Ethical Issues and

Compliance
Ted Banks

Basic Guidance
• Compliance officers set the ethical example.
• Be prepared to be firm, but do it nicely.
• Can compliance officers & lawyers co-exist?

Since many compliance officers are

lawyers . . .

1
Rule 1.1 Competence
A lawyer shall provide competent representation to a client. Competent
representation requires the legal knowledge, skill, thoroughness and
preparation reasonably necessary for the representation.

Technology and
Competence – Comment 8
• ABA Model Rule: To maintain the
requisite knowledge and skill, a lawyer
should keep abreast of changes in the
law and its practice, including the
benefits and risks associated with
relevant technology, engage in
continuing study and education and
comply with all continuing legal
education requirements to which the
lawyer is subject.
• Adopted in 31 states (3/18) 32 states
(Vermont joins 10/18).

Rule 1.6(c) Confidentiality of Information

A lawyer shall make reasonable efforts to

prevent the inadvertent or unauthorized
disclosure of, or unauthorized access to,
information relating to the representation
of a client.
Reaffirmed in Formal Opinion
477R (10/17): encryption
when warranted.
No specific requirements, but a
fact-based analysis with “a ‘process’
to assess risks, identify and implement
appropriate security measures responsive
to those risks, verify that they are effectively implemented, and
ensure that they are continually updated in response to new
developments.”
6

2
Comment 18: Security of Information
The unauthorized access to, or the inadvertent or unauthorized disclosure of,
information relating to the representation of a client does not constitute a violation
of paragraph (c) if the lawyer has made reasonable efforts to prevent the access
or disclosure. Factors to be considered in determining the reasonableness of the
lawyer's efforts include, but are not limited to, the sensitivity of the information, the
likelihood of disclosure if additional safeguards are not employed, the
cost of employing additional safeguards, the difficulty of implementing
the safeguards, and the extent to which the safeguards adversely affect
the lawyer's ability to represent clients (e.g., by making a device or
important piece of software excessively difficult to use). A client may
require the lawyer to implement special security measures not required
by this Rule or may give informed consent to forgo security measures that
would otherwise be required by this Rule. Whether a lawyer may be
required to take additional steps to safeguard a client's information in order to
comply with other law, such as state and federal laws that govern data privacy or
that impose notification requirements upon the loss of, or unauthorized access to,
electronic information, is beyond the scope of these Rules.
For a lawyer's duties when sharing information
with nonlawyers outside the lawyer's own firm,
see Comments [3] and [4] to Rule 5.3.

Does security breach = loss of privilege since

information no longer confidential?
• 4th Amendment: Can’t use evidence illegally seized by gov’t.
– Could use evidence illegally obtained by private individual?
– Panama Papers: hack occurred outside the US, gov’t not involved
• Inadvertent disclosure: no waiver
• Carelessness in security: waiver?

Lawyers AS Phishing Bait

• Ethical as well as financial risk
• In-house counsel who wired $40,000
of an owed settlement to a routing
number sent by scammers posing
as the plaintiffs.
• Title company escrow agents duped
by e-mails using the same greetings
and in-jokes their actual clients use.
• 2013: Ring of scammers posing as clients bilked more than $70 million
from attorneys across the United States and Canada.
• Check before sending money!

3
 Technology and Compliance
• Do you know the compliance implications of these technologies?
– Block chain? Who is getting paid?
– IOT? My refrigerator is watching me
– Cross-device tracking? My phone is talking to my iPad
– Artificial intelligence: My medical diagnosis was wrong
– Automation: Fake Facebook/Twitter accounts since
no humans watching
• Do you have a system in place to review compliance issues each
time a new type of technology is adopted? Does each system have its own ethical
standards?
• To the extent you have any new technology in place, is there a way for it to
communicate with people, or for people to monitor / control?

10

Technology and Consumers:

FTC Report on Cross-Device Tracking (Jan. 23, 2017)
Entities with direct consumer-facing relationships and those working in cross-device
tracking behind the scenes need to:

1. truthfully disclose tracking to consumers and business partners;

2. offer consumers choices about how their cross-device activity is tracked;
3. obtain consumers’ affirmative express consent before engaging in cross-device
tracking on sensitive topics and before collecting and sharing precise
geolocation information; and
4. maintain reasonable security to avoid future unexpected and unauthorized
uses of data.

11

Rule 1.2(d): Can’t assist client in conduct known to be

criminal or fraudulent
• Marijuana legal in some form in 31 states, but
still illegal under controlled substances act, 21
U.S.C. sec. 812(b)(1)
• Comment 9: A "critical distinction between
presenting an analysis of legal aspects of
questionable conduct and recommending the
means by which a crime or fraud might be
committed with impunity.“
• Feds previously left enforcement to states.
Now? Yes? No?

