Can You? Should You? Must You?

As general counsel of a small public company, you discover that, for 2 years, a department head approved sending false invoices to customers, resulting in profits of at least $2 million. Although it stopped a year ago and is well concealed, the practice was intentional, and a half-dozen current employees were involved. You fear that the false invoices constitute at least mail and wire fraud. Moreover, if the victims find out, they might sue. What do you do?

Getting a Handle on the Problem

After discovering illegal conduct by company employees, in-house counsel must ensure that the conduct has stopped, and that he or she understands its nature and scope. An adequate internal investigation is required.

The traditional rule is that a corporation or its lawyer has no self-reporting obligation. Although entities may have an obligation to undo certain crimes, merely knowing about a completed crime is not an offense absent an affirmative act to further or conceal the crime, which could constitute aiding and abetting, accessory after the fact, misprision of a felony or conspiracy (18 U.S.C. '' 2-4, 371).

Some specific statutes, however, make failure to report such conduct a violation itself. 42 U.S.C. ' 7414(a)(1) (A) – (G) (toxic emissions); 42 U.S.C. ' 1320a-7b (a)(3)(B) (Medicare overpayments); 41 U.S.C. ' 57(c) (kickbacks on government contracts); 12 CFR ' 21 (suspected bank crimes). Failure to make a mandatory disclosure to the government might, under some circumstances, amount to criminal concealment (see 18 U.S.C. ' 1001) or obstruction of justice (see 18 U.S.C. ' 1505 et seq.). The false invoices in our hypothetical case are not covered by any specialized statute.

Does counsel's discovery trigger a reporting obligation under the securities laws? For public companies, ' 307 of the Sarbanes Oxley Act of 2002 (the Act) requires up-the-ladder internal reporting “of a material violation of securities law or breach of fiduciary duty or similar violation by the company or any agent thereof … ” A violation is material if there is a substantial likelihood that the conduct would be viewed by a reasonable investor as significantly altering the “ total mix” of information. See Basic Inc. v. Levinson, 485 U.S. 224, 231-32 (1988).

As a matter of practice but not law, lawyers and regulators used to rely on quantitative benchmarks to assess materiality, eg, whether results were misstated by more than 5%. In 1999, however, the SEC staff made clear that evidence of corrupt management may be material even if the amount at issue is relatively small. See SEC Staff Accounting Bulletin (SAB) No. 99. Although a corporation and its officers and directors may not face criminal liability for failing to disclose uncharged criminal conduct, see United States v. Matthews et al., 787 F.2d 38, 49 (2d Cir. 1986), the same omission may give rise to civil liability. See e.g., Craftmatic Sec. Litig. v. Kraftsow, 890 F.2d 628, 639-40 (3d Cir.1989).

Here, the deliberate nature of the misconduct, the involvement of numerous employees, including a department head, the possible criminal exposure, and the potential civil liability (securities, RICO, and other) all suggest materiality. The fact that the conduct is complete, relatively small, and limited to one kind of invoices suggests it is not material.

If counsel concludes that management and the Board have not responded adequately (ie, no remedial or preventative action), counsel faces a different dilemma. The SEC's initial proposed rule provided for mandatory “indirect” disclosure by requiring counsel to quit and tell the SEC they had done so — the infamous “noisy withdrawal.” The SEC's final up-the-ladder rules dropped the requirement. However, the rules still permit an attorney to disclose to the SEC without the client's prior consent in circumstances where a failure to report would result in perjury or fraud on the SEC, substantial injury to the issuer or investors, or to rectify a material violation by the issuer that caused, or may cause, substantial injury.

The American Bar Association's Model Rules of Professional Conduct (MRPC) now clarify when a company lawyer may disclose confidences. Rule 1.13 provides that if the lawyer knows of conduct “related to the representation that is a violation of a legal obligation … that reasonably might be imputed to the organization, and that is likely to result in substantial injury to the organization, then the lawyer shall proceed as is reasonably necessary in the best interest of the organization.” (Emphasis added.) This includes revealing client information, but only “to the extent the lawyer reasonably believes necessary to prevent substantial injury to the organization.”

