possible adversity with that employee and the extent to which company counsel can and should communicate with separate counsel about the matter.  Such communication is often beneficial for the company to gather facts and fully understand the scope of potential wrongdoing, but the DOJ views unfavorably the existence of a joint defense agreement between a company and individual employees when assessing cooperation credit.[5]  Therefore decisions about retaining and communicating with counsel for individual employees should be made with a full understanding of these competing factors.

(4) Collateral Consequences:  When thinking about the collateral consequences of a crisis, companies need to consider the impact of producing particular documents, making concessions when entering into settlements, and the potential for legislative action.

Producing documents to receive cooperation credit in one investigation may run afoul of privacy laws such as the European Union’s General Data Privacy Regulation, and companies may need to proactively educate regulators about the requirements of foreign privacy regimes.  And the decision to waive privilege over certain documents may result in a subject matter waiver having substantially broader consequences for other documents and information.

Concessions made when entering into settlements may have important implications on regulatory statuses or exemptions as a consequence of civil administrative orders or criminal convictions, which may in turn have broader implications for the company’s ability to conduct its business.  A company that adequately understands these implications can more intelligently negotiate a settlement to, for example, admit to certain bad acts but not others or to word certain findings in a way that does not trigger additional collateral consequences.

Finally, it is not uncommon that major crises trigger calls for legislative action.  In recent years, costly cyber breaches of sensitive data, for example, have generated substantial state regulation with calls for federal regulation and even potential criminal liability for executives.  Companies should be mindful of this potential impact in how they manage public and government relations during a crisis.

*          *          *

Often the considerations of how to best handle different aspects of risks and liability will come with competing concerns.  Seeking cooperation credit may risk enabling private civil litigation and likewise refusing to concede individual employee wrongdoing to avoid respondeat superior liability could jeopardize a regulator settlement.  Fully understanding the scope of potential liability is critical to planning and prioritizing a response to a crisis so that when difficult decisions need to be made, the company can fully understand these competing concerns and work to mitigate the impact of the crisis across the landscape of potential risks and liabilities.

[1] See, e.g., SEC v. Herrera, 324 F.R.D. 258 (S.D. Fla. 2017) (holding that oral downloads of interviews waived work product protection of the underlying interview memos).

[2] Dep’t of Just., “Justice Manual,” § 9-28.800 (2018),

[3] D.A.G. Sally Yates, “Individual Accountability for Corporate Wrongdoing,” Dep’t of Just. (Sept. 9, 2015),

[4] Dep’t of Just., “Deputy Attorney General Rod J. Rosenstein Delivers Remarks at the American Conference Institute’s 35th International Conference on the Foreign Corrupt Practices Act” (Nov. 29, 2018),

[5] Dep’t of Just., “Justice Manual,” § 9-28.730 (2018),