This Photo by Unknown Author is licensed under CC BY-NC-

ND

4
 What to do when the client insists on
doing what you think is wrong?

Model Rule 1.13, SOX § 307

[W]hen the lawyer knows that the

organization is likely to be substantially
injured by action of an officer or other
constituent that violates a legal obligation
to the organization or is in violation of law
that might be imputed to the organization,
the lawyer must proceed as is reasonably
necessary in the best interest of the
organization. . . . (check state variants)

Can GC be Whistleblower?
Wadler v. Bio-Rad Laboratories
• 212 F. Supp. 2d 829 (N.D. Cal. Dec. 20, 2016)
– SOX preempts Calif. ethical rules regarding disclosure of privileged info
– Lawyer can use privileged info as basis for retaliation claim
– SEC agrees: Rule 205.3(d)(2)
• Viol of securities laws
• Perjury
• Substantial injury
• Jury (Feb. 2017)
– $11 million awarded for
whistleblower retaliation
– Claimed retaliation for reporting
China bribery
• Judgment confirmed (May 2017)
• On appeal to 9th Cir.

Erhart v. Bofi Holding, Inc.,

269 F. Supp. 3rd 1059 (S.D. Cal. Sept. 11, 2017)

• Internal auditor filed whistleblower retaliation claim under

SOX & Dodd-Frank.
– Counterclaim of violation of Calif. Law by sharing confidential
information with N.Y. Times and deleting emails from laptop
– Stock price plummets
• Erhart notified SEC that Bank had falsely answered SEC
subpoena, and other matters reported to SEC and OCC
• Employee covered by SOX if
– “Reasonably believes” conduct was a violation
– Employer knew or suspected protected activity
– Employee suffers adverse action
– Protected activity contributed to adverse action (inference based
on temporal proximity)

15

5
 Erhart v. BofI (cont’d)
• Allegations already reported in N.Y. Times, so court would
not review whether Erhart violated “some privilege or right
of privacy.”
• Erhart permitted to disclose information if
“reasonably necessary” to pursue retaliation claim.
– Strong public policy in favor of protecting whistle-
blower who report fraud against the government.
– Citing Wadler and Ruhe v. Masimo Corp., 929
F. Supp. 2d 1033, 1039 (C.D. Cal. 2012).

16

Ex-Department of Justice Lawyer Faces Penalties in

Leak of N.S.A. Program
The N.Y. Times Jan. 17, 2016

Lawyer concerned that certain warrants received “special

Treatment” at FISA Court that violated the law

Admitted violation of Rule 1.6, accepted public censure

17

You cannot ignore the obvious

Rule 1.0(k)[or 1.0(f)]:

knowledge can be
inferred from
circumstances

6
Federal Sentencing Guidelines: “Willfully Ignorant”
“An individual was ‘willfully ignorant of the offense’ if the individual did not
investigate the possible occurrence of unlawful conduct despite knowledge of
circumstances that would lead a reasonable person to investigate whether
unlawful conduct had occurred”.

FRCP 26: Make a

reasonable inquiry.

Federal Sentencing Guidelines: Promptly Report

. . . the organization will be allowed a reasonable period of time to conduct an
internal investigation. In addition, no reporting is required . . . if the
organization reasonably concluded, based on the information then available,
that no offense had been committed.

Advocate or Conscience?
• Model Rule 2.1
–Exercise independent professional
judgment
–In addition to law, consider moral,
economic, social, psychological, and
political factors
• Model Rule 3.1
–No frivolous actions, but
–Can defend vigorously

7
Rule 8.4: Misconduct

Maintaining The Integrity Of The

Profession
Rule 8.4 Misconduct

It is professional misconduct for a

lawyer to:
. . . (g) engage in conduct that the lawyer knows or reasonably should know is harassment or
discrimination on the basis of race, sex, religion, national origin, ethnicity, disability, age,
sexual orientation, gender identity, marital status or socioeconomic status in conduct related
to the practice of law. This paragraph does not limit the ability of a lawyer to accept, decline or
withdraw from a representation in accordance with Rule 1.16. This paragraph does not
preclude legitimate advice or advocacy consistent with these Rules.
Adopted 8/16 by ABA house of Delegates by overwhelming majority. But only adopted in
Vermont; other states have similar, but narrower rules.
Opposition by Christian Legal Society and Federalist Society. Argument: NIFLA v. Becerra
(6/18) ruled that there were no rules for “professional speech.” All regulations based on the
content of speech subject to strict scrutiny. More leeway to regulate conduct that incidentally
involves speech.
22

