Juggling multiple objectives in a crisis situation

Balber kicked-off the panel discussion: “A crisis is more serious than a difficult issue. It is time-critical, unexpected, brings an intense media spotlight and interrupts ‘business as usual.’”

“In a crisis, companies need to limit sensitivity amid intense media scrutiny. They need to minimize liability and damage to reputation; retain (or enhance) goodwill and employee morale; strengthen and showcase brand value; minimize the effects of media coverage; work with regulators and governments to stave off intervention and enhanced regulation; and protect business operations and retain investor confidence,” he continued.

“The in-house counsel plays the role of quarterback. They will likely possess the most complete knowledge of the facts and issues of anyone in the business and may act as a conduit for information, as well as controlling and coordinating the flow of information with investors, employees, customers and the press,” said Balber.

More specifically, lawyers need to juggle multiple competing, and sometimes conflicting, goals. These include, “maintaining the integrity of investigations and preserving evidence; identifying and advising on legal risks; mitigating liabilities; ensuring compliance with regulatory and legal obligations; identifying and pursuing legal remedies; and considering legal risks in the broader context all while ensuring day-to-day legal obligations are met,” added Balber.

A hypothetical crisis scenario

Forming the basis of the discussion, Herbert Smith Freehills presented conference attendees with a hypothetical scenario where a publicly traded global financial services company, headquartered in New York, with offices in London, Paris, Hong Kong and elsewhere, faced several crises amid a contemplated corporate divestment. The key events that transpired leading up to, during and just after the hypothetical crisis took place included:

• In-house counsel for the financial services company was speaking with the CEO about an upcoming sale of a business unit when she learned a massive cyberattack carried out by hackers had frozen customer accounts, preventing millions from withdrawing funds.
• The hackers obtained access to confidential information including due diligence files relating to the company’s potential divestment.
• The hackers claimed to have uncovered information concerning payments made by the company’s CFO to officials at a foreign state investment fund in Latin America.
• Across all company computers a banner appeared stating that the CFO is corrupt and has paid bribes.
• Following this, the CFO acknowledged to the in-house counsel his payment of said bribes.
• Prior to the cyberattack, a software engineer had warned that there were vulnerabilities in the software that manages customer accounts. The allegations were dismissed and the engineer was terminated.
• To make matters worse, it became known that the CEO was advised of the engineer’s concerns but covered them in anticipation of the pending divestment.

Ten broad questions were then presented and discussed by the panel who shared insights from their professional areas (and countries) of focus.

1. Which issue should be prioritized by the in-house counsel: the customer accounts, the alleged bribe, or the sale of a business unit and associated sensitive information?

The PR professionals suggested that “customer accounts must be fixed first because customers are the lifeblood of the business.”

Spiro agreed that “the customer accounts are the single most important issue, but all three issues need to be dealt with from the outset so there is no single priority.”

In Asia, Wombolt said “the Hong Kong regulators would demand that account holders are notified but will not offer guidance on prioritizing the other issues.” Wombolt adds that the conversation could be different in mainland China where the government owns banks.

The investigative journalist noted that she “would first focus on the customer accounts as it is of interest to the largest number of readers, but also finds the bribe very interesting.”

2. Who should be on the company’s crisis team? Should the CEO, CFO, or both be excluded?

“The composition of a communications committee is the first decision that PR firms need to agree on with a client. The real job is to save the business and have a small team to handle the crisis; fixing the crisis is no good if there is no company left afterwards. The CEO need not be involved. A lean team of the in-house counsel, outside counsel and COO could be sufficient,” said the PR professionals.

Cogman agreed that “a small enough group to avoid getting bogged down makes sense and given that this is an existential crisis for the company, the heads of IT, PR and legal should be involved.”

Mattout thought it was difficult not to include the CEO, but agreed it was not very practical, and suggested that the heads of IT and PR should be involved.

Cogman and Wombolt agreed that the CEO and CFO should be excluded, but Wombolt flagged up the practical problem of what to do “if the CEO refuses to step aside, wants to be involved, and even threatens to make a statement to the media?”

Balber recommended establishing a special committee of the board, to take the responsibility away from management, as prescribed in a US corporate governance code.

3. Who should oversee the company’s response to the crisis: the founder, the CEO and majority shareholder; the entire board; in-house and external counsel; an audit committee of the board or other committee of outside directors; or the head of public relations?

