Privilege in Peril: Protecting the Privilege in Corporate and Government Investigations

When conducting a corporate investigation, a client and its legal counsel will have many goals. The primary goal is to identify, understand, and fix problems. Another paramount objective for companies and their executives is to preserve important privileges and confidences connected to communications with their lawyers. That’s often easier said than done. Ensuring these protections apply requires more than just designating a document as “privileged” and having lawyers in the room. It also requires more than cautioning employee witnesses that because the lawyers represent the company, the discussion is protected by the company’s attorney-client privilege. Even meticulously designing an investigation to cloak it in privilege from the outset cannot guarantee the privilege will be maintained throughout, given the complexities of investigations and the unavoidable involvement of third parties who may not have the same interests as the company.

Experienced counsel knows that third parties — even those who are “friendly” to the client — inevitably may seek disclosures that could put the most carefully guarded privilege in real jeopardy. It may be in a client’s interest to make a disclosure to one of these third parties — for example, to facilitate the completion of an external audit or to obtain insurance coverage. The disclosure may even be required by law. In all cases, client and counsel should consider the privilege impacts of what they disclose and whether there are alternative disclosures that would satisfy a third party’s request for information without jeopardizing privilege.

This article lays out privilege risks involved in disclosures to the most common groups of third parties — employees and potential whistle-blowers, outside auditors, consultants, insurers, and government entities — and potential ways to mitigate those risks. Interactions with each of these groups present their own unique threats to privilege all while providing useful — and often necessary — support to the company’s business and strategy. Companies must think ahead, understand these threats, and take steps to limit them before authorizing the disclosure of any confidential and privileged information. Once these legal protections are waived, you can’t get them back.

Company Employees and Potential Whistle-Blowers

Employees typically play a central role in any investigation, whether as fact witnesses, whistle-blowers, or because they are the cause of wrongdoing. Understanding how privilege applies to communications with employees will help companies avoid inadvertent waiver of privilege during an internal investigation.

The attorney-client privilege protects communications between the company’s lawyers and employees where a primary purpose of the communication is to provide legal rather than business advice. [See In re Kellogg Brown & Root, Inc., 756 F.3d 754, 760 (D.C. Cir. 2014).] This protection extends to interactions in the context of fact-finding investigations. [Id.; Upjohn Co. v. United States, 449 U.S. 383, 390−91 (1981).] For example, employee interviews conducted during an internal investigation fall under the attorney-client privilege if several conditions are met: 1) the witness understands that the interview is privileged and confidential; 2) the interview is conducted in a confidential manner; and 3) the interview concerns matters within the scope of the employee’s duties. [Upjohn, 449 U.S. at 394.] Under the “need-to-know” doctrine, a company employee may access privileged documents without destroying privilege so long as the employee reasonably needs to know of the communication to act in the company’s interests or is responsible for deciding whether to act on counsel’s legal recommendations. [Coastal States Gas Corp. v. Dep’t of Energy, 617 F.2d 854, 863 (D.C. Cir. 1980).]

The D.C. Circuit’s 2014 decision in In re Kellogg Brown & Root, Inc. confirmed the application of attorney-client privilege to employees of a company. The court held that: 1) an in-house attorney did not need to confer with outside counsel for the attorney-client privilege to apply to an investigation; 2) so long as an investigation “was conducted at the direction of the attorneys” in a company’s law department, the privilege applies even if employee interviews were conducted by non-attorneys; 3) it was not necessary to inform employees that they were being interviewed for the specific purpose of assisting the company in obtaining legal advice; and 4) “[s]o long as obtaining or providing legal advice was one of the significant purposes of the internal investigation, the attorney-client privilege applies, even if there were also other purposes for the investigation and even if the investigation was mandated by regulation.” [756 F.3d at 758−59 (emphasis added).]