Code of Ethics for Compliance

& Ethics Professionals

• Obey spirit and letter of the law (prevent misconduct,

cooperation, take action if aware of misconduct)
• Serve employing organizations with highest sense of
integrity (assist in complying with law, investigate
allegations, advise senior management, no retaliation,
confidentiality, no conflicts of interest)
• Strive to uphold integrity and dignity of the profession (act
with honesty, protect confidentiality, no false statements,
maintain education)
• [Full text at end]

• Legal advice
–Communication within scope of duties
–For purpose of obtaining legal (not
business) advice
• Work product: Is litigation anticipated?
• Self-Evaluative Privilege: Nope

8
Barko v. Halliburton (D.D.C. 2014), rev’d, In re Kellogg
Brown & Root (D.C. Cir. 2015)
• No attorney-client privilege or work product
protection for investigation conduct by Office of
Business Conduct
– Investigation required by law and corporate
policy, not for purpose of obtaining legal advice
– Investigation conducted by non-lawyers
• Reversed: investigation to obtain facts and ensure
compliance with law
– Conducted under auspices of legal department
acting in legal capacity
• Involve lawyers in investigations at early stage
– Investigators should report to lawyers
– Can disclose nonprivileged facts without
waiving privilege

Texas Brine v. Dow Chemical

• E.D. La. 2017: communication must be confidential, to a lawyer or his
subordinate, for primary purpose of securing legal opinion, legal services, or
assistance in legal proceeding.
• No privilege when in-house counsel merely copied on emails.
• Accord: SodexoMAGIC, LLC v. Drexel University (E.D. Pa. 2018)

S.E.C. v. Herrera
(S.D. Fla. Dec. 5, 2017)

• Orally disclosing summaries of witness interviews were functional equivalent

of underlying notes and memoranda.
• DOJ may demand full cooperation: specificity and detail for mitigation
• Specify that disclosure is only fact, and not substance of any privileged
communications.

9
Are compliance programs privileged?
• Should they be?

28

Attorney-Client Privilege
• Client requests legal advice = creates privilege
– Client wants business advice: no privilege
– Mixed?
• Client is the company. What happens when compliance
investigation requires interviews of employees?
• Upjohn: advise employee that lawyer represents
company, the company controls the privilege
• Model rules allow joint representation
• Penn State GC sued for malpractice
for representing individual administra-
tors and the University in GJ investiga-
tion of child molestation

29

Former Employees
• Upjohn: No distinction between current and former employees
• Newman v. Highland School Dist. No. 203, 381 P.3d 1188 (Wash. 2016): if no
ongoing employment relationship, no privilege
• Problem: How to get historical knowledge?
– More thorough exit interviews?
– Should be key part of compliance program.
• How to learn what is working.
• Get honest reports on problem
managers when no longer anything
to fear.

10
 Crime-Fraud Exception
• Communications made in furtherance of a crime or fraud are outside the claim
of attorney-client privilege (and may be disclosed). Required PF showing of
elements of ongoing crime or fraud. Not proof beyond a reasonable doubt.
Often in camera review of materials by judge before deciding.
• Manaford & Gates former attorney ordered to testify before GJ regarding limited
aspects of representation relating to allegedly misleading representations to the
DOJ regarding work on behalf of Ukraine.
• http://www.dcd.uscourts.gov/sites/dcd/files/17-mc-
2336_MEM_OP_REDACTED%20FOR%20UNSEALING_20171030.pdf
• In re Grand Jury #3 (3rd Cir. 2017)
– There must be “a reasonable basis to suspect (1) that the
[lawyer or client] was committing or intending to
commit a crime or fraud, and (2) that the . . .
attorney work product was used in
furtherance of the alleged crime or fraud.“
– No punishment for merely thinking about a
bad act
– Unclear what acts will qualify as actual use of
legal advice in furtherance of fraud.

No good deed goes unpunished . . .

• Michael Cohen pleads guild to making false statements, tax evasion, and
campaign finance violations (United Stated v. Cohen, No. 1:18-cr-00602,
SDNY 8/21/18)
• Per Lanny Davis: Cohen testified under oath that Trump directed him to
commit a crime.
– Was there a duty of confidentiality to Trump? (not if business advice)
– Could Cohen implicate Trump to defend himself? (maybe)
– If conversations were privileged, was privilege wiped out by crime-fraud
exception? (unclear)
• Conviction of felony = automatic disbarment.

