Beginning an Internal Investigation: The US Perspective
This is an Insight article, written by a selected partner as part of GIR's co-published content.
The aim of this chapter is to provide the reader with useful tools to navigate the beginning of an internal investigation. Mistakes made in the initial phases of an investigation can have costly repercussions down the road, and, for this reason, it is important to consider all the relevant legal, commercial and logistical factors in making strategic decisions early on.
8.2 Assessing whether an internal investigation is necessary
Information giving rise to the need for an internal investigation can come from a variety of sources, including customers, employees, whistleblowers, lawsuits, counterparties, news and social media, as well as from prosecutorial and regulatory authorities. Regulatory changes have created new incentives for individuals to come forward and report suspected wrongdoing. For example, the Sarbanes-Oxley Act of 2002 and its implementing rules require attorneys who appear and practise before the Securities and Exchange Commission (SEC) to report evidence of a material violation up the ladder to a company’s chief legal officer and chief executive officer. The reporting obligation is not discharged until the attorney reasonably believes the company has provided an appropriate response. Similar reporting obligations apply to issuers and auditors.
When confronted with information – from whatever source – that the company or its employees may have engaged in serious misconduct, in-house counsel’s first step is often to assess whether it would be in the company’s interest to conduct an internal investigation. Counsel will want to consider whether government authorities are already investigating, or are likely to investigate, the matter, whether civil litigation will follow and in what form, and the potential (or likely) need for remediation. Depending on the facts, counsel may also want to balance the costs of investigating and the potential disruption to normal business, as well as any potential reputational risk or commercial fallout.
In some instances, external legal obligations may require an investigation to be conducted. Board members and management, for example, have a fiduciary duty to protect the interests of the corporation and its shareholders, and in some cases that duty will include an obligation to investigate indications of serious misconduct at the company. An investigation may also be required in certain instances so that company executives can meet any affirmative certification obligations they have, whether under Sarbanes-Oxley or otherwise.
More often, however, counsel will want to conduct an investigation to make an informed decision about whether it is in the company’s interest to self-report the matter to law enforcement or regulators. Over the past two decades, the United States Department of Justice (DOJ) has placed an increasing focus on self-reporting both in charging decisions and in the degree of co-operation credit that will be afforded to a company. To guide the charging decisions of its own attorneys, the DOJ has set out a number of factors that prosecutors should consider in determining whether to charge a business entity, including co-operation and voluntary disclosure, the adequacy of the corporation’s compliance programmes, and any remedial actions or restitution undertaken. The DOJ has expanded on these factors through subsequent directives. In November 2019, the DOJ clarified that under its revised policy, a company seeking co-operation credit is expected to disclose ‘all relevant facts known to it at the time of the disclosure’. This clarification recognises that because ‘a company may not be in a position to know all relevant facts at the time of a voluntary self-disclosure, especially where only preliminary investigative efforts have been possible’, a full investigation is not required before disclosure, though a company should ‘provide a fulsome disclosure’ of the relevant facts known at the time. Just two years later, the DOJ restored prior guidance mandating that this disclosure identify all individuals involved in the misconduct, not merely those who were ‘substantially involved’, and the DOJ recently specified that such disclosure must be done on a timely basis for a corporation to receive co-operation credit. Additionally, in 2016, the Fraud Section of the DOJ launched a ‘Pilot Program’ announcing even greater emphasis on voluntary self-reporting in deciding whether to charge or how to resolve corporate criminal matters. 
The following year, this policy was formally implemented through the DOJ’s revised Foreign Corrupt Practices Act (FCPA) Corporate Enforcement Policy, which was announced in November 2017 and closely tracks the objectives of the Pilot Program, including the incentives for self-disclosure and co-operation with the DOJ’s investigations. In practice, if not through formal written policy, this emphasis on self-reporting extended to cases that came before the Department involving federal regulations beyond the FCPA. In September 2022, the DOJ officially directed all its components that prosecute corporate crime to adopt policies incentivising self-disclosure and specified that, across the DOJ, it would ‘not seek a guilty plea where a corporation has voluntarily self-disclosed, fully cooperated, and timely and appropriately remediated the criminal conduct’.
In light of these policies, for all practical purposes, an internal investigation is often necessary so that the company can identify what, if any, information should be disclosed to the DOJ, and whether co-operation credit is attainable. This, however, may be a false dilemma as, in many instances, a corporation’s co-operation can be the most significant determining factor in how the DOJ resolves a case, including the amount of any penalty.