When the Company Ignores Your Advice

What should the general counsel do if the company ignores his or her advice and knowingly persists in collecting on outstanding fraudulent invoices? She may be required to withdraw from the representation. There are “situations where the lawyer must conclude that the misconduct is so extreme or irretrievable, or that the involvement of his client's management and board of directors is so thorough-going and pervasive that any action short of resignation would be futile.” In the Matter of William R. Carter and Charles J. Johnson, Jr., 1981 Fed. Sec. L. Rep. (CCH) ' 82, 847 (1981). A lawyer may withdraw from representation if “the client persists in a course of action involving the lawyer's services that the lawyer reasonably believes is criminal or fraudulent.” MRPC 1.16. The general counsel cannot, of course, counsel or assist the client in conduct which he or she knows is criminal or fraudulent without risking sanction or civil or criminal liability herself. See MRPC 1.2(d).

What the States Say

Jurisdictions around the country are wrestling with this issue. Four states – Florida, New Jersey, Virginia and Wisconsin — require disclosure to prevent a future crime or fraud (including a financial fraud). For lawyers in these jurisdictions, disclosure could be required if the company tries to collect on outstanding invoices. Nine states — Connecticut, Massachusetts, Michigan, Minnesota, Nevada, North Dakota, Pennsylvania, Texas and Utah — permit disclosure under such circumstances. At least two of these states — Minnesota and Michigan – expressly permit lawyers for organizations to reveal potential crimes or frauds if reasonably necessary in the best interests of the organization.

Should counsel report misconduct to outside auditors? Auditors sometimes press for the results of an internal investigation even after the underlying conduct is completed and/or the existence of a government investigation has been disclosed. In the present climate, auditors are increasingly aggressive, citing their own noisy withdrawal rules under Section 10A of the Exchange Act and accounting and auditing standards such as FAS 5. Counsel is faced with a Hobson's choice: 1) either disclose the results of the internal investigation and risk waiver of the attorney client privilege and/or attorney work product doctrine; or 2) refuse the auditor's request and risk that they will resign from the account and/or issue a qualified audit opinion. Thus, if counsel is “on the fence” over whether to disclose, the auditor's stance may tip the balance.

Relations with the employee wrongdoers also may tip the balance in favor of disclosure. With six employees involved, at least one may become disgruntled, go to work for a defrauded customer, or otherwise be motivated to disclose the fraud. Any future dispute with these employees could evolve into a “whistleblower case” which, if accompanied by an allegation of retaliation, could trigger the penalties (civil and criminal) against retaliation in ' 806 of the Act. The chance that a customer also might eventually discover the fraud also may point in favor of disclosure.

Unfortunately, deciding whether you have an obligation to report is sometimes the easier question. It gets harder when the CEO you have warned of the false invoices asks whether to order a thorough internal audit and whether the company should make restitution to the defrauded customers or even “turn itself in” to authorities. These questions go to the heart of the “audit dilemma”: The audit may uncover additional misconduct and self-reporting will presumably result in full disclosure of as-yet-unknown problems.

The federal government traditionally encouraged voluntary self-reporting in discrete areas (antitrust, defense procurement, environmental, tax and Foreign Corrupt Practices Act matters) in exchange for leniency. In November 2002, however, the Department of Justice (DOJ) asked the U.S. Sentencing Commission for “stronger incentives” to self-reporting. Specifically, DOJ recommended “an additional two-level enhancement when a company does not self-report in a timely fashion following discovery of criminal behavior.” (Emphasis added) Likewise, Health and Human Services now insists that the model compliance program for a drug manufacturer include reporting misconduct to the appropriate federal and state authorities.

The Thompson Memorandum

Privilege waivers are also expected. The DOJ's Thompson Memorandum, issued in January 2003, states that a prosecutor may consider “the completeness of its disclosure including, if necessary, a waiver of the attorney-client and work product protections, both with respect to its internal investigation and with respect to communications between specific officers, directors and employees and counsel.” In its Report of Investigation in the Seaboard Matter, the SEC took a similar approach, stating that the Commission encourages waivers, but noting that it “does not view a company's waiver of a privilege as an end in itself, but only as a means (where necessary) to provide relevant and sometimes critical information to the Commission staff.” Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions, Release No. 34-44969, at 4 n3 (Oct. 23, 2001).

Conclusion

So where does this leave you as general counsel? Notwithstanding the audit dilemma, good corporate governance almost always will require an investigation of a long-term and potentially substantial fraud — indeed, as seen above, counsel could subject herself to accomplice liability or ethical sanctions if she were to do otherwise. Practical considerations will generally guide counsel to disclose to regulators if it is in the best interests of the corporation. Even where not required, voluntary disclosure may be appropriate where the benefits of leniency from regulators outweigh the risks of sanction for conduct that would otherwise have gone undetected.

