-->


 

ACC South Carolina held its 2017 Midyear Meeting in Greenville on June 9. The all-day event served as an essential crash course in the latest in-house practices, and provided unique insights into a wide-variety of subjects pertinent to the legal profession. Highlights from the event included opening remarks from South Carolina Supreme Court Justice John Kittredge, followed by presentations entitled "A Former Insider's View: An Unseen Antitrust Risk and True Partnership with Outside Counsel," "What to Expect in Business Immigration Law," "Challenging Issues in M&A Transactions," "The Ethics of Witness Preparation," and "Recent Developments in Officer and Director Liability."

Special thank you to our 2017 Midyear Sponsors: Bowman & Brooke, LLP; Haynsworth Sinkler Boyd, P.A.; K&L Gates LLP; and Parker Poe Adams & Bernstein LLP!

 

     

Managing Global Corruption Risk in an Era When Everyone Has (or Should Have) a Compliance Program
William D. Semins and Meredith D. Bateman, K&L Gates LLP

I.       By Any Other Name, It’s Still a Bribe

In India, it’s “chai”; in French-speaking countries, it can be a “sip of wine”; in Mexico, it’s a “mordida,” or a “little bite”—the euphemisms for bribery can be as varied as the mechanisms for accomplishing it.  But even as the lists of keyword searches to be run across databases in cross-border corruption investigations grow longer, the conduct seems to be fairly well understood, even in its less obvious guises. 

After more than a decade of robust enforcement of the Foreign Corrupt Practices Act (“FCPA”) by the U.S. Department of Justice (“DOJ”) and the Securities and Exchange Commission (“SEC”), most companies with global sales and operations have implemented anti-corruption compliance policies, if not programs with trainings and procedures.  Many companies are even conducting reasonable risk-based due diligence in connection with third-party relationships and higher-risk transactions.  These programs have been effective at identifying risk to the extent that employees are better able than ever to recognize the many faces of corruption (i.e., to spot the “red flags”).  For example, employees at the frontlines of sales or operations in high-risk countries now know (or should know) from compliance trainings that a bribe can be “anything of value.”  They also know that both companies and individuals can face FCPA exposure for the corrupt payments of third-party intermediaries.  Many even understand that the “knowledge” element of a violation extends beyond actual knowledge to include an awareness of circumstances suggesting a probability of bribery, such that employees might run afoul of the FCPA if they turn a blind eye to risk or fail to recognize and mitigate identifiable red flags.

Employees generally seem to understand that a “bribe” is not simply characterized by the cartoonish suitcase of cash carried from one sinister bagman to another in some far-flung market.  Rather, bribery can manifest in discounts or rebates, market development funds for local resellers or distributors, referral fees or other percentage-based compensation to intermediaries of all stripes, political contributions, charitable donations, gifts, travel, entertainment expenses, hiring practices (paid or unpaid), or even baked into vendor invoices that mingle legitimate services with those that are not. 

Many of these activities are part of daily operational decision-making by senior staff managing overseas subsidiaries.  The challenge still facing compliance officers at the parent or group level, however, is to bridge the gap between sophisticated policies and trainings rolled out by headquarters and local management to ensure consistent understanding, application, and communication, and support – i.e., moving from remote risk detection to effective risk prevention.  Recent enforcement actions appear to highlight circumstances in which the compliance function had identified at the group level certain risks associated with such daily operational issues as setting of distributor discounts, engaging third parties, charitable contributions, and hiring practices, and yet an effective response at the local level appears to have been lacking.

II.       Risk Detection Is Not Enough

           a.   Too Late To Say “I Told You So”:  Acting On Due Diligence Results

It is nothing new to see a corruption fact pattern in which deep discounts and rebates allegedly provide a means to create slush funds for distributors to pay bribes from their inflated profit margins.  As alleged in an enforcement action settled in 2016, however, Teva Pharmaceuticals Industries Ltd. (“Teva”) and its Russian subsidiary effectively cut out the middleman by engaging a distributor that was controlled by an influential foreign official in Russia.[1]  This scenario was part of the FCPA-related claims against Teva, the world’s largest manufacturer of generic pharmaceutical drugs, which led to a $519 million settlement with the DOJ and the SEC.  This was the fourth-largest combined FCPA settlement of all time. 

