Investigation and prosecution of corporate crime in New York

March 2024  |  SPOTLIGHT | RISK MANAGEMENT

Financier Worldwide Magazine

March 2024 Issue

Companies doing business in New York (including multinational companies) are well-advised to be familiar with two significant changes relating to government investigation and prosecution of corporate crime in that state.

Whistleblower pilot programme

In a new, first-of-its-kind policy, the Southern District of New York US Attorney’s Office (SDNY USAO) announced a whistleblower pilot programme, effective March 2024, to incentivise voluntary disclosure of corporate crime by individuals. Policies seeking to motivate companies to self-disclose have become ubiquitous throughout the Department of Justice (DOJ), including at the Criminal Division and US attorneys’ offices around the country. Here, however, the SDNY hopes to motivate individuals to expose corporate crime – including persons who were themselves involved in the corporate misconduct being reported.

In contrast to whistleblower policies administered by the Securities and Exchange Commission (SEC) and a number of other agencies, there is no financial incentive (a whistleblower reward). Instead, the ‘carrot’ is leniency in the criminal matter itself, namely, a non-prosecution agreement for the reporting individual who qualifies under the policy.

For a reporting individual to receive a non-prosecution agreement, the SDNY USAO must conclude that several important requirements, as outlined below, have been met.

First, the disclosure pertains to conduct by or through a public or private company, exchange, financial institution, investment adviser or investment fund, involving fraud or corporate control failures or affecting market integrity, or state or local bribery or fraud relating to federal, state or local funds. However, violations of the Foreign Corrupt Practices Act, as well as violations of federal or state campaign financing laws, federal patronage crimes, corruption of the electoral process or bribery of federal officials are not covered.

Second, the corporate misconduct was not public and not already known to the SDNY.

Third, the disclosure was voluntary and not in response to a government inquiry or obligation to report misconduct.

Fourth, the individual is able to provide ‘substantial assistance’ in the investigation and prosecution of one or more ‘equally or more culpable persons’, and will cooperate fully. As with the concept of substantial assistance under section 5K of the US Sentencing Guidelines, the determination of whether the assistance was substantial lies with the prosecutor.

Fifth, the disclosure must be complete and truthful in all respects.

Sixth, the individual is not a federal, state or local government official, a federal investigative or enforcement agent or officer, ‘a person of major public interest’ or the chief executive, chief financial officer or equivalent of either a public or private company. No definition is provided for the concept of ‘major public interest’, which is left to the discretion of the prosecutor.

Lastly, the individual has no prior felony conviction or prior conviction of any kind for a crime involving fraud or dishonesty, and has not participated in any crime involving violence, a sex offence involving a minor, terrorism or a national security offence.

For individuals who disclose the types of crimes covered by the policy, but who do not satisfy the programme’s requirements, the pilot programme provides that SDNY prosecutors may nonetheless consider exercising discretion to offer a non-prosecution agreement in exchange for the individual’s cooperation. The policy sets forth the factors to be taken into consideration, which are drawn from the DOJ’s Justice Manual.

Given the limitations and exceptions to the policy, and the fact that it is the SDNY that determines whether the policy requirements have been met in any particular case, it will be interesting to see whether the programme is effective in motivating individuals to come forward with information about the types of corporate crime that the SDNY USAO seeks to uncover. Certainly, it is difficult to imagine that any individual involved in misconduct, and who has any understanding of the complexities of the policy, would come forward without having consulted with counsel. Nonetheless, for companies doing business in New York it is important to be aware that this programme is now an additional risk factor in terms of corporate misconduct being discovered by enforcement authorities.

Accessing employees’ offline communications

The second significant change is that companies doing business in New York must also fend with new restrictions regarding accessing employees’ offline communications. On 14 September 2023, Kathy Hochul, the governor of New York, signed Assembly Bill 836 prohibiting employers from requesting that employees or job applicants disclose the login information – such as usernames and passwords – to their personal online or electronic accounts.

The new law also prohibits employers from retaliating against employees or applicants who refuse to provide such login information. As a result of this legislation, New York employers that routinely rely on information they obtain by accessing employees’ or applicants’ personal accounts when conducting internal investigations or responding to government inquiries may need to adjust their investigative approach.

Under Assembly Bill 836, employers are prohibited from requesting, requiring or coercing any employee or applicant to: (i) disclose their username, password, authentication information or any other information used to access their personal accounts via an electronic communications device; (ii) access their personal accounts in the employer’s presence; or (iii) reproduce in any manner photographs, video or other information contained within a personal account obtained by means prohibited under the law.