Many regulatory agencies have likewise increasingly come to expect companies to perform a robust internal investigation of any potential legal or regulatory violations and to report such violations to the agency. For example, the Consumer Financial Protection Bureau (CFPB) has stated that ‘responsible conduct’ – namely proactive self-policing for potential violations, prompt self-reporting of identified violations, complete remediation of resulting harm and co-operation with the CFPB – would influence the CFPB’s resolution of an enforcement investigation. Similarly, the US Department of Treasury Office of Foreign Assets Control specifically provides companies with mitigation credit of 50 per cent off its base penalty amounts for voluntary disclosures and further mitigation for co-operation. The SEC similarly identifies ‘[s]elf-policing, self-reporting, remediation and cooperation with law enforcement authorities’ as the primary factors it will consider in determining an appropriate resolution.
Even apart from legal considerations, business and reputational concerns alone may provide grounds for conducting an internal investigation. Indeed, counsel will often need to have a baseline understanding of the underlying facts, and an informed sense of whether there is any substance to the allegations of misconduct, to make a reasonable assessment of the potential business and legal consequences and the need for corrective action. Commencing a thorough internal inquiry will often also be important to any related public relations efforts, and will be critical to maintaining the company’s credibility with its customers, business partners and other affected individuals.
8.3 Identifying the client
Once the company decides to commence an internal investigation, the next step is to determine who will conduct the investigation and for what specific client within the organisation. In large organisations, particularly those with multiple subsidiaries across the globe, counsel should think strategically about how to structure the investigation: where to locate the attorney–client relationship, to whom the investigating attorneys should report, and who will be making key decisions as the investigation proceeds. In making these decisions, counsel should consider what relationships will best protect the integrity and confidentiality of the investigation, the location and custody of relevant documents, and the overall aims of the investigation over the short and long term.
In some circumstances, counsel may also want to consider whether the investigation should be conducted on behalf of the board (or its subcommittee), with counsel reporting to and being directed by the board, rather than by management. In a shareholder derivative suit, having the board direct the investigation will be the norm, both because the conduct of management will often be at issue and so that the investigation will not be subject to the derivative-claim exception to the attorney–client privilege recognised in some jurisdictions. The board may also be best suited to lead an investigation when the allegations are particularly serious or could have serious consequences for the company, when the allegations concern the actions of senior management, or when reputational or other concerns require that the investigation be conducted independently of management. Making that decision in any particular case will depend heavily on the specific facts involved, the company’s business and position in the marketplace, the relationship dynamics at the company and the overall goals of the investigation.
Whatever decision is made, it is important that the company clearly documents who the client is, and the reporting and oversight structure for the investigation.
8.4 Control of the investigation: in-house or external counsel
Although routine matters can often be handled by in-house counsel, an outside firm should ordinarily conduct the investigation where the potential misconduct could produce significant adverse legal or commercial consequences for the company. Though internal investigations can be expensive and time-consuming, these concerns often pale in comparison to the possible legal, financial and reputational risks faced by the company, as well as the need to demonstrate independence. Hiring external counsel allows for a clearer application of the attorney–client privilege to the communications and work-product of the outside firm, especially where corporation counsel has both business and legal functions. Often, both commercial and legal concerns can precipitate an internal investigation, so using external counsel can decrease the risk of inadvertently waiving privilege. External counsel also brings expertise, experience and resources to support the company in challenging situations that are unlikely to arise with much frequency at any particular company.
Depending on the circumstances, in-house counsel may want to consider using external counsel that is not the company’s usual firm. Bringing in a separate firm that is less familiar with the company’s business, of course, will often involve additional time and expense. Whether this step is justified in a particular case will depend on the sensitivity and significance of the investigation, the level of management implicated in the conduct, the need for perceived independence of the investigation, and the attitude of potentially relevant regulators who may be assessing the quality and results of the investigation in considering whether the company deserves credit for co-operation.
8.5 Determining the scope of the investigation
The importance of clarifying the investigation’s scope and purpose at the outset cannot be overstated. First, a well-defined and memorialised purpose can help establish the legitimacy of privilege claims over attorney–client communications and work-product produced in the course of the investigation; the claim to the attorney–client privilege is likely to be much stronger if an independent investigation has been commenced or litigation is reasonably contemplated.
Additionally, defining the investigation’s purpose can impose a welcome discipline and accountability on the investigators themselves. Corporate counsel are quite familiar with the tangents that can cause an investigation to become rudderless and wasteful. As explained below, a short period of preliminary investigation can often be helpful in defining a purpose and scope to the investigation that is reasonably clear and realistic, while identifying key uncertainties and inflection points to come. In defining the scope of the investigation, it can also be valuable to consider how quickly the information is needed, whether based on requests from the government or internal time pressures.