Mattout pointed out that “the audit committee option is part of existing US guidance (that does not exist in other countries). The in-house counsel could be a valid option in France, though it is a difficult call.”

O’Donnell emphasized that “anyone with a potential interest in the outcomes should be excluded, to deal with the conflict. If facts emerge showing that the CEO was involved, the DOJ would be very aggressive in second guessing. So, it is a safer course to have board members (though it does not have to be the audit committee specifically).”

Balber agreed that a different board committee could be used.

Spiro was “very surprised that there is any discussion of the CEO being involved. He is tainted by having covered-up facts and fired the engineer in breach of US whistleblower protections.” For Spiro, the committee should be comprised of disinterested parties.

One of the PR professionals suggested they would “do their best to convince the CEO that he needs to take a step back. He may have an emotional response to defending his ‘baby.’” The other PR professional added if the CEO normally speaks to the media daily, and abruptly stops doing so, that could be viewed as an “eloquent silence.”

Wombolt argued that a delicate balancing act needs to be traversed: “It is important to indicate that the CEO is in control of the company, while limiting any exposure to adverse outcomes.”

Balber thought that a senior IT person, such as the Chief Information Security Officer, should be involved – and that this IT person should be independent of the Chief Compliance Officer.

Cogman agreed that “in principle it should be someone who is knowledgeable and conversant with the IT systems, but independent.”

The selection of law firm representation is also important, and multiple firms may be involved. Wombolt pointed out that the in-house counsel’s usual or preferred external law firm might not be involved.

O’Donnell underscored that “the DOJ will expect that the law firm conducting an internal investigation does not have a long-standing relationship with the company.” A further distinction identified was that both the audit committee and management team should have access to different sets of outside counsel, partly to avoid perceived conflicts.

Balber summarized: “The core team will depend on the nature of the organization and crisis. It could include a CEO or senior manager, senior legal adviser and senior communications advisor. It might also include heads of human resources, operations or finance, depending on the nature of the crisis.” General guidance for building such a team, is that “their skills and personal attributes should be complementary; they should know each other and receive training; act as an internal intelligence center; and be excluded if they are perceived to lack independence,” he elaborated. Balber distinguished between the operational and communications aspects of a crisis plan, and explained the need for extensive and regular, time-stamped documentation and records including objectives, defined responsibilities, plans, updates, contact details, protocols for approving communication, budgets and so on.

4. Which stakeholders’ interests must be considered when crafting public statements: the hackers; members of the public with accounts that may be vulnerable; the counter-party to the transaction; worldwide criminal and civil regulatory authorities; or all of these?

The PR professionals took the view that no one person can speak to all of these audiences. Balber agreed that “it is hazardous to create a communications strategy to address all disparate interests.”

Wombolt thought that regulators in Hong Kong and China would expect to be alerted to a crisis and be kept informed.

Cogman cautioned against presumptuously issuing public communications describing interactions with regulators before consulting the regulators. In a recent UK bribery case, a publicly listed firm put out a statement containing typical, bland “boilerplate” language saying that they were fully cooperating with the SFO. The next day, the company was forced to issue another statement revealing that the SFO did not believe the company was fully cooperating (though the company did believe that they were).

Facts always change
The status of cooperation with the SFO might of course have changed in the interim, and that is not unusual. The PR professionals pointed out that the facts always change, yet there is zero tolerance for error, so statements must be thoughtfully qualified and caveated. They caution that facts are likely to leak out to the media and investigative journalists are tenacious in ferreting out any scrap of news.

“We will talk to anyone who will talk. All of the PR people. All employees. Every document of public record. We will try to find out what is being said on internal message boards. We will do all of this even with official silence,” said the investigative journalist.

Be proactive or be boring?
A traditional PR approach characterized as swiftly revealing all was contrasted with a traditional legal approach of total reticence. Yet the panellists present at the event adopted the opposite of the traditional approach.

Balber emphasized that “lawyers need to message affirmatively to the press,” and Spiro was also “a great believer in a proactive response and getting the message out on social media in advance to maximize your ability to control the situation. The regulator will assume that customers have been immediately told to change their passwords and so on.”

“Companies need to limit the scope for misinformation and rumor by establishing the company as a credible source and providing information early and often – even if they only confirm that there is no new information,” said Balber. “‘No comment’ is off-limits,” he added.