As general counsel of a small public company, you discover that, for 2 years, a department head approved sending false invoices to customers, resulting in profits of at least $2 million. Although it stopped a year ago and is well concealed, the practice was intentional, and a half-dozen current employees were involved. You fear that the false invoices constitute at least mail and wire fraud. Moreover, if the victims find out, they might sue. What do you do?

Getting a Handle on the Problem

After discovering illegal conduct by company employees, in-house counsel must ensure that the conduct has stopped, and that he or she understands its nature and scope. An adequate internal investigation is required.

The traditional rule is that a corporation or its lawyer has no self-reporting obligation. Although entities may have an obligation to undo certain crimes, merely knowing about a completed crime is not an offense absent an affirmative act to further or conceal the crime, which could constitute aiding and abetting, accessory after the fact, misprision of a felony or conspiracy (18 U.S.C. '' 2-4, 371).

Some specific statutes, however, make failure to report such conduct a violation itself. 42 U.S.C. ' 7414(a)(1) (A) – (G) (toxic emissions); 42 U.S.C. ' 1320a-7b (a)(3)(B) (Medicare overpayments); 41 U.S.C. ' 57(c) (kickbacks on government contracts); 12 CFR ' 21 (suspected bank crimes). Failure to make a mandatory disclosure to the government might, under some circumstances, amount to criminal concealment (see 18 U.S.C. ' 1001) or obstruction of justice (see 18 U.S.C. ' 1505 et seq.). The false invoices in our hypothetical case are not covered by any specialized statute.

Does counsel's discovery trigger a reporting obligation under the securities laws? For public companies, ' 307 of the Sarbanes Oxley Act of 2002 (the Act) requires up-the-ladder internal reporting “of a material violation of securities law or breach of fiduciary duty or similar violation by the company or any agent thereof … ” A violation is material if there is a substantial likelihood that the conduct would be viewed by a reasonable investor as significantly altering the “ total mix” of information. See Basic Inc. v. Levinson , 485 U.S. 224, 231-32 (1988).

As a matter of practice but not law, lawyers and regulators used to rely on quantitative benchmarks to assess materiality, eg, whether results were misstated by more than 5%. In 1999, however, the SEC staff made clear that evidence of corrupt management may be material even if the amount at issue is relatively small. See SEC Staff Accounting Bulletin (SAB) No. 99. Although a corporation and its officers and directors may not face criminal liability for failing to disclose uncharged criminal conduct, see United States v. Matthews et al., 787 F.2d 38, 49 (2d Cir. 1986), the same omission may give rise to civil liability. See e.g., Craftmatic Sec. Litig. v. Kraftsow , 890 F.2d 628, 639-40 (3d Cir.1989).

Here, the deliberate nature of the misconduct, the involvement of numerous employees, including a department head, the possible criminal exposure, and the potential civil liability (securities, RICO, and other) all suggest materiality. The fact that the conduct is complete, relatively small, and limited to one kind of invoices suggests it is not material.

If counsel concludes that management and the Board have not responded adequately (ie, no remedial or preventative action), counsel faces a different dilemma. The SEC's initial proposed rule provided for mandatory “indirect” disclosure by requiring counsel to quit and tell the SEC they had done so — the infamous “noisy withdrawal.” The SEC's final up-the-ladder rules dropped the requirement. However, the rules still permit an attorney to disclose to the SEC without the client's prior consent in circumstances where a failure to report would result in perjury or fraud on the SEC, substantial injury to the issuer or investors, or to rectify a material violation by the issuer that caused, or may cause, substantial injury.

The American Bar Association's Model Rules of Professional Conduct (MRPC) now clarify when a company lawyer may disclose confidences. Rule 1.13 provides that if the lawyer knows of conduct “related to the representation that is a violation of a legal obligation … that reasonably might be imputed to the organization, and that is likely to result in substantial injury to the organization, then the lawyer shall proceed as is reasonably necessary in the best interest of the organization.” (Emphasis added.) This includes revealing client information, but only “to the extent the lawyer reasonably believes necessary to prevent substantial injury to the organization.”