8.5.1 Key documents and scoping interviews
Most investigations will begin with counsel’s review of a handful of critical documents that are at the heart of the information triggering the need for the investigation. In many instances, the documents themselves, rather than individuals, may have alerted the company to alleged wrongdoing and precipitated the need for an investigation. In almost every case, however, conducting a small number of initial scoping interviews will be a useful way for the investigators to focus in quickly on the truly important material.
Identifying the most useful individuals to speak with in these scoping conversations can be delicate, as investigators seek to strike a balance between speaking with individuals who are knowledgeable about the issue at hand but who are sufficiently removed from the potential misconduct that they can safely be viewed as reliable in terms of setting the scope and maintaining the confidentiality of the investigation. Of course, interviewing an employee at an early stage, without the benefit of a complete set of facts or documents, could result in incomplete information and the need for a further interview.
One logical place for external counsel to start is to thoroughly debrief the in-house legal team and, potentially, the individual or individuals who brought the issue to the attention of the organisation. These interviews can serve to identify key custodians, the nature and volume of relevant documents, the ways documents are stored, and who has access to them. If there is an obvious investigation target, interviewing that individual in the initial stages may be more efficient, but this must be weighed against other strategic considerations, including alerting the target to the focus of the investigation and compromising the investigation later on. The timing and structure of these initial discussions may also be influenced by external deadlines or other business considerations involved in the review.
8.5.2 Identifying necessary partners
Another early consideration for counsel is what outside investigative partners may be needed. These can range from technical subject-matter experts to local counsel in foreign jurisdictions to data processing and hosting services to forensic accountants. Counsel ordinarily will want to interview a number of firms in deciding which vendors to use, and the discussions can sometimes yield helpful insight into the size of the tasks ahead, likely costs, potential alternative strategies and timing. Engaging these third parties at the outset of the investigation – even if their work is not needed immediately – will often be valuable in defining the scope and methods of the investigation. As noted above, given the consideration of the attorney–client privilege, generally external counsel will retain the third-party vendors on behalf of the company so that their work and work-product is undertaken on the instruction of external counsel in anticipation of litigation and thereby covered by privilege and attorney work-product protections.
8.5.3 Developing a work plan
Once the investigating attorney has identified the subject matter of the investigation (the who, what, when and where), the scope and the purpose of the investigation and a concrete plan for carrying it out should ordinarily be memorialised by external counsel in a written work plan. This type of memorandum allows for client input on the investigative process, gives in-house counsel clear expectations about how the investigation will progress, and provides investigating attorneys with a benchmark for strategic judgements as the investigation moves forward. It can also serve as a useful tool for dividing responsibilities among the investigating attorneys and tracking progress towards key investigative goals. Keep in mind that the work plan may be a document that the company decides to share with the criminal or regulatory authorities and should be drafted accordingly.
In building the work plan, counsel should consider the time frame and geographical range of the inquiry, as well as which entities of the company (e.g., subsidiaries, affiliates, departments) will be covered and, if applicable, the rationale for not covering other entities at this stage. The memorandum should clearly set forth the subject matter under investigation and, to the extent possible, (1) what company documents will be retrieved (and by whom), (2) how data will be processed (and by whom), and (3) how documents will be reviewed (and by whom). In collecting, reviewing and preserving documents, the investigating attorney should take into account any data privacy concerns that may arise.
Where possible, the work plan should list any interviews that have been or will be conducted, or at least the categories of people to be interviewed. To the extent there is a rationale for interviewing some individuals and not others, it should be stated. Likewise, if the involvement of other third parties, such as forensic accountants and industry experts, is foreseeable, the document should describe the scope of their expected engagement.
The work plan should also set a rough schedule for key deliverables in the investigation, and at least tentatively identify the form that the ultimate work-product will take. In particular, it is useful to know at the outset of an investigation whether the preparation of a written investigative report will be useful and in the company’s interest, or whether an oral presentation of findings to management or the board would be preferable. A written report will most often be advisable when the company believes providing the report to a third party or to the public will be beneficial, whether for reputational, business or legal reasons. In most other cases, an oral report will often serve the client’s interests just as well without creating a risk of inadvertent or compelled disclosure.
Finally, the work plan should be flexible. Although careful planning is always beneficial, investigations in the real world are not scripted affairs. The investigative team must adapt to new information and challenges as the investigation progresses, and the work plan should lay out a process for making those decisions – particularly in terms of who should be consulted and who should approve decisions – before the investigative team moves in a new direction not contemplated by the plan.