32

The Apple Compliance Monitor’s 3d Report

• Still some resistance to providing information sought
• Argues about intrusiveness
• Claims that portions of compliance program, such as the risk assessment, are
privileged and need not be disclosed

33

11
Domestic Drywall Antitrust Litigation
MDL No. 2437 (E.D. Pa. Oct. 9, 2014)

• Defendant seeks to prevent discovery of compliance program, arguing that it

met the technical requirements for privilege (a communication maintained in
confidence for the purpose of providing legal advice between privileged
persons).
• The court disagreed
– privilege limited to legal advice leading to a decision by the client.
– antitrust program was general, did not contain any specific advice, was more akin to a
reference or instructional guide, and was primarily a business policy.
– policy not maintained in confidence
• distributed to more than 120 employees
• posted on an intranet site
• not labeled as confidential or privileged.

34

In re Sulfuric Acid Antitrust Litigation

235 F.R.D. 407 (N.D. Ill. 2006) and 432 F. Supp. 2d 794 (N.D. Ill. 2006)

• Antitrust compliance manuals contained a series of hypothetical questions

posed that were distributed to marketing, sales, and production management
employees
• Certain portions of compliance manuals not
privileged, since they did not reveal client confidences
and were nothing more than an articulation of
company policies
• Hypotheticals not privileged
– influenced by historic cases or were entirely the product
of counsel’s imagination.
– Ct: like giving a talk on experiences or writing an article
on antitrust concerns to the sulfuric acid industry.
– Did not contain any client confidences

35

In re Loestrin 24 Fe Antitrust Lit.

MDL No. 2472 (D.R.I. Nov. 29, 2017)

• Request to produce all policies, whenever created, related to antitrust

compliance, as well as business conduct or ethics standards .
• Plaintiffs want every version of every such policy ever
reated by any of the covered entities.
• Court limits production or time period surrounding
formation of agreements at issue, instead of back to the
beginning of time.

12
 Miller v. Smith Barney
No. 84 Civ. 4307, 1986 U.S. Dist. LEXIS 28787, Fed. Sec. L. Rep. ¶ 92,498 (S.D.N.Y. Feb. 27, 1986).

• internal compliance manuals were not privileged

– Disclosed in prior litigation
– Required to be maintained by the NYSE and NASD (and thus could not be deemed
confidential)
– As a compendium of operating procedures and rules, not considered to be legal opinions.
• The fact that they were authored by an attorney was not the test of the
privilege’s applicability.

37

O'Brien v. Board of Ed. of New York

86 F.R.D. 548 (S.D.N.Y. 1980)

• Hypothetical questions were put to counsel

• The answers revealed the mental processes of the clients and various
alternative strategies, all of which was entitled to protection

38

ABA: Can’t avoid confidentiality rule by

claiming scenarios are theoretical if they
aren’t (3/18)
• Rule 1.6 might provide an exception for
information that is publicly and generally
known
• “A violation of Rule 1.6(a) is not avoided
by describing public commentary as a ‘hypothetical’ if there is a
reasonable likelihood that a third party may ascertain the identity or
situation of the client from the facts set forth in the hypothetical.”
• “Hence, if a lawyer uses a hypothetical when offering public
commentary, the hypothetical should be constructed so that there is no
such likelihood.”

39

13
Is a compliance program evidence of anything?
• Not the law: The judge instructions the jury.
• Can’t admit the compliance program since might mislead jury
• MM Steel LP v. Reliance Steel & Aluminum Co., No. 4:12-cv-1227 (S.D. Tex.
Dec.16, 2013), citing United States v. North, 2007 WL 1630366 (D. Conn.
June 5, 2007).

40

Internal Investigations & Individual Liability

• Yates Memo (9/9/15)
• To be eligible for any cooperation
credit, corporations must provide
to the Department all relevant facts
about the individuals involved in
corporate misconduct.
• Both criminal and civil corporate
investigations should focus on individuals
from the inception of the investigation.
• Liability for directors? SEC thinks that directors should exercise actual oversight of
management, not to serve as ‘mere figureheads or rubber stamps.’
– Involvement in wrongdoing?
– Blind eye?

41

Antitrust Division Doesn’t Like to Give Credit for

Compliance Programs

42

14
U.S. Attorney’s Manual
“It is entirely proper in many investigations for a prosecutor to consider the
corporation’s pre-indictment conduct, e.g., voluntary disclosure, cooperation,
remediation or restitution, in determining whether to seek an indictment.
However, this would not necessarily be appropriate in an antitrust
investigation, in which antitrust violations, by definition, go to the heart of the
corporation’s business. With this in mind, the Antitrust Division has
established a firm policy, understood in the business community, that credit
should not be given at the charging stage for a compliance program, and that
amnesty is available only to the first corporation to make full disclosure to the
government.”