Unfortunately, it does not appear that Teva was blindsided by the risks of this relationship.  According to the pleadings in this enforcement action, e-mails sent by an executive in Teva’s Russian subsidiary explain that a particular Russian official’s “influence in the industry” could benefit Teva by attaining “more speedy and straightforward registration of products”[2] and the official could “influence the Russian government to purchase” Teva’s products.[3]  Teva also allegedly knew that the official owned a drug distribution company and that he transferred the ownership interest to his wife when he became a government official while he continued to participate “in the ownership structure[.]”[4]  Beyond the distributor’s connection to government officials, Teva was allegedly aware that the distributor’s president had been investigated for corruption in Russia—an obvious red flag—but still chose to enter an “exclusive repackaging and distribution agreement” with the distributor to win large public sector tenders.[5]

After establishing the relationship, Teva allegedly provided deep discounts to the distributor, creating a profit margin of approximately $65 million and enabling the foreign official, the de facto owner, to benefit directly.[6]  This case presents more than just a warning about testing and justifying the commercial reasonableness and necessity of deep discounts in high-risk markets or transactions; rather it underscores certain failures in the due diligence process to the extent red flags were identified and ignored and certain information known to employees of the Russian subsidiary was not shared with or discovered by the compliance function.

           b.   When Charity Isn’t Exactly “Charitable”

Another way of channeling bribes that has been highlighted to some degree in recent enforcement actions is through unvetted charitable contributions, which may directly or indirectly provide an improper or corrupt benefit to a foreign official.  DOJ and SEC have specifically recognized this potential vehicle for corruption in their collective Resource Guide to the FCPA and have consistently penalized companies that use “charitable contributions as a way to funnel bribes to government officials.”[7] 

As a threshold matter, pay-to-play scenarios are always dangerous and should be entered into reluctantly, rarely, and only after significant, well-documented due diligence has been performed.  Real risk is associated with potential abuses of corporate social responsibility dollars, particularly where the quid pro quo for individual decision-makers may be difficult to diagnose.  Many multinational companies have responded by implementing compliance programs that provide specific guidelines for how and when charitable contributions may be made, including tiered approvals for such contributions based on known indicators of risk.  Some companies have even embraced the “best practices” approach of referring proposals to make large charitable contributions in high-risk countries to outside counsel for review.  Such diligence typically involves a review of the origin and purpose of the charitable contribution (i.e., whose idea was it and why?), whether the recipient is a bona fide charitable organization, whether or to what extent the charitable organization is connected to a government, whether or to what extent a government official will benefit in any way, directly or indirectly, from a proposed charitable contribution (including, in particular, any impact on relevant constituencies). Some companies also require recipients of large charitable contributions to submit proposals and outlines, explaining exactly how they intend to use the funds, as well as reporting requirements as the funds are used.  Charitable contribution agreements can also be structured to protect against corruption through staged payments, audit rights, clawback provisions, and—at the most basic level—robust anti-corruption compliance representations and warranties.

This level of prophylactic engagement should not only enable a company to better manage the potential corruption risk associated with certain charitable contributions in high-risk countries, but also should reduce the risk of a compounding claim that the company failed to implement adequate internal controls if a violation associated with a charitable contribution is later discovered notwithstanding these efforts. 

Most importantly, if the diligence process indicates a heightened level of risk, a company should be prepared to respond effectively and proactively with enhanced monitoring and controls, up to and including refusal to make the contribution.

           c.   Employment Is a Thing of Value

A raft of recent enforcement actions has focused on the improper use of hiring practices as a potentially corrupt means of currying favor with foreign officials that hold some decision-making authority.  In particular, several companies have been penalized for hiring relatives of foreign officials, where the individuals may have been unqualified and their employment may have circumvented company hiring procedures.  In exchange for the hires, the companies allegedly received preferential treatment in the region and generated substantial revenue. 

The U.S. enforcement authorities consider offers of employment to be “things of value” under the FCPA.  While hiring relatives or friends of a government official is not in and of itself a violation, particularly where the candidate is qualified and the candidate was evaluated in a manner consistent with the company’s internal hiring procedures.  The inquiry regarding potential FCPA liability for such hires ultimately turns on the intent behind the hiring decision.  Making such an employment decision as a quid pro quo with a foreign official in exchange for a favorable business advantage on its face satisfies the elements of an FCPA violation. 