Certain investigations may implicate the general counsel or other members of senior management in alleged misconduct. In that circumstance, the investigating attorneys should report to the board (or a designated member or committee of the board) or to a senior executive who has no involvement in the facts at issue and who does not report to any member of management whose conduct may be under review.
8.6 Document preservation, collection and review
As soon as possible after learning of potential misconduct, the in-house attorney should implement a litigation hold and disseminate a document preservation notice to prevent the intentional or inadvertent destruction of relevant documents and material. In fashioning the document retention policy, it is ordinarily advisable to err on the side of overbreadth, at least at the beginning when the extent of any potential wrongdoing and the relevant actors are unknown. This is critical. Failure to successfully preserve relevant material could be viewed as a dereliction of the attorney’s duties and, in some cases, as obstruction of justice.
In issuing preservation or ‘hold’ notices, the investigating attorneys should consider who should receive these notices (including the IT and records departments), what types of documents and data should be included, and how the investigation should be described. Where notices are sent to different jurisdictions, the investigating attorney may need to consider providing translations as well as addressing data privacy restrictions. The attorney implementing the litigation hold should record the distribution of notices and, where extra caution is warranted, have employees sign and return a copy of the notice or electronically acknowledge receipt so as to create a record. If the company has received a subpoena from law enforcement relating to the subject matter of the investigation, the subpoena will define the minimum universe of documents that require preservation, but counsel should consider whether additional material should be preserved for purposes of the internal investigation or otherwise.
The investigating attorneys should consult with the company’s records management department to preserve any hard-copy files, including those stored off-site in archives. The investigating attorney should also instruct the IT department to suspend any normal data destruction practices and to create and maintain a list of the relevant sources of data. Such sources may include documents maintained on the company’s servers and employees’ hard drives, emails saved on exchange servers, data held on employees’ home computers, and data saved on employees’ work-issued mobile and electronic devices – the collection of which may require additional considerations when employees have been furloughed or are working remotely. In recent years, regulators have been increasingly focused, not just on collecting and preserving email, but also on collecting and preserving text messages and other communications stored on mobile and other electronic devices. To the greatest extent possible, the company should take steps on its own to preserve this electronic data rather than relying on individual employees to preserve their own documents. The company should also take steps to prevent individuals from destroying or altering potentially relevant data. In some cases the facts will warrant proactive data capturing steps, including forensic images of employees’ laptops, desktops or mobile devices. Document custodians should be designated as soon as the investigating attorneys reasonably believe such individuals may possess documents relevant to the investigation.
It bears mention that sometimes the document collection process itself can come under scrutiny, particularly if authorities come to believe that relevant (and potentially damaging) documents may have been destroyed. In some extreme cases, someone with first-hand knowledge of the investigation may be called to provide sworn testimony in a deposition or in court. Attorneys should plan and document the collection process with this worst-case scenario in mind, and make clear to their clients the importance of treating the collection process – sometimes viewed as an administrative chore – with serious care and attention.
Once preservation measures have been implemented, the investigation can turn its attention to the collection of documents. Almost all investigations require judgement calls to be made on the scope of which documents to collect and from whom, including whether the investigation can be accomplished in whole or in part through collection within the company or, instead, requires collection from third parties. Company policies (e.g., codes of conduct) and local employment law also may impose limitations on the collection process. If the investigation contemplates the collection of personal health information, counsel should ensure that all data collection comports with the requirements of the Health Insurance Portability and Accountability Act of 1996. In such circumstances, counsel should take appropriate measures to safeguard personal health data, including assessing whether entering into a business associate contract is appropriate. By the same token, counsel should ensure that any other personally identifiable information collected as part of the investigation is similarly flagged during review and appropriately safeguarded.
For electronic data, the process of collecting data will often coincide with preserving it. Counsel should make sure that forensic copies of all relevant electronic data (including metadata) have been copied to a secure location, preferably with at least one backup maintained on a separate system. The data will then need to be loaded into a review platform for review. Evidence that has been collected in paper form will often be most easily reviewed by digitising it and loading it into the same review platform as the electronic documents that have been collected. The data vendor retained by the investigating counsel will provide the collection and hosting support to the company.
As with the preservation process, the steps taken in collecting documents should be recorded. In instances where requested documents cannot be located, the search efforts and results should also be documented.
Regarding the review of the documents, the investigating attorneys should carefully consider how best to manage the volume and formatting of documents. Outside vendors are a useful resource for these matters, and consulting with them early can often save time and money.