Employees who are potential whistle-blowers add further complexity and may pose more direct threats to the attorney-client privilege. Whistle-blowers who reported allegations to their superiors may seek updates on the company’s investigation. Failure to address whistle-blower concerns can lead to litigation or cause a whistle-blower to report to the government or the press. Updating a whistle-blower about an investigation, however, may result in a waiver of privilege or work product protections. A company must, therefore, balance the risk of waiver against its interests in allaying whistle-blower concerns and managing the risk of further disclosures outside the company.

Companies must also carefully navigate rules protecting employee whistle-blowers against retaliation or constraints on further reporting. These rules increase the risks associated with sharing information with employee whistle-blowers even when such disclosure may be necessary to advance the investigation. It can be a delicate balance but, while it is essential to take every precaution in safeguarding the company’s privileges, a company should be careful that its efforts to prevent waiver do not run afoul of whistle-blower protections. SEC Regulation 21F-17, for example, prohibits companies from deterring employee communications with the Securities and Exchange Commission regarding possible securities law violations. SEC Regulation 21F-17 states: “No person may take any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.” Therefore, a company may not draft confidentiality agreements requiring employees to seek company permission before reporting possible violations to the SEC. Other whistle-blower protection laws include similar provisions.

To protect privilege during an internal investigation, companies should limit the information shared with employees about the investigation. Counsel should restrict communications with employees to matters within the scope of their employment and refrain from disclosing attorney work product to the extent possible. Company employees who are interviewed by counsel should be notified of the confidential nature of the investigation and should be told that the purpose of the investigation is to provide the company with legal advice. Before being interviewed, employees should be given Upjohn warnings, notifying them that counsel represents the company and not its individual employees, to ensure that any future decision on privilege waiver rests solely with the company. Further, to the extent a confidentiality agreement is considered, the agreement should prohibit disclosure of privileged communications but permit employees to disclose facts to the government to avoid impeding whistle-blower rights.

Outside Auditors

Companies often face the prospect of waiver when sharing information with outside auditors. Auditors may request reports pertaining to the company’s investigations or other materials bearing on potential litigation. Because an outside auditor is a third party and is not considered to be an agent of counsel, disclosure of otherwise privileged information to outside auditors typically results in waiver of the attorney-client privilege.

The work product doctrine may offer stronger protection where litigation is reasonably anticipated because disclosure to third parties does not automatically waive that protection, unless the third party is adverse. Most district courts have held that auditors are not adverse parties under the work product doctrine. These courts often cite the harmful effect such a rule would create if companies become discouraged from fully cooperating with auditors. One judge in the U.S. District Court for the Southern District of New York held that “any tension between an auditor and a corporation that arises from an auditor’s need to scrutinize and investigate a corporation’s records and book-keeping practices simply is not the equivalent of an adversarial relationship contemplated by the work product doctrine.” [Merrill Lynch & Co., Inc. v. Allegheny Energy, Inc., 229 F.R.D. 441, 448 (S.D.N.Y. 2004).] The D.C. Circuit in United States v. Deloitte LLP similarly took the view that outside auditors are not inherently adversarial. [610 F.3d 129, 143 (D.C. Cir. 2010).] The Deloitte court held that, in assessing waiver, “the question is not whether [the auditor] could be [the company’s] adversary in any conceivable future litigation, but whether [the auditor] could be [the company’s] adversary in the sort of litigation the [disclosed materials] address.” [Id. at 140.]

But some district courts have found waiver where work product was shared with an auditor. A different judge in the Southern District of New York reasoned that “[g]ood auditing requires adversarial tension between the auditor and the client,” [Medinol, Ltd. v. Boston Scientific Corp., 214 F.R.D. 113, 116 (S.D.N.Y. 2002).] and held that work product protection had been waived as to both the results of an investigation and the minutes from a corresponding board meeting, which company counsel had shared with an outside auditor.

Although most courts do not consider outside auditors to be adverse parties, given the somewhat unsettled legal landscape, companies must carefully evaluate sharing information with outside auditors to prevent waiver of privilege or work product protections. In some circumstances, it may be advisable to provide auditors with information about the internal investigation process rather than disclose attorney work product that could become discoverable later. Companies should also clarify their relationship with outside auditors by including, where appropriate, detailed confidentiality provisions in contracts and clearly marking documents as attorney work product.