To address the red flags posed by such hiring practices, companies should work to improve any gaps between human resources (“HR”) and compliance -- e.g., by improving the internal communications and controls between these departments.  While most compliance and HR functions already work together to distribute policies and procedures, arrange for and document employee trainings, and liaise regarding whistleblower complaints and internal investigations, in a risk-based compliance program, HR policies, procedures, and decisions do not typically draw as much scrutiny from the compliance function as other areas, such as international sales and operations.  These recent cases, however, suggest that closer monitoring of HR practices may be advisable.

At a minimum, HR should establish a formal, centralized, written hiring process that is monitored for compliance.  The hiring process should track whether a foreign official or customer requested the individual be hired as well as the candidate’s merits and qualifications to perform the job, identifying and documenting particular skills that the individual has to offer the company.  The process should also require that all applicants and/or their sponsors within the company disclose any relationships they may have with foreign officials or customers, escalating any potential conflicts or red flags to the compliance function.  Identifying a red flag during the hiring process, however, is insufficient if compliance personnel are not notified or adequately empowered to address the identified risk in meaningful ways, up to and including rejecting the proposed employment. 

III.       Conclusion: Beyond Mere Risk Detection

In an era when most multinational companies have policies and procedures in place that identify risk, taking compliance programs to the next level is often primarily a function of corporate governance and commitment—ensuring that compliance officers are empowered (i.e., sufficiently independent and autonomous from management) to take meaningful action when risk is identified.  Once the structural support and resources are in place, compliance officers can develop internal controls to manage identified risks in a reasonable and proportionate manner.  Satisfaction in compliance controls should rest ultimately on adaptability through testing.  In other words, the goal is not perfect controls (which will never be possible) but rather perfectly adaptable controls, which are both proactive and reactive, enabling corporate responses to risk to be as varied as the risks themselves.  

These concepts receive significant emphasis in the DOJ’s recent memorandum regarding the Evaluation of Corporate Compliance Programs, which draws extensively from other sources, including the U.S. Sentencing Guidelines and a Resource Guide to the U.S. Foreign Corrupt Practices Act.  It covers 11 topics and poses 119 questions commonly asked by the DOJ during an investigation, and corporate counsel and compliance officers would be well-served to imagine how they would answer these questions about their own programs if misconduct were discovered.  For multinational companies of all sizes, it is usually not a matter of “if” but “when” an incident will occur, and this exercise will help in the process of framing or enhancing the existing compliance program to deal with the red flags as they emerge and better manage them to protect the company.

 


[1] SEC v. Teva Pharm. Indus., Ltd., No. 1:16-cv-25298, ¶ 19 (S.D. Fla. Dec. 22, 2016), https://www.sec.gov/litigation/complaints/2016/comp-pr2016-277.pdf; U.S. v. Teva Pharm. Indus. Ltd., No. 1:16-cr-20968-FAM (S.D. Fl. Dec. 22, 2016), https://www.justice.gov/criminal-fraud/file/920436/download.

[2] SEC v. Teva Pharm. Indus., Ltd., No. 1:16-cv-25298, ¶ 19 (S.D. Fla. Dec. 22, 2016), https://www.sec.gov/litigation/complaints/2016/comp-pr2016-277.pdf.

[3] United States v. Teva Pharm. Indus. Ltd., No. 1:16-cr-20968-FAM, ¶ 16 (S.D. Fla. Dec. 22, 2016), https://www.justice.gov/criminal-fraud/file/920436/download.

[4] SEC. v. Teva Pharm. Indus., Ltd., No. 1:16-cv-25298, ¶ 21 (S.D. Fla. Dec. 22, 2016), https://www.sec.gov/litigation/complaints/2016/comp-pr2016-277.pdf.

[5] Id. at ¶ 24, 32–34.

[6]Id.at ¶ 40.

[7] DOJ & SEC, A Resource Guide to the Foreign Corrupt Practices Act (2012) at 16, https://www.sec.gov/spotlight/fcpa/fcpa-resource-guide.pdf.