Where there is a large volume of documents to be searched, the key objective is to locate the responsive documents quickly and efficiently. Search terms should be broad enough to include responsive materials, but narrow enough not to bog down review teams with a large proportion of unnecessary documents. To the extent certain custodians or groups of documents are more likely to contain relevant content, their review should be prioritised.
In recent years, great advances have been made in the use of predictive coding in e-discovery to more quickly identify relevant documents and reduce the number of non-responsive documents that need to be individually reviewed. In our experience, the judicious use of predictive coding technologies is increasingly acceptable to regulators and prosecutors in the right context, so long as the specific methodologies and rationale for using those tools are clearly discussed with the authorities at the outset. Even in cases where a full human review of a document population is contemplated or required, predictive coding can be a useful tool for internal investigators in locating the most relevant documents quickly, before the full review is complete.
Taking these considerations into account, the investigating attorneys should draft a document review protocol that sets forth in as much detail as possible the purpose of the review, the responsive issues, and how documents should be tagged or marked. Devising the system of tags and codes is a critical step. Counsel should give careful consideration to how they may want to sort the data as the investigation progresses and devise codes that will make that work efficient. Counsel should take care, however, not to include so many codes that the review will be unduly slowed or overly confusing to reviewers.
If the need to produce documents to outside parties is likely, responsive documents should be reviewed to see if they are privileged and, if so, which privilege would apply. Disclosure of privileged material to a third party, even the government, can sometimes constitute a waiver of privilege, although steps can be taken to limit the scope of such a waiver.
Gathering material in an investigation is a dynamic process. Discovery of documents will often require follow-up interviews, and information gleaned in interviews may reveal the need for additional search terms or custodians. Documents retrieved from one custodian may reveal that a previously unknown custodian may have responsive material. The document preservation notice and review protocol should be updated as needed throughout the course of the investigation as new information comes to light.
8.7 Documents located abroad
When documents are located in jurisdictions outside the United States, the first step is to look at the relevant country’s data privacy and bank secrecy laws (or whether blocking statutes or state secrecy laws are implicated), many of which may seem counter-intuitive to US practitioners. In the European Union, for instance, employees’ personal data can only be collected and processed under certain conditions, and law firms and their clients must protect this data from misuse and respect certain rights of the individual data owners. These requirements and the penalties for non-compliance have been heightened by the recent implementation of the General Data Protection Regulation, which superseded the Data Protection Directive governing data privacy and applies directly throughout the European Economic Area. Some countries also have procedural requirements (e.g., notification to a works council) that govern the processing, transfer, storage, maintenance and access to documents. Given the heightened scrutiny surrounding personal information, counsel should take care to collect and store only what the investigation requires, and consider whether any special arrangements, such as a cross-border data transfer agreement, would help mitigate collateral risk.
In the past, corporate counsel has sometimes relied on these foreign laws to avoid producing documents located abroad to US authorities. Recently, DOJ officials have expressed increasing scepticism towards explanations that documents cannot be provided to the DOJ in the United States because of data privacy restrictions, and, by virtue of handling many cases implicating foreign laws, have themselves become knowledgeable about their limitations and exceptions. In the DOJ’s view:
Corporations are often too quick to claim that they cannot retrieve overseas documents, emails or other evidence regarding individuals due to foreign data privacy laws. . . . A company that tries to hide culpable individuals or otherwise available evidence behind inaccurately expansive interpretations of foreign data protection laws places its cooperation credit at great risk.
In 2015, Leslie Caldwell, then head of the Criminal Division at the DOJ, stated that while ‘some foreign data privacy laws may limit or prohibit the disclosure of certain types of data or information’, the DOJ nonetheless will challenge what it perceives to be ‘unfounded reliance on these laws’ and encouraged companies to refrain from ‘making broad “knee jerk” claims that large categories of information are protected from disclosure’. The following year, Caldwell reiterated that the DOJ was leveraging its relationships with foreign enforcement partners ‘to obtain information when non-cooperative companies make invalid assertions about particular data privacy laws in an effort to shield themselves from [DOJ] investigations’. The DOJ’s FCPA Corporate Enforcement Policy now provides that ‘[w]here a company claims that disclosure of overseas documents is prohibited due to data privacy, blocking statutes, or other reasons related to foreign law, the company bears the burden of establishing the prohibition’, and that ‘a company should work diligently to identify all available legal bases to provide such documents’. As the then Deputy Assistant Attorney General Matt Miner stated in 2019, the DOJ’s ‘expectation is that a cooperating company will work to identify all available legal means to provide such evidence and, if the company determines that it is unable to provide such information, [the DOJ] will expect a detailed explanation as to why’. Most recently, a September 2022 memorandum authored by Deputy Attorney General Lisa Monaco stated: ‘Department prosecutors should provide credit to corporations that find ways to navigate such issues of foreign law and produce such records.’