Third-Party Consultants and Advisers

Companies and counsel may benefit from bringing in third-party consultants, such as accountants, translation services and public relations firms, to advise on specialized matters and should take steps to ensure that sharing privileged material with these third parties does not waive privilege.

Communications with third-party consultants can be protected by the Kovel doctrine. Kovel applies when the communication was intended to remain confidential and when the consultant’s work is useful to an attorney’s provision of legal advice to the client. [United States v. Kovel, 296 F.2d 918, 922 (2d Cir. 1961).] If a consultant acts in a way that is “functionally equivalent” to a department of the company, the communications between the company’s lawyers and the consultant still may be viewed as standard attorney-client communications. [See, e.g., In re Copper Market Antitrust Litig., 200 F.R.D. 213, 218-20 (S.D.N.Y. 2001) (attorney-client privilege extended to crisis-management firm hired by foreign client and given full authority to communicate with English-language media).] However, if the consultant’s work does not fit under the Kovel umbrella, sharing privileged materials to assist with nonlegal matters will waive privilege. The determination rests on the extent to which the consultant’s involvement was intended to assist the legal case. [See In re Grand Jury Subpoenas, 265 F. Supp. 2d 321, 330-31 (S.D.N.Y. 2003) (holding public-relations firm was within the privilege when engaged by attorneys to manage public opinion that would influence prosecutor’s charging decision).]

To increase the likelihood of protection under Kovel, all parties need to understand their roles and expectations. The consultants should be engaged through lawyers, not by the company directly, regardless of how the bill is paid. Engagement letters should make clear that the consultant has been retained to assist in providing legal advice and in anticipation of potential litigation. Further, the consultants should work under the direction of the legal team, with documentation of that arrangement throughout the process.

Insurance Companies

The activity that leads a company to conduct an internal investigation may trigger the defense obligations of the company’s insurer or require the company to seek coverage for losses incurred. There is no special privilege relationship between insurers and insureds, and the company should be aware of threats to privilege that will arise from sharing information with insurers. The work product doctrine will only apply where communications are made in anticipation of litigation, but privilege analyses are heavily fact-dependent and based on the specific terms of an insurance contract.

Many courts have held that the extension of the attorney-client privilege to communications with an insurance company depends upon the nature of the insurer’s duty to defend the company. Generally, if an insurance contract contains a duty to defend with no reservations regarding the types of claims covered, communications between insurer and insured are more likely to be protected by the common interest doctrine, meaning disclosure of otherwise-privileged information will not constitute a waiver. [E.g., Cont’l Cas. Co. v. St. Paul Surplus Lines Ins., Co., 265 F.R.D. 510, 519 (E.D. Cal. 2010).] In some cases, however, an insurance company’s obligations may be more limited.

Many insurance agreements include reservations, such as indemnity denial for certain types of claims, or a requirement that the corporation hire its own counsel. Courts addressing these situations have found that the claim of common interest between insured and insurer is weaker, increasing the risk that confidential communications between the entities will not be privileged. In In re Imperial Corp. of America, a court found that two letters written by company counsel to an insurer regarding a litigation were not protected by the attorney-client privilege. [167 F.R.D. 447, 455 (S.D. Cal. 1995).] Despite the existence of two joint defense agreements between the insured and insurer, the court found no basis for privilege where the insurer had no duty to defend the company under the insurance policy terms; the letters also did not request or provide legal advice but instead requested settlement contributions. While the letters contained opinion work product that would normally be protected, those protections were waived because litigation between the company and insurer was “a very real possibility” when the letters were sent.

To manage and avoid waiver risks, companies must be acutely aware of the specific terms of an insurance liability policy and what obligation it imposes on an insurer in the litigation context. That said, a company must also understand that there is always some possibility that it could end up adverse to its insurer. Decisions made in the investigation should anticipate this possibility from the start.

