Under the act, any organization doing business in the UK or with ties to the UK may be prosecuted and face unlimited fines and the risk of a prison sentence for the individuals involved. Considering the unusually broad scope of the act, and the boundless penalties it could inflict, corporate fears are well justified. Yet, despite dire predictions, enforcement actions have been slow to materialize.
In fact, the first year under the Bribery Act was eerily quiet. Only one individual—a British court official—has faced charges to date. The slow start should not, however, give companies a false sense of security. Complex corruption investigations take years to complete and the law is not retrospective, so experts don’t expect the first corporate Bribery Act prosecutions to mature until late 2012 or 2013 at the earliest.
Recent reports demonstrate that investigators are hard at work. This spring the UK Serious Fraud Office (SFO), the agency tasked with enforcing the act, indicated it is in the process of reviewing four self-referral cases, and noted it has entered the pre-investigation stage on 11 more. More announcements are expected within the next three-to-six months.
For CIOs and IT managers at any organization with potential Bribery Act exposure, the slow ramp-up to vigorous enforcement provides a window of opportunity to develop systems and procedures for internal investigations. Unprepared companies are at a considerable disadvantage if corruption allegations emerge, and are at risk of losing information critical to the company’s defense and cooperation with SFO investigators.
Managing the process
Untangling the complex financial dealings associated with a bribery case requires companies to collect, review and produce a wide range of electronic records quickly and thoroughly. Naturally, the organization’s e-discovery capabilities play a critical role. Technology managers should start by taking a fresh look at the company’s e-discovery playbook to ensure the proper personnel and procedures are in place for Bribery Act investigations.
The individual who is responsible for the e-discovery process will be determined by the company’s size and risk exposure. A large company with far-flung international business operations is at greater risk, but is also more likely to have internal resources to manage e-discovery. For smaller or low-risk businesses, an external vendor relationship may be more appropriate.
As many Bribery Act investigations may have international ramifications, it is important that companies are aware of the data privacy regimes in the countries in which they do business. Data privacy restrictions may impact whether data can be transferred outside of the country that it is currently resident in, the countries that it can be transferred to and the legal agreements that may need to be put in place for the transfer to be performed.
Either way, companies should ensure that internal or external expertise is in place and at the ready. No one wants to negotiate an e-discovery contract with an outside vendor after the SFO comes calling.
Where to look
Once the potential data custodians are identified and the scope of the information required is established, companies must determine exactly where the information resides in the corporate IT estate, implement the preservation process and suspend any automated data destruction and media reuse schedules.
The process may involve placing a hold on specific user accounts within the corporate email, accounting, or human resources systems. More importantly, the data on a variety of individual devices may need to be preserved too, including employee laptops, PDAs and smart phones. Depending on the scope of the preservation requirements, companies will probably need to suspend the rotation of back-up tapes as well.
At this juncture, timing is crucial because once an employee discovers he or she is involved in an investigation they may run wiping software on their laptop or other devices to cover their electronic tracks.
This frequently happens and not necessarily because the employee has committed a crime. They may be trying to cover up an affair, an outside job application, or records of unauthorized or inappropriate web traffic. And while investigators may be able to leverage forensic technology to recapture some of the lost data, it’s often impossible to determine what the employee deleted.
Companies must be especially vigilant once the data collection process is under way. Preserving data and documents on a corporate file server or email server may be a comparatively simple process for suitably trained individuals, but individual employee laptops, PDAs and other devices often require forensic imaging on the ground at the employee’s location.
A mirror image
Virtually every conceivable business communication or transaction is created and stored electronically and, as a result, computer forensics has become an integral part of any corporate investigation. Taking what amounts to a snapshot of the data is often the only feasible way to ensure the information is produced in its original state.
But beware: unless the imaging process is conducted by a trained expert, there’s a chance key information may be inadvertently and permanently altered—rendering critical documents worthless in the courtroom.
Companies should also establish a detailed chain of custody log that tracks where every document came from, when and how it was collected, and the people who had access to it. A company must be able to clearly demonstrate how each document moved from preservation to production to the regulator—without changing.
Finally, remember that similar steps must be taken for paper documents, which often contain key pieces of evidence. A supply company invoice with vague or generic references to “consulting services” or ad hoc cash payments may speak volumes in a bribery investigation. Since paper documents are typically kept on file for five or six years, be sure those preservation/destruction policies are suspended as well.
If and when a bribery investigation hits, it will be fast-moving, especially at the initial stage. Companies need to identify, preserve and protect key electronic evidence throughout the company and do it at breakneck speed.
Reviewing the company’s bribery risk profile and internal investigation plans ahead of time ensures the proper e-discovery systems, procedures and personnel are in place if corruption allegations emerge. A well-executed e-discovery program saves valuable time, minimizes disruptions to the company’s day to day business activities, and possibly reduces any ultimate penalties.