This is not to say that companies should disregard or be cavalier with foreign data privacy laws. But counsel should look for solutions to this issue. Where potential strategies exist – even creative ones – for obtaining relevant documents that are located abroad, US authorities have clearly indicated they expect companies to pursue them to receive co-operation credit. This will almost always require coordination with skilled counsel in the relevant jurisdiction where the documents are located.
 Bruce E Yannett and David Sarratt are partners at Debevoise & Plimpton LLP.
 See Sarbanes-Oxley Act of 2002 § 307; 15 U.S.C. § 7245; 17 C.F.R. 205.3(b) 2021.
 See Securities Exchange Act of 1934 § 10A; 15 U.S.C. § 78j-1.
 See Holder Memorandum, Bringing Criminal Charges Against Corporations, Dep’t of Justice, Dep. Att’y Gen. Eric Holder (16 Jun. 1999). The DOJ recently emphasised that it closely evaluates corporate compliance programmes during investigations and after resolutions and gives ‘significant credit to companies that build strong controls to detect and prevent misconduct’. Assistant Attorney General Kenneth A Polite Jr Delivers Remarks at NYU Law’s Program on Corporate Compliance and Enforcement (25 Mar. 2022), available at https://www.justice.gov/opa/speech/assistant-attorney-general-kenneth-polite-jr-delivers-remarks-nyu-law-s-program-corporate. Additionally, the DOJ is considering requiring the chief executive officer and chief compliance officer to certify at the end of the term of corporate resolutions ‘that the company’s compliance program is reasonably designed and implemented to detect and prevent violations of the law . . . and is functioning effectively’, and in instances where a monitor is not imposed, the DOJ is also considering requiring the chief executive officer and chief compliance officer to ‘certify that all compliance reports submitted during the term of the resolution are true, accurate, and complete’. Id. The DOJ used such certification requirements in its recent resolutions with Glencore International AG, Glencore Ltd, and GOL Linhas Aéreas Inteligentes SA. See Assistant Attorney General Kenneth A Polite Delivers Remarks at the University of Texas Law School (16 Sep. 2022), available at https://www.justice.gov/opa/speech/assistant-attorney-general-kenneth-polite-delivers-remarks-university-texas-law-school.
 See Thompson Memorandum, Principles of Federal Prosecution of Business Organizations, Dep’t of Justice, Dep. Att’y Gen. Larry D Thompson (20 Jan. 2003); McCallum Memorandum, Waiver of Corporate Attorney–client and Work Product Protections, Dep’t of Justice, Acting Dep. Att’y Gen. Robert D McCallum (21 Oct. 2005); McNulty Memorandum, Principles of Federal Prosecution of Business Organizations, Dep’t of Justice, Dep. Att’y Gen. Paul J McNulty (12 Dec. 2006); Filip Memorandum, Principles of Federal Prosecution of Business Organizations, Dep’t of Justice, Dep. Att’y Gen. Mark Filip (28 Aug. 2008); Yates Memorandum, Individual Accountability for Corporate Wrongdoing, Dep’t of Justice, Dep. Att’y Gen. Sally Q Yates (9 Sep. 2015); Monaco Memorandum, Corporate Crime Advisory Group and Initial Revisions to Corporate Criminal Enforcement Policies, Dep’t of Justice, Dep. Att’y Gen. Lisa O Monaco (28 Oct. 2021) (2021 Monaco Memorandum).
 United States Department of Justice (DOJ), Justice Manual § 9-47.120 (updated Nov. 2019) (Justice Manual).
 Justice Manual § 9-47.120 n. 1. The revised policy also provides that a company must let the DOJ know ‘where the company is aware of relevant evidence not in the company’s possession’. For the purposes of determining the appropriate form of any resolution or prosecution, including any monetary penalties or compliance obligations contained in any corporate criminal resolution, the DOJ recently clarified that prosecutors should consider the corporation’s ‘timely completion of thorough investigations’, as well as ‘what investigation resources were in place to investigate suspected misconduct, and the nature and thoroughness of the company’s remedial efforts’. DOJ, Evaluation of Corporate Compliance Programs 1, 6, 14 (updated Jun. 2020).
 See 2021 Monaco Memorandum (noting that ‘to receive any consideration for cooperation, the company must identify all individuals involved in or responsible for the misconduct at issue, regardless of their position, status, or seniority, and provide to the Department all nonprivileged information relating to that misconduct’ and that ‘[t]his requirement includes individuals inside and outside of the company’); Dep. Att’y Gen. Lisa O Monaco Gives Keynote Address at ABA’s 36th National Institute on White Collar Crime (28 Oct. 2021), available at https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-gives-keynote-address-abas-36th-national-institute.