Roundtable on Criminal Antitrust Compliance

(April 9, 2018)
https://www.justice.gov/atr/public-roundtable-antitrust-criminal-
compliance

• “Discussion to explore the issue of corporate

antitrust compliance and its implications for
criminal antitrust enforcement policy.”
• "Corporate compliance is key to the Antitrust
Division's ultimate goals of preventing and
uncovering criminal antitrust violations and
protecting consumers and small businesses," said
Assistant Attorney General Makan Delrahim. The
Division values continued engagement with
corporate counsel, the antitrust bar, and other
stakeholders on this important topic."

US v. Kayaba Industry
Crim. No. 1:15CR 098 (S.D. Ohio Sept. 16, 2015)

• Plea agreement recognizes compliance program implemented after criminal

charges brought regarding
alleged conspiracy to fix
prices.
• Possible fine range: $103 –
207 million.
• DOJ sought $62 million based on
cooperation and acceptance of
responsibility and . . .

15
Kayaba Compliance Program
• Required training of senior management and all sales
personnel
• One-on-one training with high risk jobs
• Testing to verify effectiveness of training
• Prior approval of all contacts with competitors & reporting
of contacts
• Certify that all prices independently determined
• Hotline
• Discipline of employees

Changing the Culture

• From the moment the defendant corporation received notification
of the government’s investigation, “management committed to
instituting policies that would ensure that it would never again
violate the antitrust laws.”
• President directed these new policies
• “[T]he company sought to change the culture of the company to
prevent recurrence of the offense.”
• Employees involved in cartel demoted and no longer had sales
responsibilities.

AU Optronics
United States v. AU Optronics Corp., No. CR-09-
0110 (N.D. Cal. Sept. 11, 2012)(Sentencing
Memorandum)

• After conviction, DOJ recommends

“Corporate Antitrust Compliance Program”
– FCPA and antitrust violations
– "[T]he government recommends that AUO be required to hire (at its own expense) an
experienced, independent antitrust attorney as a compliance monitor to review its current
compliance program and to ensure that AUO develops a program containing the
recommended elements. This is the most reasonable, efficient, and effective way to
accomplish the vital task of creating a legitimate, non-criminal business culture at AUO for
the first time and thereby create a foundation for good corporate citizenship and a
necessary safeguard against future collusion.“
• No auditing requirement; no incentives requirement
• Monitor (Tarun), appointed for 3 years, likes ICC Toolkit.

16
DOJ Fraud Section FCPA Pilot Program
(April 5, 2016 through ?)

• Timely and appropriate remediation

– “implementation of an effective compliance and ethics program”;
– "appropriate discipline of employees, including those identified by the [disclosing
company] as responsible for the misconduct, and a system that provides for the possibility
of disciplining others with oversight of the responsible individuals”; and
– “any additional steps that demonstrate recognition of the seriousness of the [disclosing
company’s] misconduct, acceptance of responsibility for it, and the implementation of
measures to reduce the risk of repetition of such misconduct, including measures to
identify future risk.”
• See also SEC FCPA Resource Guide

FCPA Pilot Program

• Implementation of an effective compliance and ethics program, the
criteria for which will be periodically updated and which may vary
based on the size and resources of the organization, but will include:
– Whether the company has established a culture of compliance, including an
awareness among employees that any criminal conduct, including the
conduct underlying the investigation, will not be tolerated;
– Whether the company dedicates sufficient resources to the compliance
function;
– The quality and experience of the compliance personnel such that they can
understand and identify the transactions identified as posing a potential risk;
– The independence of the compliance function;
– Whether the company's compliance program has performed an effective risk
assessment and tailored the compliance program based on that
assessment;
– How a company's compliance personnel are compensated and promoted
compared to other employees;
– The auditing of the compliance program to assure its effectiveness; and
– The reporting structure of compliance personnel within the company.
50

The Stealth Compliance Guidance:

“Evaluation of Corporate Compliance Programs”
(DOJ Criminal Division, Fraud Section Feb. 8, 2017)

11 Topics 46 sub-topics 119 questions

1. Analysis and Root Cause Analysis What is the company’s root cause
Remediation of analysis of the misconduct at issue?
Underlying What systemic issues were identified?
Conduct Who in the company was involved in
making the analysis?
Prior Indications Were there prior opportunities to detect the
misconduct in question, such as audit
reports identifying relevant control failures
or allegations, complaints, or investigations
involving similar issues?
What is the company’s analysis of why such
opportunities were missed?
Remediation What specific changes has the company
made to reduce the risk that the same or
similar issues will not occur in the future?
What specific remediation has addressed
the issues identified in the root cause and
missed opportunity analysis?