 

 

William D. Semins advises companies with business in foreign countries on matters involving the Foreign Corrupt Practices Act (FCPA) and has conducted internal corporate investigations as well as investigations into prospective and existing foreign agents and business partners in the United States, Europe, the Middle East, North Africa, Asia, and South America. In addition to helping clients develop effective FCPA compliance programs to deter and detect potential FCPA problems, he has represented clients in FCPA matters before the Department of Justice and the Securities and Exchange Commission.

Meredith D. Bateman focuses her practice on litigation, with an emphasis on government enforcement, internal investigations, and compliance with the Foreign Corrupt Practices Act (“FCPA”). In addition, Ms. Bateman has assisted in defending financial institutions during federal criminal investigation of Bank Secrecy Act and related anti-money-laundering violations. Ms. Bateman has also participated in internal investigations on behalf of clients to evaluate potential exposure under federal statutes, such as the False Claims Act. With respect to her FCPA practice, Ms. Bateman has conducted due diligence investigations of current and prospective business partners, distributors, agents, and acquisition targets with evaluations of the anti-corruption risks associated with potential mergers, acquisitions, and joint ventures. Additionally, Ms. Bateman has assisted in developing anti-corruption corporate policies and procedures for a variety of clients.

The New Wave of Data Privacy, Security, and Data Breach Litigation
Ashley P. Cuttino and Madi A. Bakker, Ogletree, Deakins, Nash, Smoak & Stewart, P.C.

            It is officially summer, and any seasoned South Carolina sailor knows you cannot control the waves. But you can be prepared to navigate your boat. Likewise, the data privacy and security landscape is ever-changing, unpredictable, and encompasses a constant thrashing and twirling that can leave your company feeling a bit seasick. But sailors, take heart! A skilled crew and a trusty navigation plan can save you from the data privacy storm, including any ill-meaning “phishers” and “pirates” you meet along the way.  

More Than A Drop in the Ocean

            It is estimated that by 2019 internet traffic will reach two zettabytes a year. If each unit of data was a grain of rice, this would be enough rice to fill the entire Pacific Ocean- twice. Swimming in this ocean of data is information that is vital to your company and your employees. Names, social security numbers, addresses, tax information, health information, financials; the list is seemingly endless.  And the fact remains, all employers are susceptible to cyber-attacks and data breaches, regardless of their industry, size, or location.

If one does not know to which port one is sailing, no wind is favorable.

            The ultimate data privacy goal for your company is clear: protect your customer and employee data in order to avoid the costly reputational and financial risks that accompany a breach. As corporate counsel, it is no secret your role is continually evolving. The continued prosperity of business operations alongside legal compliance is your specialty, which gives you a seat at the helm of the data privacy boat. But all too often corporate counsel is summoned as a reactionary byproduct to a data breach; the swab crew to a costly data privacy storm, which often leads your company to a port for which you were not destined.  Instead, counsel should be an integral part of a preventive strategy to protect against a cyber-attack and limit your risk from the moment you first set sail. As general counsel, you are in the best situation to mitigate the risk and get your team sailing towards the port of protected data.

It is not the ship so much as the skillful sailing that assures the prosperous voyage.

            The need to keep the vitality of cyber privacy and the commitment need for data security in the forefront of counsel’s minds cannot be understated. Skillful navigation from the beginning is imperative to ensure your company’s continued success. A non-exhaustive list of corporate counsel’s should-be priorities include:

  • Advise employees of their duties with respect to cyber security. Just as data privacy and security affects every facet of your organization, prevention strategies should be wired throughout your organization, as well. This includes knowing legal responsibilities, structuring roles, and developing compliance initiatives for members of your team outside of the compliance and law departments. Most data breaches actually occur not by hackers, pirating, or phishers, but via your own well intentioned employees. This includes incidents such as management sending an e-mail with employee files to a wrong e-mail address, human resources mistakenly leaving an employee medical leave form on a bus, or a member of the board of directors leaving their laptop in a cab. While cybercrime happens, more frequently your own people are your greatest risks. Including management, human resources, public relations, board members, and record departments in your cyber security plans and training minimizes costly mistakes. Finally, as data breaches become increasingly more not “if” but “when”  scenarios, having a crisis plan in place that includes your public relations team reduces scramble and stress should a data breach storm strike. It is also important to have a systematic reporting process and protocols in place throughout your organization.    