 See Monaco Memorandum, Further Revisions to Corporate Criminal Enforcement Policies Following Discussions with Corporate Crime Advisory Group, Dep’t of Justice, Dep. Att’y Gen. Lisa O Monaco (15 Sep. 2022) (2022 Monaco Memorandum) (‘[T]o receive full cooperation credit, corporations must produce on a timely basis all relevant, non-privileged facts and evidence about individual misconduct such that prosecutors have the opportunity to effectively investigate and seek criminal charges against culpable individuals.’). Conversely, ‘undue or intentional delay in producing information or documents – particularly those that show individual culpability – will result in the reduction or denial of cooperation credit’. Dep. Att’y Gen. Lisa O Monaco Delivers Remarks on Corporate Criminal Enforcement (15 Sep. 2022), available at https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-delivers-remarks-corporate-criminal-enforcement; see also 2022 Monaco Memorandum.
 Leslie R Caldwell, Criminal Division Launches New FCPA Pilot Program (5 Apr. 2016) (noting that ‘[i]f a company opts not to self-disclose, it should do so understanding that in any eventual investigation that decision will result in a significantly different outcome than if the company had voluntarily disclosed the conduct to us’).
 See Dep. Att’y Gen. Rosenstein Delivers Remarks at the 34th International Conference on the Foreign Corrupt Practices Act (29 Nov. 2017), available at https://www.justice.gov/opa/speech/deputy-attorney-general-rosenstein-delivers-remarks-34th-international-conference-foreign; Justice Manual § 9-47.120. The DOJ and Securities and Exchange Commission (SEC) have since noted that they both ‘place a high premium on self-reporting, along with cooperation and remedial efforts, in determining the appropriate resolution of FCPA matters’. DOJ and SEC, ‘A Resource Guide to the US Foreign Corrupt Practices Act’ (2d ed. 2020). For example, the DOJ recently declined to prosecute the World Acceptance Corporation for FCPA violations, citing the company’s ‘prompt, voluntary self-disclosure of the misconduct’ and its ‘full and proactive cooperation’. Letter Declining to Prosecute World Acceptance Corp. (5 Aug. 2020).
 See Letter Declining to Prosecute Barclays PLC (28 Feb. 2018) (stating: ‘The Department’s decision to close its investigation of this matter is based on a number of factors, including . . . Barclays’ timely, voluntary self-disclosure.’); see also Press Release, Dep’t of Justice, Three Portfolio Managers and Allianz Global Investors U.S. Charged in Connection with Multibillion-Dollar Fraud Scheme (17 May 2022), available at https://www.justice.gov/opa/pr/three-portfolio-managers-and-allianz-global-investors-us-charged-connection-multibillion (noting that the DOJ charged Allianz Global Investors US LLC with securities fraud in connection with a multibillion-dollar scheme allegedly perpetrated by three portfolio managers because, among other factors, the company ‘failed to self-report their crimes’).
 2022 Monaco Memorandum. The DOJ also announced it would ‘not require the imposition of an independent compliance monitor for a cooperating corporation that voluntarily self-discloses the relevant conduct if, at the time of resolution, it also demonstrates that it has implemented and tested an effective compliance program’. Id. But DOJ officials have warned that ‘companies with “substandard” compliance programmes that also do not self-report . . . will be at greater risk of prosecution’. Ana de Liz, ‘SDNY Official Outlines Approach to Charging Decisions’ (21 Sep. 2022), available at https://globalinvestigationsreview.com/just-anti-corruption/article/sdny-official-outlines-approach-charging-decisions.
 See U.S.S.G. § 8C2.5(g), cmt. 13 (2021); see also Deputy Attorney General Lisa O Monaco Delivers Keynote Remarks at 2022 GIR Live: Women in Investigations (16 Jun. 2022), available at https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-o-monaco-delivers-keynote-remarks-2022-gir-live-women (stating: ‘The math is simple: self-disclosure can save a company hundreds of millions of dollars.’).
 CFPB Bulletin 2020-01, Responsible Business Conduct (6 Mar. 2020).