17
 Compliance Officer Can be Part of the Violation
• Robert Riley, VP Regulatory Affairs & Chief
Compliance Officer of AbTox, Inc.
• Submitted false or misleading data regarding
safety of sterilizer units.
• Judge Castillo in United States v. Caputo,
456 F. Supp. 2d 970, 984-85 (N.D. Ill. 2006):

“Caputo selected Riley to serve as AbTox's Chief Compliance Officer for

all the wrong reasons. Caputo knew that he could manipulate and
dominate Riley based on his prior personal and business experiences
with him. Riley did not have any real training as a compliance officer. . . .
Riley aided and abetted Caputo's illegal marketing plans. Riley chose to
use whatever regulatory expertise he had to further, shield, and cover up
the offenses proven at trial.”

52

Lawyer Can be Part of Violation

• Turing Pharmaceuticals increased
price of drug by more than 5000%
• CEO Martin Shkreli charged with
securities fraud
• Outside counsel and corporate
secretary, Evan Greebel, indicted
for conspiracy: aiding and abetting the conduct of Shkreli.
• Gatekeeper concept: those with a direct, formal governance
authority
– In-house lawyer should serve as “gatekeeper” to protect company
– Also includes directors, public accounting firms, outside counsel

53

Corporate Manager Can be Liable: Texas v. Morello

547 S.W. 3d 881 (Tex. Feb. 23, 2018)
• State sued member/manager of LLC for
violations of Texas Water Code
(groundwater contamination) based on
LLC’s failure to satisfy compliance plan
accompanying its hazardous waste permit.
• Tex. Ct. App.: Liability protection under Tex.
Bus. Org. Code. State failed to show that
failures to satisfy compliance plan were the
type of “tortious or fraudulent” acts for which
corp. officers can be held personally liable
• Tex. S. Ct.: Rev’d. Notwithstanding statutory
language, this individual liable based on
both the Water Code and the individual’s own actions, which subject him to
liability regardless of whether he was acting as an agent of the LLC.
54

18
Accountants warned: Felonies are forever
Houston Chronicle (Mar. 20, 2013)

• Helen Sharkey: 30 days in prison for conspiracy to commit securities fraud.

• "Did I feel in my gut it was wrong? Absolutely. Did I think it was illegal? No
way," she said.
• Accountant as gatekeeper?

55

Lawyer as Compliance Officer?

• How do things get

done?
• Lawyer can make
noisy withdrawal.
Can others?
• HHS: GC can’t be
compliance officer

Lawyer as your gladiator?

57

19
 Lawyer as your confidential advisor.
• Except in investigations, compliance program
should be as open as possible.
• Lawyer must maintain client confidences. Cannot
use information gained from prior representation in
a way adverse to the former client, unless consent
or “generally known.” Rule 1.9; Formal Opinion
479
• Public availability not enough; must be generally
known in the relevant geographic area or widely
recognized in the former client’s industry, profession
or trade.
• If you blog, can’t reveal confidential information.
Rule 1.6; Formal Opinion 480.
• Who is the
58
client? Usually the company.

Poster Children: Violation Based on the “Compliance

Officer” Title and Careless Attestations
• Mark Kipnis – Hollinger
– 2007 – Conrad Black and others
convicted
– Kipnis did not get any money from
the fraud
– Judge Amy St. Eve: Kipnis was
“clearly the least culpable person in
his scheme”
– No jail, but 5 years probation, loss of
law license.
– 2010: S. Ct. overturns convictions
based on “honest services fraud”
• Christi Sulzbach – Tenet
– Resigned 2003
– Litigation continued until 2010
– But took home huge compensation

59

Theranos and Its Counsel

• Blood testing device never worked
• Board members never inquired
• David Boies (attorney & board member) used
intimidation to stop Theranos whistleblowers
• Previously worked to suppress stories about
Harvey Weinstein including hiring undercover
investigators to investigate reporters
“You don’t know all the facts when you take on a client . . .
but once you do, you have a duty of loyalty. You can’t
represent them halfway. If, as a
lawyer you start to value how you are going to look to the
media, as opposed to how your client will look, then you
should find a new profession.”
J. Stewart, “David Boies Pleads His Own Case,” N.Y. Times (Sept. 23, 2018)

60

20
Lawyers and Compliance
• Lawyer as ethical gatekeeper?
• Concern about image rather than ethics?
• Should a lawyer have a financial stake in a client?
– Necessary for start-ups?
– Every employee has an interest in keeping job.
• Should a lawyer be a board member?
– Defending interests of management
– vs. fiduciary duty to protect interests of investors

61

General Counsel as Chief Compliance Officer according to Sen.

Grassley: “It doesn't take a pig farmer from Iowa to smell the
stench of conflict in that arrangement.”

Whatever our role . . .

. . . let’s not forget to bring home the compliance “ bacon”

63

21
 Thank you!

64

Code of Professional Ethics for Compliance and Ethics

Professionals (Society of Corporate Compliance & Ethics)
Principle 1: Obligations to the Public
Compliance and ethics professionals (CEPs) should abide by and promote compliance with the spirit and
the letter of the law governing their employing organization’s conduct and exemplify the highest ethical
standards in their professional conduct in order to contribute to the public good.

