Global Crisis Management Series: This post is part 12 in a series concerning topics further elaborated on in Cleary Gottlieb’s Global Crisis Management Handbook—a desk reference for spotting issues and avoiding common mistakes when faced with a crisis. The current version is available here.
One critical issue to consider in responding to an investigative request is whether by producing the requested data, the company will be waiving a privilege or violating legal confidentiality obligations, including data privacy restrictions. To avoid inadvertently waiving protections over the company’s information or violating any legal restrictions on the production, companies should consider whether any of the following are implicated by the information requested by the authority:
Attorney-Client Privilege and Attorney Work Product. Investigative requests may ask for documents and other materials about broadly-worded topics, some of which implicate legal advice the company received from in-house or external counsel. While the topics of that legal advice may technically be responsive to the authority’s request, companies can limit or prevent disclosure of privileged information, as materials covered by either attorney-client privilege or attorney work product need not be disclosed in response to a compulsory request. However, consideration of these protections at the outset is critical as they may be inadvertently waived.
In the United States, attorney-client privilege protects against disclosure of communications between a lawyer and client made for the purpose of seeking or providing legal advice, and extends to communications made during the course of an internal investigation between a company’s employees and the company’s counsel.[1] The work product doctrine protects against disclosure of documents (or other tangible items) containing mental impressions, opinions, or legal theories prepared in anticipation of litigation. Privilege and work product protections differ by jurisdiction, however, and it is therefore important to be sensitive to choice-of-law issues and the applicable substantive law of privilege in investigations involving legal advice that touches foreign jurisdictions.
In some cases, it may be in a company’s strategic interest to disclose privileged information to the requesting authority, for example, in order to support an advice of counsel defense. Such decisions should be made carefully, however, as an intentional waiver of privilege over certain materials can lead to a finding that the privilege holder has waived privilege on an entire subject matter. Entering into confidentiality or non-subject matter waiver agreements with the requesting authority can help to mitigate these risks.
If materials are withheld from a production on this basis, the authorities will often ask for a “privilege log” identifying information sufficient to conclude that the document is privileged, such as the participants in a communication and the subject matter of the document.
Confidential Supervisory Information. Financial institutions responding to investigative requests should be mindful of limits on the disclosure of information related to examinations by prudential regulators. Financial institutions supervised by the Board of Governors of the Federal Reserve Bank (the “Board”) may have access to confidential supervisory information (“CSI”), which is subject to the Board’s regulations governing its disclosure.[2] In practice, CSI covers information related to the examination of a financial institution by a bank examiner.[3] Relevant bank examiners include the Board, the Office of the Comptroller of the Currency, the New York State Department of Financial Services, the Consumer Financial Protection Bureau, and the Federal Deposit Insurance Corporation, among others. For example, because all CSI remains the property of the Board, no supervised institution or individual to whom the information has been made available may disclose such information without the prior written consent of the Board’s general counsel, unless a specified exception applies.[4]
Blocking Statutes or Restrictions on Cross-Border Data Transfers. Where an investigative request seeks information located in foreign jurisdictions, the recipient’s ability to respond may be restricted by foreign laws that limit the cross-border transfer of certain information or require notice to foreign authorities before such transfers are made. These limitations may include: (i) foreign blocking statues that prohibit exporting documents for use in judicial or administrative proceedings without government consent;[5] (ii) data privacy laws that similarly restrict cross-border access to information stored in certain countries, particularly in the EU;[6] and (iii) requirements that certain foreign authorities be notified of a request that implicates data or documents stored in their jurisdiction and/or that the information be provided through the local authority as a conduit.[7]
Like the other potential restrictions discussed in this post, companies should consider the relevance and importance of blocking statutes or other similar restrictions at the very beginning of an inquiry. Ideally, these issues should be analyzed before any documents are collected, as decisions about where to collect and review data can have ongoing consequences throughout the investigation and may impact the company’s ability to argue that the production of such materials is restricted during later stages of the investigation. This is especially important for companies with global operations that are subject to different, and possibly inconsistent, legal regimes across jurisdictions. Depending on the particular foreign laws and requirements at issue, such restrictions may also provide an opportunity for the company to negotiate narrowing the scope of a request, in order to quickly get the investigating authority at least some of the information it seeks or in the interest of obtaining approval from the foreign authority to facilitate the production of the information sought.
Personally Identifiable Information. Some information not covered by a statutory restriction or other legal doctrine may still be protected from disclosure, such as personally identifiable information (“PII”), which can be used to identify an individual in context (for example, name, social security number, passport number, driver’s license number, address, or phone number). Authorities may be amenable to a company redacting PII if it is irrelevant to the purpose of their investigation. In addition, where PII is produced, there may be statutory limitations on further disclosure by the relevant authority,[8] or procedures by which the company can request confidential treatment by the authority.[9] Companies should be mindful, however, that prohibitions against disclosure may not apply where such disclosure is required by the Freedom of Information Act, or where another federal, state, or local government requests such information for purposes of civil or criminal law enforcement.[10]
Confidentiality Agreements. Companies should also consider the terms of confidentiality agreements with clients or customers that restrict their ability to disclose certain information. While standard non-disclosure agreements may include contractual provisions accounting for the possibility of compulsory requests, companies should further analyze such agreements for applicable notice provisions before documents are produced. In addition, companies asked to disclose information subject to confidentiality agreements may be able to rely on common law provisions that provide exceptions to confidentiality for government requests. Certain investigating authorities may also be amenable to companies seeking confidential treatment of such information in order to limit further disclosure and collateral liability under the terms of an applicable contract.[11]
[1] Upjohn Co. v. United States, 449 U.S. 383, 395 (1981).
[2] See generally 12 C.F.R. § 261.
[3] See 12 C.F.R. §§ 261.2(c)(1)(ii)-(iii).
[4] See 12 C.F.R. § 261.20(g). Upon request, the Board may make CSI available to federal or state financial institution supervisory agencies and may authorize other discretionary disclosures of CSI as necessary. Id. at §§ 261.20 (c), (d), (e).
[5] 3 Robert L. Haig, Business and Commercial Litigation in Federal Courts § 21:97 (4th ed. 2017).
[6] See Council Directive 95/46, of the European Parliament and of the Council of 24 Oct. 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L. 281) 31; General Data Protection Regulation (GDPR) 2016/679, 2016 O.J. (L. 119).
[7] For example, the UK Financial Conduct Authority sets forth procedures by which information stored in the UK must be produced pursuant to a Notice of Requirement. See Financial Services and Markets Act 2000 § 169 (Investigations in support of overseas regulator), § 195 (Exercise of power in support of overseas regulator).
[8] See, e.g., Privacy Act of 1974, 5 U.S.C. § 552a (governing disclosure of PII).
[9] See, e.g., 17 C.F.R. § 200.83 (setting forth a procedure by which those submitting information to the SEC may request that it not be disclosed pursuant to a request under the Freedom of Information Act).
[10] 5 U.S.C. §§ 552a(b)(2), (7).
[11] See, e.g., Sec. Exch. Comm’n, Enforcement Manual § 4.3.1 (2017), https://www.sec.gov/divisions/enforce/enforcementmanual.pdf (The SEC Enforcement Division may enter into confidentiality agreements with a company subject to investigation, by which the SEC would agree not to assert privilege waiver for documents produced by the company that it would otherwise withhold as privileged. In addition, the SEC might agree to maintain confidentiality over certain materials provided by a company, “except to the extent that the staff determines that disclosure is required by law or that disclosure would be in furtherance of the SEC’s discharge of its duties and responsibilities.”).