‘Personal account’ is defined as “an account or profile on an electronic medium where users may create, share, and view user-generated content, including uploading or downloading videos or still photographs, blogs, video blogs, podcasts, instant messages, or internet website profiles or locations, that is used by an employee or an applicant exclusively for personal purposes”.

There are limited exceptions for employers under the new law, which permit them to seek access to personal accounts if: (i) necessary to comply with a court order or federal, state or local law; (ii) needed to access the employer’s internal computer or information systems; (iii) the account was provided by the employer and is used for business purposes, and the employer provided prior notice of its right to access the account; or (iii) the employer knows the account is being used for business purposes.

Employers are also permitted to access electronic communications devices or restrict access to their networks on electronic communications devices that they pay for – in whole or in part – when the payment was conditioned on the employers’ access rights. However, employers may not access any personal accounts on these devices. Additionally, the law does not prohibit employers from accessing personal account information that is publicly available or provided voluntarily.

Notably, Assembly Bill 836’s exceptions do not include an exception for conducting internal investigations aimed at possible voluntary disclosures of illegal conduct to the DOJ or other regulators.

Recommendations in light of these new developments

Compliance programme health checks and tune-ups. Ensuring a corporate culture and a set of policies and controls that not only discourage misconduct but encourage internal reporting and demonstrate corporate accountability by following through with strong remediation is the best way to prevent individual employees from deciding they need to take matters in their own hands by reporting to authorities.

Confidential internal investigations. While it is always important to maintain the confidentiality of internal investigations, the risk that an employee who learns of an investigation may decide to turn into a voluntary reporter further heightens the stakes. Depending on circumstances, this could impact decisions such as: (i) whether and when to engage in document preservation and collection efforts before issuing a document hold to employees, if any; (ii) the order in which to interview particular employees or other witnesses; and (iii) the extensiveness of document and data review and analysis to be completed before initiating interviews.

Counsel for individuals. There are many factors to be considered by a company in determining whether to voluntarily provide separate counsel for individual employees in a corporate white-collar matter. Where possible, and consistent with the professional responsibility rules governing company counsel, a company will want to complete enough investigatory work to make its own decision whether to voluntarily disclose or not before engaging counsel for individuals.

Strong offline communication controls. This includes technological improvements in monitoring communications involving non-company email addresses, strengthening disciplinary measures against employees upon discovery of their engagement in offline communications for conducting business, frequent and documented employee training, and an environment that encourages – or at least does not discourage – the internal reporting of violations of the company’s prohibitions on offline communications. Given article 836’s exception for personal accounts of employees that the company knows have been used for business communications, companies should implement technological solutions that detect business communications occurring in its system that involve emails with common personal email account domain names, like gmail.com, yahoo.com, icloud.com and the like. These controls would enable firms to require employees to provide access to their offline accounts under this exception.

Employee consent to access personal data. Companies can implement incentives to obtain employees’ consent to view their personal cell phones, devices and email accounts. For example, they could allow personal phones in the office only if such consent is given or offer financial incentives to employees for providing their consent. When formulating such incentives, however, companies must also be careful not to implement coercive policies lest they run afoul of Assembly Bill 836’s restrictions.

Moreover, to the extent companies have adopted policies and procedures requiring employees to turn over personal devices or email accounts as part of their remediation in connection with settlements with the SEC or Commodity Futures Trading Commission (CFTC), they may need to revisit those policies and procedures. Independent compliance consultants assigned as part of these SEC and CTFC settlements will also need to keep the restrictions of article 836 in mind when advising settling companies going forward.

Non-New York-based companies must tailor their offline communications policies for New York-based employees. By its terms, Assembly Bill 836 applies to any company operating outside New York that has employees working in the state. These companies must carefully build into their policies and procedures provisions tailored to the new restrictions applicable to New York employees under Assembly Bill 836.

 

Patrick F. Linehan, Iris Bennett and Brigida Benitez are partners at Steptoe LLP. Mr Linehan can be contacted on +1 (202) 429 8154 or by email: plinehan@steptoe.com. Ms Bennett can be contacted on +1 (202) 429 8125 or by email: ibennett@steptoe.com. Ms Benitez can be contacted on +1 (202) 429 6261 or by email: bbenitez@steptoe.com.

© Financier Worldwide

BY

Patrick F. Linehan, Iris Bennett and Brigida Benitez

Steptoe LLP

©2001-2024 Financier Worldwide Ltd. All rights reserved. Any statements expressed on this website are understood to be general opinions and should not be relied upon as legal, financial or any other form of professional advice. Opinions expressed do not necessarily represent the views of the authors’ current or previous employers, or clients. The publisher, authors and authors' firms are not responsible for any loss third parties may suffer in connection with information or materials presented on this website, or use of any such information or materials by any third parties.