R1.1 CEPs shall not aid, abet or participate in misconduct.

R1.2 CEPs shall take such steps as are necessary to prevent misconduct by their employing
organizations.
Commentary: The CEP’s actions to prevent misconduct must, of course, be legal and ethical. Where a
CEP has done what he or she can to prevent misconduct within the bounds of the law and business ethics,
but is nonetheless unsuccessful in preventing misconduct, he or she should refer to Rule 1.4.

R1.3 CEPs shall exercise sound judgment in responding to or cooperating with all official and legitimate
government investigations of or inquiries concerning their employing organization.

Commentary: While the role of the CEP in a government investigation may vary, the CEP shall never
obstruct or lie in an investigation.

65

SCCE Ethics Code (cont’d.)

R1.4 If, in the course of their work, CEPs become aware of any decision by their employing organization
which, if implemented, would constitute misconduct, the professional shall: (a) refuse to consent to the
decision; (b) escalate the matter, including to the highest governing body, as appropriate; (c) if serious
issues remain unresolved after exercising “a” and “b”, consider resignation; and (d) report the decision to
public officials when required by law.

Commentary: The duty of a compliance and ethics professional goes beyond a duty to the employing
organization, inasmuch as his/her duty to the public and to the profession includes prevention of
organizational misconduct. The CEP should exhaust all internal means available to deter his/her
employing organization, its employees and agents from engaging in misconduct. The CEP should escalate
matters to the highest governing body as appropriate, including whenever: a) directed to do so by that
body, e.g., by a board resolution; b) escalation to management has proved ineffective; or c) the CEP
believes escalation to management would be futile. CEPs should consider resignation only as a last resort,
since CEPs may be the only remaining barrier to misconduct. A letter of resignation should set forth to
senior management and the highest governing body of the employing organization in full detail and with
complete candor all of the conditions that necessitate his/her action. In complex organizations, the highest
governing body may be the highest governing body of a parent corporation.

66

22
SCCE Ethics Code (cont’d.)
Principle II: Obligations to the Employing Organization
Compliance and ethics professionals (CEPs) should serve their employing organizations with the highest
sense of integrity, exercise unprejudiced and unbiased judgment on their behalf, and promote effective
compliance and ethics programs.
R2.1 CEPs shall serve their employing organizations in a timely, competent and professional manner.
Commentary: CEPs are not expected to be experts in every field of knowledge that may contribute to an
effective compliance and ethics program. CEPs venturing into areas that require additional expertise shall
obtain that expertise by additional education, training or through working with others with such expertise.
CEPs shall have current and general knowledge of all relevant fields of knowledge that reasonably might
be expected of a compliance and ethics professional, and shall take steps to ensure that they remain
current by pursuing opportunities for continuing education and professional development.
R2.2 CEPs shall ensure to the best of their abilities that employing organizations comply with all relevant
laws.
Commentary: While CEPs should exercise a leadership role in compliance assurance, all employees
have the responsibility to ensure compliance.

67

SCCE Ethics Code (cont’d.)

R2.3 CEPs shall investigate with appropriate due diligence all issues, information, reports and/or conduct that relates to
actual or suspected misconduct, whether past, current or prospective.
Commentary: In organizations where other professionals (such as the Legal Department) are responsible for
investigation of suspected misconduct, CEPs satisfy this Rule by reporting suspected misconduct to such professionals
in accordance with established reporting procedures.
R2.4 CEPs shall keep senior management and the highest governing body informed of the status of the compliance and
ethics program, both as to the implementation of the program and about areas of compliance risk.
Commentary: The CEP’s ethical duty under this rule complements the duty of senior management and the highest
governing body to assure themselves “that information and reporting systems exist in the organization that are
reasonably designed to provide to senior management and to the board itself timely, accurate information sufficient to
allow management and the board, each within its scope, to reach informed judgments concerning both the corporation’s
compliance with law and its business performance.” In re Caremark International Inc., Derivative Litigation, 1996 WL
549894, at 8 (Del. Ch. Sept. 25, 1996)
R2.5 CEPs shall not aid or abet retaliation against any employee who reports actual, potential or suspected misconduct,
and shall strive to implement procedures that ensure the protection from retaliation of any employee who reports actual,
potential or suspected misconduct.
Commentary: CEPs should preserve to the best of their ability, consistent with other duties imposed on them by this
Code of Ethics, the anonymity of reporting employees, if such employees request anonymity. Further, they shall conduct
the investigation of any actual, potential or suspected misconduct with utmost discretion, being careful to protect the
reputations and identities of those being investigated.
68

SCCE Ethics Code (cont’d.)