The PR professionals’ view in this instance was wholly different. “It is very counterintuitive, but public silence is better. One-on-one communication with customers is needed. The real goal is to be boring, and this involves a lot of work behind the scenes. If you jump into social media, your voice is equal to that of people all around the world who do not know the facts. There are real world examples of companies who wanted to convey a message that had the opposite effect. Therefore, individual email communication is preferable to social media,” they advised.

Cogman pointed out that overseas regulators might also need to be informed: “For instance, in the UK there is a regulatory obligation, under the principles of business, which explicitly requires you to inform the FCA and PRA of problems with overseas offices.”

Wombolt observed that remedial work might be required as “outside counsel are often brought in long after communications are scrambled. Somebody in the US may have done something without thinking about the US rules. Often, part of managing the crisis includes having to undo things or talk to regulators in different jurisdictions.”

5. Who should take the lead in communicating with the media: the CEO, outside counsel, in-house counsel, whoever has the best relationship with the reporter, or none of these? Should the communications be on or off the record?

The investigative journalist said she “would like to hear from the CEO, or somebody with a strong grasp of the facts, who can answer substantive factual questions, even if answers about the facts are changing. The contact person should be empowered to deal with reporters, without having to go back and get permission for every call. A junior person sends out a message that the company is not taking it seriously or cannot say anything. You should never select a junior person. Outside counsel is better for a first hit and can be very helpful. Somebody who is less emotionally invested has a better ability to handle a tough story without getting emotionally involved or trying to ‘kill’ the story.”

The PR professionals maintain that much communication needs to be off the record: “Some issues are so complicated that outside counsel needs to communicate them so that reporters understand the nuances and potential next steps. Internal and external PRs may also need to handle calls off the record.”

Off the record briefings can create their own conundrums, as “the definition of ‘background’ and ‘off the record’ means different things to different people,” pointed out the investigative journalist. If an off the record briefing differs from other sources, the journalist would go back and double-check facts to work out why they might not be correct. She would also alert the contact person to the discrepancies and might explain why she believed an alternative storyline was more credible.

6. At the start of the crisis, should the in-house counsel alert the CFO/CEO that there will be an investigation and invite them to retain a lawyer? Or would this risk being seen as “tipping” in the US, known as “tipping off” in the UK, and run the risk of him seeking to delete evidence?

Wombolt said that the CEO might get their own lawyer, and Balber said that both the CFO and the CEO could be asked to get their own counsel. Wombolt has found that larger US companies would usually offer to pay for a lawyer, though smaller organizations or non-US companies would not do so.

Balber cautioned that providing the CEO or CFO with lawyers could make them reticent whereas counsel for the company “wants staff to be forthcoming and give the whole story.” He added that “some companies have a written policy of penalties up to, and including, termination for non-cooperation.”

In a French context, Mattout said “the CEO and CFO have the right to a lawyer and should be informed of this right.”

Fact-finding and documentation
Whether, and which, staff get their own lawyer may also impact strategy for fact-finding and documentation. “This could include suspending the deletion or augmentation of documents; seizing computers, hard drives, phones and documents; preserving documents; and limiting the creation of new documents,” said Balber.

Document and data preservation policies are contentious, however. Wombolt has found that “document retention memorandums can be interpreted as the opposite – and treated as a signal to start shredding documents!” Mattout was also concerned that informing staff of preservation rules alerts them to the existence of an inquiry.

7. Six months have passed and US and UK regulators are conducting parallel investigations and know that the in-house counsel had a conversation with the CFO and now want to interview her. What information can the in-house counsel withhold on the grounds that it is privileged? Should lawyers seek a full, limited or no waiver?

The concept of attorney/client privilege usually requires litigation to be in prospect and varies by jurisdiction. Whether, and which type of privilege applies, partly hinges on the definition of a “client.” O’Donnell argued that “the CEO was not a client, but a senior officer of a client, and therefore attorney/client privilege does not apply, even though litigation is in prospect.” Others suggested that the CEO ceased to be a client when his behavior, at variance with the client’s best interests, became apparent.

To maximize potential for availing of any privilege, many steps should be taken, including in terms of who carries out interviews; how reports are drafted and labelled; and to whom they are circulated. “Lawyers should conduct investigations and interviews; reports and findings should interweave legal analysis and fact; communications should be labelled privileged and confidential; advice should be split between business and legal; and circulation of legal advice and documents should be restricted,” says Balber.