  • Read the fine print. Routinely review insurance policies for the who, what, where, when, and why of cyber coverage and the related terms, as well as vendor agreements for data assess and cyber security liability. A breach by a third party vendor could still leave your company on the hook for liability so it is important to understand who is accessing your data, where they are storing it, and how they are using it. Likewise, it is important to stay apprised of the various contracts without relying on third party policies for data security, as well as exercising due diligence for cyber issues related to any mergers and acquisitions.

  • Stay technologically informed. Quite simply, you cannot protect your data if you do not know what you have. Knowing your systems, protocols, and data inventory is imperative if you want to know how to protect it. An open line of communication between general counsel and your IT department or vendors ensures you’re taking steps to mitigate potential exposure. This often includes implementation of firewalls, password protection strategies, monitoring, device security, user training and education, data storage, antivirus and malware protection, working with partners to draft effective privacy policies, and routinely conducting security updates to hardware and software.

  • Stay legally informed. There is an increasing amount of cybersecurity legislation, regulations, and even Executive Orders. It is imperative to stay in the know regarding ever-evolving state, federal, and international laws and regulations. Particularly, once a breach has occurred, each state has its own data breach notification statute, varying in reporting requirements and obligations for your company. But once again, it’s important to stay ahead of the wind, as states are now introducing bills that require any person doing business in that state to protect private information by developing and maintaining an information security program. Finally, assessing which laws affect your company often is a matter of where your data lives, not where your company is headquartered, so staying ahead of the curve in multiple jurisdictions and countries is necessary. Additionally, corporate counsel should ensure that post breach investigations and all related communication are legally privileged. Finally, knowing what you don’t know is equally as important and engaging outside counsel or other privacy professionals is crucial in certain storms.

The pessimist complains about the wind; the optimist expects it to change; the realist adjusts the sails.

            With the ever-expanding prevalence of data security laws and regulations comes a new wave of implications as a result of a breach, including federal enforcement actions, government investigations, lawsuits, penalties, and sanctions. Data breach litigation is rising by 25 to 30 percent every year. While class action lawsuits have always been at the forefront of the data breach litigation circus, the players are now starting to evolve. In the past, consumers and employees have typically been the go-to Plaintiff in data breach litigation, but these Plaintiffs were often confronted with standing issues and difficulties proving their damages. But now financial institutions are getting in on the action when a payment card breach has occurred. Additionally, the Plaintiffs’ bar is getting creative with the causes of action in data breach litigation lawsuits. An uptick in suits filed under breach of contract, as well tort based theories such as breach of warranty, strict liability, and negligent misrepresentation has hit the waters.  Under such claims plaintiffs generally allege that the company had a duty to exercise reasonable care in protecting the plaintiffs’ personal information. The named plaintiffs additionally allege the company breached that duty by failing to establish adequate data security protocols or by failing to provide timely notification of the breach. This new wave of suits makes the corporate counsel’s role in preventing data breaches and staying apprised of the statutory notification process necessary in minimizing the company’s potential exposure. With data breach litigation, adjusting the sails and staying two steps ahead of your potential plaintiffs, whoever they may be, remains necessary for your successful voyage. Aye aye, corporate counsel captain!

 

 

Ashley P. Cuttino is a shareholder in the Greenville office of Ogletree Deakins and specializes in complex litigation, class action and multi-plaintiff litigation. Ashley is experienced in e-discovery, the use of emerging technologies in the workplace and developing records retention policies. She also advises clients in the area of traditional labor law and has defended both small businesses and national companies in their efforts to be union-free.

Madi Bakker is an associate in the Greenville office of Ogletree Deakins. A member of the Data Privacy practice group, Ms. Bakker specializes in corporate data privacy matters and provides advice and training sessions to a wide range of clients regarding cybersecurity, best privacy practices, and data breach remediation, notification, and response.