R2.6 CEPs shall carefully guard against disclosure of confidential information obtained in the course of their
professional activities, recognizing that under certain circumstances confidentiality must yield to other values or
concerns, e.g., to stop an act which creates appreciable risk to health and safety, or to reveal a confidence when
necessary to comply with a subpoena or other legal process.
Commentary: It is not necessary to reveal confidential information to comply with a subpoena or legal process if the
communications are protected by a legally recognized privilege (e.g., attorney client privilege).
R2.7 CEPs shall take care to avoid any actual, potential or perceived conflicts between the interests of the employing
organization and either the CEP’s own interests or the interests of individuals or organizations outside the employing
organization with whom the CEP has a relationship. CEPs must disclose and ethically handle conflicts of interest and
must remove significant conflicts whenever possible. Conflicts of interest may create divided loyalties. CEPs shall not
permit loyalty to individuals in the employing organization with whom they have developed a professional or a personal
relationship to interfere with or supersede the duty of loyalty to the employing organization and/or the superior
responsibility of upholding the law, ethical business conduct and this Code of Ethics.
Commentary: If CEPs have any business association, direct or indirect financial interest, or other interest that could
influence their judgment in connection with their performance as a professional, the CEPs shall fully disclose to their
employing organizations the nature of the business association, financial interest, or other interest. If a report,
investigation or inquiry into misconduct relates directly or indirectly to activity in which the CEP was involved in any
manner, the CEP must disclose in writing the precise nature of that involvement to the senior management of the
employing organization before responding to a report or beginning an investigation or inquiry into such matter, and must
recuse him or herself from such investigation or inquiry, if appropriate. Despite this requirement, such involvement in a
matter subject to a report, investigation or inquiry will not necessarily
69
prejudice the CEP’s ability to fulfill his/her
responsibilities in that regard.

23
 SCCE Ethics Code (cont’d.)
R2.8 CEPs shall not mislead employing organizations about the results that can be achieved through the
use of their services.
Commentary: CEPs should not create unreasonable expectations with respect to the impact or results of
their services.
Principle III: Obligations to the Profession
Compliance and ethics professionals (CEPs) should strive, through their actions, to uphold the integrity
and dignity of the profession, to advance the effectiveness of compliance and ethics programs and to
promote professionalism in compliance and ethics.
R3.1 CEPs shall pursue their professional activities, including investigations of misconduct, with honesty,
fairness and diligence.
Commentary: CEPs shall not agree to unreasonable limits that would interfere with their professional
ethical and legal responsibilities. Reasonable limits include those that are imposed by the employing
organization’s resources. If management of the employing organization requests an investigation but limits
access to relevant information, CEPs shall decline the assignment and provide an explanation to the
highest governing authority of the employing organization. CEPs should diligently strive to promote the
most effective means to achieve compliance.

70

SCCE Ethics Code (cont’d.)

R3.2 Consistent with Rule 2.6, CEPs shall not disclose without consent or compulsory legal process confidential information
about the business affairs or technical processes of any present or former employing organization. Such disclosure could
erode trust in the profession or impair the ability of compliance and ethics professionals to obtain such information from others
in the future.
Commentary: CEPs need free access to information to function effectively and need the ability to communicate openly with
any employee or agent of an employing organization. Open communication depends upon trust. Misuse and abuse of the work
product of compliance and ethics professionals poses a serious threat to compliance and ethics programs. CEPs shall not use
confidential information in any way that violates the law or their legal duties, including duties to their employing organizations.
When adversaries in litigation use an organization’s own self-policing work against it, the credibility of CEPs may be
undermined. CEPs are encouraged to work with legal counsel to protect confidentiality and to minimize litigation risks. It is not
necessary to reveal confidential information to comply with compulsory legal process if the confidential information is protected
by a legally recognized privilege (e.g., attorney client privilege).
R3.3 CEPs shall not make misleading, deceptive or false statements or claims about their professional qualifications,
experience or performance.
R3.4 CEPs shall not attempt to falsely damage the professional reputation of other compliance and ethics professionals.
Commentary: In order to promote collegiality and civility in the profession, CEPs shall not make any statements concerning
other CEPs that are defamatory in nature.
R3.5 CEPs shall maintain their competence with respect to developments within the profession, including knowledge of and
familiarity with current theories, industry practices, and laws.
Commentary: CEPs shall pursue a reasonable and appropriate course of continuing education, including but not limited to
review of relevant professional and industry journals and publications, communication with professional colleagues and
participation in open professional dialogues and exchanges through attendance at conferences and membership in
professional associations
71

24