The Government and Regulators

When a company uncovers wrongdoing, it may be in its interests to disclose the problem to government regulators and seek credit for cooperation. However, divulging investigative findings to the government presents a range of privilege concerns, many of which have not been resolved by the courts. While government-provided guidance has shifted in recent years, some general themes remain unchanged: government agencies expect robust disclosures, and the government has much less interest in preserving privilege than the party under investigation.

Federal authorities formerly considered a company’s willingness to waive privilege in assessing its cooperation, but more recent Justice Department guidance does not explicitly demand waiver. Still, companies are expected to provide all relevant facts to the government to receive full cooperation credit, under the rationale that facts themselves are not privileged. Of course, when the company and its counsel learn relevant facts through a privileged investigation and must reference privileged communications to identify the source of those facts, this still presents problems. To the extent the company will later assert privilege against nongovernmental actors, the privilege could be deemed waived by the government disclosure.

A December 2017 ruling regarding cooperation with the SEC vividly illustrates this risk. In SEC v. Sandoval Herrera, a company hired outside counsel to investigate accounting issues with a foreign subsidiary. [SEC v. Sandoval Herrera, No. 17-20301-CIV, (S.D. Fla. Dec. 5, 2017).] Counsel interviewed company employees and prepared memoranda summarizing those interviews. The investigation was disclosed to the SEC and counsel provided information about their findings, including “oral downloads” describing the substance of interview notes and memoranda for 12 witnesses. When the SEC pursued a civil suit against former executives who oversaw the subsidiary, the defendants subpoenaed those notes and memoranda from company counsel, arguing that any work product protection was entirely waived by the oral presentation to the company’s undisputed adversary. Even though the SEC had received only oral summaries, not the underlying documents, the court agreed with the defendants and compelled the production of all notes and memoranda for the witnesses that had been discussed. While the parties later resolved this discovery dispute, causing the court to vacate its rulings as moot before they were challenged further, the risk of this reasoning being adopted by other courts is real. One proposed step to limit the risk of waiver is a confidentiality or “nonwaiver” agreement, through which the company agrees to confidentially disclose certain facts or material to the government while not waiving privilege as to the rest of the world.

These agreements are intended to limit the scope of the waiver between the disclosing company and the government; in some instances, these agreements have been upheld by courts against a third-party challenge. A recent case in the Southern District of New York, for instance, found that privilege was not waived by disclosure under such an agreement, in part, based on the public interest in cooperating with law enforcement. [In re financialright GmbH, No. 17-mc-105 (DAB), (S.D.N.Y. June 23, 2017).] The decision acknowledged, however, that enforcement of nonwaiver agreements is not uniform and may be decided on a “case-by-case basis.” Other cases have held that confidentiality agreements either have no weight or should simply be “one of several factors” in the analysis. [See, e.g., Alaska Elec. Pension Fund v. Bank of Am. Corp., No. 14-CV-7126 (JMF), (S.D.N.Y. Jan. 20, 2017) (collecting cases and concluding that work-product protection had been waived by sharing materials with government agencies).]

While an agreement with the government might serve to protect privilege from other parties, it is no guarantee. If disclosure of privileged information is sufficiently helpful or critical to the case, it may outweigh the risks of having to give the same information (or more) to third parties later (e.g., plaintiffs in civil litigation). Any disclosure should be carefully weighed, given the implications of a potential waiver.

Conclusion

Investigations are complicated. There is no guaranteed method to protect the attorney-client privilege and work product protection from being waived. A company may be required to make disclosures to outside auditors or the government, or it may need to disclose information to various third parties, such as consultants, public relations firms, insurance companies, and its employees to understand the full scope of a potential violation and to conduct damage control. Company counsel must act carefully and deliberately, particularly at the outset of every interaction with a third-party, to put the company in the best position to accomplish the goals of the investigation without needlessly — or inadvertently — jeopardizing the company’s privileges.