When the Company Ignores Your Advice

What should the general counsel do if the company ignores his or her advice and knowingly persists in collecting on outstanding fraudulent invoices? She may be required to withdraw from the representation. There are “situations where the lawyer must conclude that the misconduct is so extreme or irretrievable, or that the involvement of his client's management and board of directors is so thorough-going and pervasive that any action short of resignation would be futile.” In the Matter of William R. Carter and Charles J. Johnson, Jr., 1981 Fed. Sec. L. Rep. (CCH) ' 82, 847 (1981). A lawyer may withdraw from representation if “the client persists in a course of action involving the lawyer's services that the lawyer reasonably believes is criminal or fraudulent.” MRPC 1.16. The general counsel cannot, of course, counsel or assist the client in conduct which he or she knows is criminal or fraudulent without risking sanction or civil or criminal liability herself. See MRPC 1.2(d).

What the States Say

Jurisdictions around the country are wrestling with this issue. Four states – Florida, New Jersey, Virginia and Wisconsin — require disclosure to prevent a future crime or fraud (including a financial fraud). For lawyers in these jurisdictions, disclosure could be required if the company tries to collect on outstanding invoices. Nine states — Connecticut, Massachusetts, Michigan, Minnesota, Nevada, North Dakota, Pennsylvania, Texas and Utah — permit disclosure under such circumstances. At least two of these states — Minnesota and Michigan – expressly permit lawyers for organizations to reveal potential crimes or frauds if reasonably necessary in the best interests of the organization.

Should counsel report misconduct to outside auditors? Auditors sometimes press for the results of an internal investigation even after the underlying conduct is completed and/or the existence of a government investigation has been disclosed. In the present climate, auditors are increasingly aggressive, citing their own noisy withdrawal rules under Section 10A of the Exchange Act and accounting and auditing standards such as FAS 5. Counsel is faced with a Hobson's choice: 1) either disclose the results of the internal investigation and risk waiver of the attorney client privilege and/or attorney work product doctrine; or 2) refuse the auditor's request and risk that they will resign from the account and/or issue a qualified audit opinion. Thus, if counsel is “on the fence” over whether to disclose, the auditor's stance may tip the balance.

Relations with the employee wrongdoers also may tip the balance in favor of disclosure. With six employees involved, at least one may become disgruntled, go to work for a defrauded customer, or otherwise be motivated to disclose the fraud. Any future dispute with these employees could evolve into a “whistleblower case” which, if accompanied by an allegation of retaliation, could trigger the penalties (civil and criminal) against retaliation in ' 806 of the Act. The chance that a customer also might eventually discover the fraud also may point in favor of disclosure.

Unfortunately, deciding whether you have an obligation to report is sometimes the easier question. It gets harder when the CEO you have warned of the false invoices asks whether to order a thorough internal audit and whether the company should make restitution to the defrauded customers or even “turn itself in” to authorities. These questions go to the heart of the “audit dilemma”: The audit may uncover additional misconduct and self-reporting will presumably result in full disclosure of as-yet-unknown problems.

The federal government traditionally encouraged voluntary self-reporting in discrete areas (antitrust, defense procurement, environmental, tax and Foreign Corrupt Practices Act matters) in exchange for leniency. In November 2002, however, the Department of Justice (DOJ) asked the U.S. Sentencing Commission for “stronger incentives” to self-reporting. Specifically, DOJ recommended “an additional two-level enhancement when a company does not self-report in a timely fashion following discovery of criminal behavior.” (Emphasis added) Likewise, Health and Human Services now insists that the model compliance program for a drug manufacturer include reporting misconduct to the appropriate federal and state authorities.

The Thompson Memorandum

Privilege waivers are also expected. The DOJ's Thompson Memorandum, issued in January 2003, states that a prosecutor may consider “the completeness of its disclosure including, if necessary, a waiver of the attorney-client and work product protections, both with respect to its internal investigation and with respect to communications between specific officers, directors and employees and counsel.” In its Report of Investigation in the Seaboard Matter, the SEC took a similar approach, stating that the Commission encourages waivers, but noting that it “does not view a company's waiver of a privilege as an end in itself, but only as a means (where necessary) to provide relevant and sometimes critical information to the Commission staff.” Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions, Release No. 34-44969, at 4 n3 (Oct. 23, 2001).

Conclusion

So where does this leave you as general counsel? Notwithstanding the audit dilemma, good corporate governance almost always will require an investigation of a long-term and potentially substantial fraud — indeed, as seen above, counsel could subject herself to accomplice liability or ethical sanctions if she were to do otherwise. Practical considerations will generally guide counsel to disclose to regulators if it is in the best interests of the corporation. Even where not required, voluntary disclosure may be appropriate where the benefits of leniency from regulators outweigh the risks of sanction for conduct that would otherwise have gone undetected.