But lawyers may not always choose to exercise this option. In some jurisdictions, there may be a tactical case for sharing more information with the DOJ in order to obtain “cooperation credit” as any eventual sanctions or penalties may be more lenient under the US system of “plea bargaining.”

It might become more difficult to avail of privilege in the UK. Spiro explained how “a recent UK ruling on ENRC determined that information was not privileged for various reasons, including that the court was not satisfied that a sufficient nexus existed to contemplate litigation.” This judgement is being appealed at the UK Supreme Court. If the ruling is fully upheld, it would markedly narrow the scope of how privilege is defined in the UK which has repercussions for cases in multiple other countries, as English law governs many commercial contracts and English courts are often specified as the venues for dispute resolution and litigation.

A further possibility is “the nuanced concept of a limited waiver, which the SFO is usually prepared to accept,” said Cogman.

In France, “any waiver applies only to external counsel and not in-house lawyers. France has no concept of cooperation credit,” said Mattout.

Wombolt pointed out that in Asia the concept of privilege only applies in two common law jurisdictions – Hong Kong and Singapore – which would respect privilege (and would not grant cooperation credit). Overall, the inconsistent treatment of privilege means that some information disclosed to prosecutors in some jurisdictions could be withheld in other jurisdictions.

The resolution
Eighteen months have passed since the hypothetical crisis first came to light. The events that transpired next included:

• The financial services company has been sued by hundreds of thousands of account holders.
• The CEO and CFO both have been fired.
• The DOJ, SEC and SFO have informed the financial services company they intend to bring charges based upon the bribery scheme and they will also charge the former CFO.
• Regulatory investigations of the hack are ongoing around the world.
• The company has decided to negotiate a settlement with the regulators when another potential crisis erupts: A reporter tells the in-house counsel that the CEO owns property in the Latin American country associated with the CFO bribe. The property is close to that of the Minister of Finance, with whom the CEO has been photographed socializing. The reporter wants to run the story tomorrow.
• Neither the in-house counsel, nor anyone else at the company, was aware of the extent of the CEO’s relationship with the Minister of Finance.

8. How should the company respond to the reporter: tell the reporter that the company does not comment on the CEO’s vacation habits; say they had no idea about this but thank the reporter for the information; threaten the reporter with a defamation lawsuit if the article runs; or promise to look into it and revert promptly?

The investigative journalist would “expect the company to respond as promptly as possible but might give them a day to do so if they had a track record of being responsive. If the company had a previous history of not reverting, we might go ahead and publish anyway, and write that the company had no comment. A defamation threat would need to be reported to the newspaper’s lawyers but would not stop the story from being published. Substantive evidence that the story was wrong, such as evidence that the CEO did not in fact own the property, is the only thing that would prevent the article from being published. The story is clearly important and in the public interest.”

The PR professionals were suspicious about the origin of the story as it is from a source and not an investigative team. Nonetheless, the PRs are well aware of the competitive pressures in the

media, and that the story might have been sent to other publications. Relationships between PRs and journalists need to be based on mutual trust and respect, so the PRs would not risk destroying relationships by putting out a press release pre-empting the article.

9. A meeting with the DOJ is scheduled for tomorrow. Should the company: cancel the meeting; attend and tell the DOJ that the latest CEO allegations are under review; ask the CEO to attend so that he can provide information about his dealings with the Minister of Finance; or go and hope that the DOJ does not ask about the article?

Balber said he “would cancel the meeting for sure, as I don’t know what I don’t know. I don’t know the source and I don’t know what the DOJ knows. So, I don’t want to be asked questions about things I am absolutely ignorant about.”

Wombolt would “attend the meeting, tell the regulator the company knew about the issue, remind them that the CEO is no longer with the firm, and stress the importance of not punishing shareholders.”

Cogman would “have the meeting and plan for it the night before, form a strategy and capture any relevant documents through a very thorough forensic review.”

Spiro added that “in a UK context, it depends on your relationship with the SFO. If there is a good relationship, based on credibility, honesty and transparency, it will survive.”

O’Donnell agreed and said “if there is no evidence that the company acted in bad faith,” he would take the meeting, but he would disclose at the outset and tell the DOJ that the matter would be investigated promptly and thoroughly.