Contractual Provisions Waiving Punitive Damages Awards Are Enforceable in South Carolina
F. Elliotte Quinn, IV, Parker Poe Adams & Bernstein LLP

We have all heard the saying that an ounce of prevention is worth a pound of cure. This holds true for business transactions where the easiest and cheapest way to avoid a large judgment should litigation result is through careful contract drafting on the front end. One important tool for doing so is a limitation of liability provision, which is commonly found in commercial contracts. Following a decision last year in South Carolina, limitation of liability provisions can be used to shield a party from punitive damages, but it must be carefully drafted to be enforceable.

The South Carolina Supreme Court held in Maybank v. BB&T Corporation[1] that such provisions can extend to prohibiting an award of punitive damages. The potential for a punitive damages award in an amount many times a plaintiff’s actual damages is a serious concern for construction professionals, and the ability to contractually eliminate that risk is of great value. However, as Maybank makes clear, a limitation of liability provision must be carefully drafted to provide the greatest likelihood that a court will enforce the provision.

In Maybank, a customer entered into a contract with a bank for investment services and later brought contract, tort, and South Carolina Unfair Trade Practices Act (“UTPA”) claims against the bank related to investment advice he received. A jury found for the customer on a number of the claims and awarded punitive damages and treble damages under the UTPA. The bank moved for a judgment, notwithstanding the verdict as to the punitive damages award and the treble damages award, and the trial court denied the motions.

The contract between the customer and the bank contained a limitation of liability provision that read, “In no event shall Bank . . . be liable for any incidental, indirect, special, consequential or punitive damages.” The state Supreme Court held that this language was an enforceable waiver of a customer’s right to recover punitive damages and reversed the trial court’s denial of the bank’s motion.  In doing so, the court rejected the trial court’s ruling that the contractual limitation was unenforceable because it violated public policy and was unconscionable.

While the Maybank decision establishes the enforceability of contractual punitive damages waivers in South Carolina, the decision indicates that such waivers may not be enforceable in all instances. The court indicated that punitive damages waivers are unenforceable where they violate public policy or are unconscionable. Therefore, when drafting limitation of liability provisions and punitive damages waivers, factors to consider and address are:

  • The sophistication of the parties and their relative bargaining powers

  • Whether the contract is a form contract or is drafted for the transaction

  • Whether the other party will have an opportunity to negotiate for the removal of the provision

  • The scope of the provision and what damages it permits the other party to recover

  • Whether the provision is “one-sided” and applies only to the other party or equally restricts both parties’ rights

  • Whether the provision is included with or tied to other provisions or is isolated as its own, stand-alone contract term

  • Whether the contract contains a severability provision

  • Whether the provision is buried in the contract or highlighted and conspicuous

While there are no guaranteed outcomes in litigation, careful consideration of these factors when drafting a limitation of liability provision will result in a provision that a court is much more likely to enforce.

The state Supreme Court also considered whether the limitation of liability provision barred the jury’s award of treble damages under the UTPA. The court held that the provision did not cover treble damages under the UTPA because it did not “specifically prohibit statutory or multiple damages.” The court left undecided whether a limitation of liability provision that explicitly prohibits “statutory” or “multiple” damages will be enforced so as to bar an award of treble damages under the UTPA. Until the court squarely decides this issue, contract drafters are left in limbo as to whether to include an explicit prohibition on “statutory” and “multiple” damages. One approach is to include those limitations based on the assumption that such a prohibition may be enforceable. The second approach is to leave those limitations out of the provision based on a perceived risk that, should the court find those limitations unenforceable, the court may use their inclusion to declare the entire limitation of liability provision unenforceable.

Given the decision, the inclusion of a carefully drafted and comprehensive limitation of liability provision in commercial contracts is essential because it can shield a party from the uncertainty and harm of a potential punitive damages award and may also be able to shield a party from statutory treble damages awards.



[1]Maybank v. BB&T Corp., 416 S.C. 541, 787 S.E.2d 498 (2016).

 

 

Elliotte Quinn focuses his practice on the construction industry and assists contractors, homebuilders, architects, engineers, material suppliers, and others in all aspects of the industry from a project's conceptualization to post-completion disputes, including: contract negotiation, procurement, payment disputes, mechanic's liens, and construction defect claims. Elliotte also handles real property disputes, business governance disputes, and general litigation matters.