Do Law Firms Need Compliance Programs?

Do as I say; Not as I do.

The bankruptcy of Dewey & LeBoeuf sent shivers throughout big law firms. The firm could trace its history back 100 years and employed over 1000 lawyers when it exploded. Last week, key leaders of the firm were charged with securities law violations and criminal theft charges related to the law firm’s bond issuance.

When Dewey went under, the first thing that caught my eye was its bond issuance. That seemed an unusual way for a law firm to finance its cash flow and capital needs. Unfortunately for the Dewey leaders, it’s one thing to lie to the firm’s partners and lenders about the firm’s financial health. But lying to the bond purchasers is securities fraud.

According to the indictment and SEC complaint, the firm was behind on its lender covenants and started reclassifying items to make its financial statements meet the targets. In reading through the charges, some of those accounting adjustments sound bad and some sound questionable. An accountant would probably not approve, but the Dewey managers may have some arguments to justify the changes.

“I assume you new [sic] this but just in case. Can you find another clueless auditor for next year?”

Oh my… What would a lawyer say to his client who put something like this in an email?

Whatever argument the Dewey managers may have had about the accounting treatment is going to be questioned when there are emails discussing the decisions with phrases like: “fake income”, “accounting tricks” and my favorite: “cooking the books”. At this point, we only have the government’s side of the story and the Dewey managers have not had a chance to tell their side of the story.

There is an email asking for back-dated checks so the firm can book revenue to the prior year in an effort to make 2009 year-end numbers. That is followed by a response from another manager asking for the email to be re-worded so it does not sound like it’s engaging in accounting fraud.

The firm is not meeting its financial goals. That’s disappointing, and its lenders are going to reel the firm in. The solution was a bond offering. According to the SEC and district attorney, the firm’s financial statements were fraudulent.

This seems like a classic “company gone bad” fraud scheme. The firm insists on making its numbers and pushes its accounting treatment to make the numbers in that quarter, but ends up robbing income from the following quarter. It hopes it can catch up, but never does.

The firm managers had been fraudulently claiming revenue that Dewey did not have and kept pushing expenses and financial obligations off into the future. Dewey had to cut partner compensation and that was not enough to prevent them from leaving. With the loss of partners, there was a loss of revenue. At some point the rubber band is stretched too far (not that law firms are that flexible) and snaps. The firm managers could no longer fool Dewey’s lenders and bondholders. It had no choice but to file bankruptcy, sending thousands onto the unemployment line.

But this was a law firm that, on a regular basis, dispensed advice about compliance and SEC enforcement and accounting fraud. As Donna Boehme and Joseph Murphy point out in 10 Inconvenient Truths About Law Firm Compliance (.pdf):

Fact 1: People create risks. Fact 2: Law firms have people.

It seems like Dewey had a case of not following the advice it dispensed to its clients.

Email, Warrants and Corporate Email

Inside the company, you can take away your employees’ expectations of privacy when it comes to email. It has been unclear whether the same is true when it comes to the government inspecting your email. Surprisingly, there has been little law on whether your email would be subject to the same protections as your phone calls from government snooping. Does the government need a warrant to obtain the contents of your email from your internet service provider?

The latest case to address the issue is U.S. v. Warshak out of the Sixth Circuit Court of Appeals which held:

If we accept that an email is analogous to a letter or a phone call, it is manifest that agents of the government cannot compel a commercial ISP to turn over the contents of an email without triggering the Fourth Amendment. An ISP is the intermediary that makes email communication possible. Emails must pass through an ISP’s servers to reach their intended recipient. Thus, the ISP is the functional equivalent of a post office or a telephone company. As we have discussed above, the police may not storm the post office and intercept a letter, and they are likewise forbidden from using the phone system to make a clandestine recording of a telephone call—unless they get a warrant, that is.


The case is based on charges against the manufacturer of Enzyte with its Smilin’ Bob commercials. The company got into a mess of mail and wire fraud because of their sales practices and banks closing down their accounts.

The government seized 27,000 emails from the company’s internet service provider under the Stored Communications Act (18 U.S.C. §§ 2701 et seq.), a statute that allows the government to obtain certain electronic communications without procuring a warrant. As you might expect, the company objected to this government action.

Once you become a registered investment adviser, you are going to be subject to inspection by the Securities and Exchange Commission. The SEC will likely not need a warrant for any records or communication required to be kept under the Investment Advisers Act. You can’t have an expectation of privacy for stuff you are required to submit to SEC examination.

As an employer, you own the hardware and the network and you can decide how your employees use them. If you clearly state that your employees have no expectation of privacy for email on the company’s network then you are free to dig into their email traffic as part of an internal investigation.

The Warshak case is important for criminal law, but has no effect on corporate email policies.

That’s a $h!#ty Policy

On the front page of today’s Wall Street Journal is a story about one of the fallouts from Goldman Sachs’ recent problems with the SEC: George Carlin Never Would’ve Cut It at the New Goldman Sachs.

One of the most sensational bits of the Goldman Sachs fiasco was an email from a Goldman executive: “[B]oy that, timberwolf was one $h!#ty deal.” Apparently, Goldman thinks the solution is to ban profanity in electronic messages.

Of course, everyone needs to pay closer attention to what is written down in email. Emails are often reviewed and taken out of context during litigation. Saying it was a “$h!#ty deal” is more sensational than saying it was a “bad deal.”

Monitoring language in email has been part of financial service compliance for years. The SEC requires that compliance monitor for improper activity and advice. It will be easy enough to have the monitoring program also search for George Carlin’s “Seven Words You Can Never Say on Television” and their variants.

The big problem will be false positives once you start getting into the variants. That means frontline employees and deal flow will get emails bounced back or blocked. Inevitably, compliance will get the blame for messing up a deal.

The other problem is enforcement. The first line of enforcement will probably be to block messages from being sent with profanity in them. That works as long as you can eliminate false positives. The alternative is to notify compliance when a message has profanity. Compliance can then keep track of the number of messages and report back to management for discipline.

“Employee A had 354 messages with “$h!#ty”, 1,567 with F@(k, and 456 with this word which I don’t know but sounds dirty.”

Sounds like a $h!#ty policy and a $h!#ty role for the compliance department.

N.J. Supreme Court upholds privacy of personal e-mails accessed at work

The New Jersey courts have been handling a case that squarely addressed a company’s ability to monitor employee email.

Back in April of 2009, I mentioned a New Jersey case that found e-mail, sent during work hours on a company computer, was not protected by the attorney-client privilege: Compliance Policies and Email. That later was overturned: Workplace Computer Policy and the Attorney Client Privilege.

The New Jersey Supreme Court has ruled on the appeal and found that the employee

“could reasonably expect that e-mail communications with her lawyer through her personal, password-protected, web-based e-mail account would remain private, and that sending and receiving them using a company laptop did not eliminate the attorney-client privilege that protected them.”

The court went a step further and chastised the company’s lawyers for reading and using privileged documents.

The court’s decision focused on two areas: the adequacy of the company’s notice in its computer use policy and the importance of attorney-client privilege.

Computer use policy

The court was not swayed by the company’s arguments about its computer use policy. The company took the position that its employees have no expectation of privacy in their use of company computers based on its Policy. The court found that the policy did not address personal email accounts at all and therefore had no express notice that the accounts would be subject to monitoring. Also, the policy did not warn employees that the contents of the emails could be stored on a hard drive and retrieved by the company.

Attorney Client Communication

The bigger problem was that the communications between attorneys and their client are held to a higher standard. They were not “illegal or inappropriate material” stored on the company’s equipment that could harm the company. The e-mails warned the reader directly that the e-mails are personal, confidential, and may be attorney-client communications.

In my opinion, the nature and content of these emails made this an easy decision for the court.

Key Considerations

The decision does not mean that a company cannot monitor or regulate the use of workplace computers.

  • A policy should be clear that employees have no expectation of privacy in their use of company computers.
  • A policy needs to explicitly address the use of personal, web-based e-mail accounts accessed through company equipment.
  • A policy should warn employees that the contents of e-mails sent via personal accounts can be forensically retrieved and read by the company.

Monitoring Employee E-mail in Canada

The key to a defensible system of e-mail monitoring is the creation of a comprehensive and communicated computer use policy. That is apparently as true in Canada as it is in the United States.

Brian Bowman and Andrew Buck put together an excellent privacy primer: Monitoring employee e-mail: a privacy primer.

In what situations is e-mail monitoring justified? And what tests can we use to answer this question? Canada has no definitive answer either.

Workplace Computer Policy and the Attorney Client Privilege

Back in April, I mentioned a New Jersey case that found e-mail, sent during work hours on a company computer, was not protected by the attorney-client privilege: Compliance Policies and Email (Stengart v. Loving Care [.pdf]). That case has now been overturned. It seems that a company’s policy on computer use may be more limited than I originally posted.

Factual Background:

The company provided Stengart with a laptop computer and a work email address. Prior to her resignation, plaintiff communicated with her attorneys, Budd Larner, P.C., by email about an anticipated suit against the company, and using the work-issued laptop but through her personal, web-based, password-protected Yahoo email account. After Stengart filed suit, the company extracted a forensic image of the hard drive from plaintiff’s computer. In reviewing plaintiff’s Internet browsing history, an attorney discovered numerous communications between Stengart and her attorney from the time period prior to her resignation from employment with Stengart.

I found it strange that the email from a web-based email account would be stored on the local computer. I am going to guess that it was attachments to the email that ended up stored on the computer in a temporary file and not the email itself.

Company Position:

According to the decision, the company’s policy may not have been clearly distributed and applied. There were some factual disputes about whether the company had ever adopted or distributed such a policy. There was a further dispute as to whether the policy, even if it was put in place, applied to executives like Stengart.

Decision:

In the end the company’s position didn’t matter and the court assumed the policy was in place. Instead, the court took a harsh position:

A policy imposed by an employer, purporting to transform all private communications into company property — merely because the company owned the computer used to make private communications or used to access such private information during work hours — furthers no legitimate business interest. See Western Dairymen Coop., 684 P.2d 647, 649 (Utah 1984). When an employee, at work, engages in personal communications via a company computer, the company’s interest — absent circumstances the same or similar to those that occurred in State v. M.A., 402 N.J. Super. 353 (App. Div. 2008); Doe v. XYC Corp., 382 N.J. Super. 122, 126 (App. Div. 2005) — is not in the content of those communications; the company’s legitimate interest is in the fact that the employee is engaging in business other than the company’s business. Certainly, an employer may monitor whether an employee is distracted from the employer’s business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee’s personal communications.

Those were some broad statements, but the decision was ultimately limited to the attorney-client privilege.

There is no question — absent the impact of the company’s policy — that the attorney-client privilege applies to the emails and would protect them from the view of others. In weighing the attorney-client privilege, which attaches to the emails exchanged by plaintiff and her attorney, against the company’s claimed interest in ownership of or access to those communications based on its electronic communications policy, we conclude that the latter must give way. Even when we assume an employer may trespass to some degree into an employee’s privacy when buttressed by a legitimate business interest, we find little force in such a company policy when offered as the basis for an intrusion into communications otherwise shielded by the attorney-client privilege.

It seems that New Jersey courts are now taking the position that a company cannot read an employee’s personal e-mail, even when the employer has a policy stating that the employee has no reasonable expectation of privacy. The exception to this rule would be when the company needs to know the content of the e-mail to determine whether the employee broke the law or violated company policy.

Extranets for Law Firm and Client Collaboration – Moving Beyond Email

One of the problems with collaboration between law firms and their clients is that too much of it happens through email. Email is fast, allows you to send the same message to lots of people, and is inexpensive.

But it is still a set of messages sent back and forth, much like the Pony Express. To figure out what is going on you need to comb through the messages and hope that you end up looking at the latest message. Since email is so fast and so inexpensive, you often end up with a barrage of short ineffective messages.

With email, the message ends up in a different place for the sender and recipient. If I send the email, it is in my sent items and it ends up in the inbox for the recipient. Each recipient may do something different with that email once it’s in their email in-box. Some may pile it on top of the thousands of other emails in their inbox, some may file it in another email folder, some may print and delete, and some may just delete.

There has been talk for years of using extranets to change the way law firms and their clients communicate. Unfortunately, it seems there has been more talking than there have been successful extranets.

The trouble with deploying a successful extranet is finding both an attorney team and a client team that want to share information by using an extranet.

The most common extranet for a legal team is the document war room seen in larger acquisition transactions. There is a great benefit to having the documents in one place, typically with some great security. But they lack the communications tools needed to move it beyond being merely an online fileroom.

An extranet can be poorly organized and messy, making the relevant information hard to find. But organizing the information in a meaningful way can save lots of time and money for both the law firm and the client.

One of the challenges for using an extranet platform is deciding which one to use. Should it be sponsored by the law firm or the client? If it is sponsored by the law firm, a few issues arise. One, the law firm will have to allow access to the client’s other law firms working on similar matters or the client will have to work with a different extranet for each of its different law firms. If the client sponsors the extranet, then the client bears the expense and maintenance burden of the extranet platform. There also will be the expense and resources spent on showing the law firm how to use the extranet platform.

One barrier to overcome is that there is a broad variety of possible extranet platforms that operate very differently and provide information in very different ways. Some of the newer 2.0 tools show how the web can be better used as a collaboration space. They also break down some of the barriers to using an extranet. Perhaps the next generation of extranets will be more effective. The answer may be SharePoint. Microsoft is pushing its SharePoint platform, causing it to become more pervasive and bringing some of the concepts of Enterprise 2.0 into many business environments. By having a common platform, you could break down some of the barriers to extranet adoption.

Compliance Policies and Email

You should take a look at your computer use and email policies to see how they address three recent cases involving email in the workplace.

The first case involves unauthorized access (Van Alstyne v. Electronic Scriptorium, Inc.). The president of the company had broken into an employee’s personal AOL email account. The employee had occasionally used that email account for business communications. To top off the bad behavior, the president of the company had propositioned the employee before firing her and then accessing that email account.

In the second case (Stengart v. Loving Care [.pdf]), Ms. Stengart resigned from Loving Care and sued the company. Before leaving she e-mailed her lawyer through her personal web-based account from her company-issued computer using the company’s internet access. Loving Care recovered temporary files stored on that computer which contained copies of Stengart’s attorney-client communications. Stengart discovered that Loving Care’s lawyers planned to use her e-mail in the litigation. She asked the trial court to decide whether the e-mail, sent during work hours on a company computer, was protected by the attorney-client privilege. The court held that it was not.

In the third case (Noonan v. Staples), Staples fired sales director Alan S. Noonan for padding his expense report. Executive Vice President Jay Baitler sent an e-mail to approximately 1,500 employees explaining the reason for the firing. The e-mail contained no untruths, but Mr. Noonan sued for defamation anyhow. Unfortunately for Staples, truth is not a defense in Massachusetts if the challenged statement was communicated with actual malice.

Lessons? What should you have in your company’s computer policy?

First, tell employees that they should not use personal e-mail accounts for purposes of conducting company business.

Second, the company should have a policy that any message sent from a company computer is subject to disclosure and the employees should not have an expectation of privacy.

Third, employees should not access another employee’s files or email accounts, whether they are the company’s or personal.

Fourth, employees should not use email or company computers to send malicious messages.

Finally, make sure you can prove that each employee knows these rules.

Email Compliance 201

LiveOffice presented a webinar on records management issues related to electronic correspondence and archiving. (I missed the Email Compliance 101 session.)

First up was Christina Rovira, Legal Compliance Advisor at CoreCompliance & Legal Services, Inc. She pointed out that the SEC and FINRA require investment advisers and broker-dealers to supervise the business activities of their representatives. There is a fiduciary duty to act in the best interest of the client.

FINRA Rule 3010 requires written supervisory procedures including an annual internal audit. This audit includes a review of correspondence (that means email too). Securities Exchange Act of 1934 Section 17a-3 & 17a-4 sets standards for retention. FINRA Rule 07-59 (.pdf) addresses the supervision of electronic communications. Investment Advisers are covered under Rule 204-2 with a laundry list of requirements.

The rules are largely risk-based. So you need to focus on new hires and others under closer supervision. In reviewing the communications you want to develop a search lexicon to try to identify issues in the electronic communication. You also want to make sure you exclude privileged attorney-client documents/correspondence. It may be better to store those in a separate repository. They also emphasized that you need to search the text of the attachments as well as the email itself. Attachments generally have more problems.

What to look for?:

  • discussions of performance without disclosure
  • inclusion of testimonials
  • predictions and projections
  • references to past specific recommendations
  • unbalanced discussions of risk/reward
  • disclosure of confidential client information
  • breaches of privacy policy

Archiving functionality is key. You need to be sure that you cannot modify or delete email in the archive.

Privacy is a hot button right now. Regulation S-P promulgated under section 504 of the Gramm-Leach-Bliley Act implements notice requirements and restrictions on a financial institution’s ability to disclose nonpublic personal information about consumers. State laws are going further. There is California’s SB1 Financial Information Privacy Act and Massachusetts has 201 CMR 17.00. That means you need to look for social security numbers, drivers’ license numbers, new account forms and client specific information.

They turned to conflicts of interest and insider trading issues. For example, you should focus on communications between the research desks and trader desks.

The panel also pointed out that you need to look at the communication tools to see whether you can capture the communication. If you can’t capture it, then they cannot use it. You must affirmatively prohibit the use of the tool. For example, some social networking sites are a problem. A Blackberry is okay as long as you route it through the company’s email and capture the email in the archive.

R. Anthony Seyboth moved on to give the sales pitch for LiveOffice.

Things You Should Never Put in an E-Mail

Molly McDonough of the ABA Journal puts together a list of things you should never put in an email, borrowing from Roger Matus’s 10 Things Never To Put In Email:

  1. “I could get into trouble for telling you this, but…”
  2. “Delete this email immediately.”
  3. “I really shouldn’t put this in writing.”
  4. “Don’t tell So-and-So.” Or, “Don’t send this to So-and-So.”
  5. “She/He/They will never find out.”
  6. “We’re going to do this differently than normal.”
  7. “I don’t think I am supposed to know this, but…”
  8. “I don’t want to discuss this in e-mail. Please give me a call.”
  9. “Don’t ask. You don’t want to know.”
  10. “Is this actually legal?”

If you find yourself typing one of these phrases, perhaps you should delete the entire email. These are catchphrases often used by e-discovery professionals to find smoking gun emails.
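
The review steps from the Email Compliance 201 notes (a search lexicon, attachment text, privileged mail held apart, Social Security numbers) combined with the catchphrase list above, as an added Python example that is not from the webinar, LiveOffice or the original posts. The regexes, category names, counsel domain and sample messages are constructed assumptions, and attachment text is assumed to be extracted already.

```python
import re
from dataclasses import dataclass, field

# Category -> patterns. The phrases come from the lists on this page; the
# regexes and category names are constructed for illustration.
LEXICON = {
    "smoking_gun": [r"delete this e-?mail", r"shouldn'?t put this in writing",
                    r"never find out", r"is this actually legal"],
    "projection": [r"\bguaranteed? returns?\b"],
    "testimonial": [r"\btestimonials?\b"],
    # SSN shape minus ranges never issued (area 000/666/9xx, group 00,
    # serial 0000), which removes many order-number false positives.
    "ssn": [r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b"],
}
COMPILED = {c: [re.compile(p, re.I) for p in ps] for c, ps in LEXICON.items()}
PRIVILEGE_LEGEND = re.compile(r"attorney[- ]client|privileged (?:and|&) confidential", re.I)
COUNSEL_DOMAINS = {"outside-counsel.example"}  # hypothetical domain

@dataclass
class Message:
    sender: str
    recipients: list
    body: str
    attachments: list = field(default_factory=list)  # text already extracted

def normalize(text):
    """Fold curly apostrophes and line wraps so phrases match across breaks."""
    return re.sub(r"\s+", " ", text.replace("\u2019", "'"))

def is_privileged(msg):
    """Counsel on the thread, or a privilege legend in the body."""
    parties = [msg.sender, *msg.recipients]
    if any(p.rsplit("@", 1)[-1].lower() in COUNSEL_DOMAINS for p in parties):
        return True
    return bool(PRIVILEGE_LEGEND.search(normalize(msg.body)))

def mask(category, value):
    """Keep raw SSNs out of the review queue itself."""
    return "***-**-" + value[-4:] if category == "ssn" else value

def scan(msg):
    """Return (category, location, matched text) for body and attachments."""
    parts = [("body", msg.body)]
    parts += [(f"attachment[{i}]", t) for i, t in enumerate(msg.attachments)]
    hits = []
    for where, text in parts:
        text = normalize(text)
        for category, patterns in COMPILED.items():
            for pattern in patterns:
                for m in pattern.finditer(text):
                    hits.append((category, where, mask(category, m.group(0))))
    return hits

def triage(messages):
    """Split mail into a review queue and a privileged set that is not scanned."""
    review, privileged = {}, []
    for idx, msg in enumerate(messages):
        if is_privileged(msg):
            privileged.append(idx)
        elif hits := scan(msg):
            review[idx] = hits
    return review, privileged

# Constructed sample messages.
SAMPLE = [
    Message("rep1@adviser.example", ["client@mail.example"],
            "The fund has guaranteed returns. Delete this email\nimmediately.",
            ["New account form\nSSN: 123-45-6789\nRef: 000-12-3456"]),
    Message("rep2@adviser.example", ["lawyer@outside-counsel.example"],
            "Is this actually legal?"),
    Message("rep3@adviser.example", ["ops@adviser.example"],
            "Lunch at noon? Order no. 987-65-4321."),
]

if __name__ == "__main__":
    review, privileged = triage(SAMPLE)
    print("privileged (held apart):", privileged)
    for idx, hits in review.items():
        print(idx, hits)
```

The second message contains a lexicon phrase but is never scanned because counsel is on the thread, and the number-shaped strings in the first attachment and third message are rejected by the SSN range checks.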