 31 C.F.R. Part 501, Economic Sanctions Enforcement Guidelines (9 Nov. 2009).
 Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions, Release No. 34-44969 (23 Oct. 2001) (Seaboard Report). For example, the SEC accepted Gulfport Energy Corporation’s settlement offer and declined to pursue a civil penalty because of the company’s prompt remedial acts and significant co-operation with the SEC. Order Instituting Cease-and-Desist Proceedings Pursuant to Section 21C of the Securities Exchange Act of 1934, Making Findings, and Imposing a Cease-and-Desist Order, Release No. 91196 (24 Feb. 2021); see also SEC’s Fraud Case Against Silicon Valley-Based HeadSpin, Inc.’s Former CEO Is Ongoing, Litigation Release No. 25320 (28 Jan. 2022), available at https://www.sec.gov/litigation/litreleases/2022/lr25320.htm (announcing that the SEC ‘settled fraud charges without a penalty against HeadSpin, Inc., a private technology company that made significant remedial efforts in the wake of an internal investigation into misconduct by its now former CEO’).
 In rare circumstances, some facts will be so clearly unlawful on their face (e.g., if an employee is providing clearly and materially false information to investors) that the company should consider notifying the relevant law enforcement or regulatory authorities even before conducting a complete internal investigation, particularly where time is of the essence and, if appropriate, continue with the internal investigation in parallel.
 See, e.g., United States v. Ruehle, 583 F.3d 600, 606–12 (9th Cir. 2009) (statements made for the purpose of disclosure to outside auditors not privileged); Wultz v. Bank of China Ltd., 304 F.R.D. 384, 391 (S.D.N.Y. 2015) (documents generated during a company’s investigation were not privileged where the company failed to show that the documents were created at the direction of counsel for the purpose of rendering legal advice); see also In re Gen. Motors LLC Ignition Switch Litig., 80 F. Supp. 3d 521, 528 (S.D.N.Y. 2015) (noting that a company’s privilege claim was stronger because its investigation was conducted by outside counsel). In the United States, however, investigations conducted solely by in-house counsel may fall within the scope of the attorney–client privilege if they are carefully conducted. See, e.g., In re Kellogg, Brown & Root, Inc., 756 F.3d 754, 758 (D.C. Cir. 2014) (‘Upjohn does not hold or imply that the involvement of outside counsel is a necessary predicate for the privilege to apply.’). The extent to which an investigation conducted by in-house counsel outside the United States would be protected by privilege varies widely by jurisdiction.
 See In re John Doe Corp., 675 F.2d 482, 491 (2d Cir. 1982) (recognising that when corporate counsel finds evidence of criminality protected under Upjohn ‘the wiser course may be to hire counsel with no other connection to the corporation to conduct investigations’).
 For example, for a company to receive full credit for timely and appropriate remediation in FCPA matters, the DOJ expects companies to implement ‘appropriate guidance and controls on the use of personal communications and ephemeral messaging platforms that undermine the company’s ability to appropriately retain business records or communications or otherwise comply with the company’s document retention policies or legal obligations’. Justice Manual § 9-47.120; see also Principal Associate Deputy Attorney General Marshall Miller Delivers Live Keynote Address at Global Investigations Review (20 Sep. 2022), available at https://www.justice.gov/opa/speech/principal-associate-deputy-attorney-general-marshall-miller-delivers-live-keynote-address (‘[A] company’s ability to produce relevant work-related communications – whether on-system or off – will be an important factor in assessing a corporation’s cooperation during a criminal investigation.’).
 The Rules under the Health Insurance Portability and Accountability Act of 1996 generally require that covered entities enter into contracts with their business associates to ensure that the business associates will appropriately safeguard protected health information. See 45 C.F.R. Parts 160 and 164.
 In the civil context, ‘it is now black letter law that where the producing party wants to utilize TAR for document review, courts will permit it’. Rio Tinto PLC v. Vale S.A., 306 F.R.D. 125, 127 (S.D.N.Y. 2015). The DOJ has supported the use of technology-assisted review as a timely and cost-effective way to accomplish a document review in a criminal matter. See Cohen v. United States, No. 18-MJ-3161 (S.D.N.Y. 26 Apr. 2018), ECF No. 28.
 For example, a recent decision in the District of New Jersey held that where a company conveyed summaries of interviews to the government orally or in writing, the company waived privilege as to all memoranda, notes, summaries and other records of the interviews, as well as documents and communications whose contents were directly conveyed in the summaries or other presentations to the DOJ during its investigation. United States v. Coburn, No. 19-CR-120, 2022 WL 357217, at *7 (D.N.J. 1 Feb. 2022).
 In some cases, data privacy regimes can also apply to documents located within the United States if the data resides there in connection with the activities of a non-US entity. This is true, for example, of the European Union (EU) General Data Protection Regulation, which has extraterritorial effect in certain circumstances.
 See the EU General Data Protection Regulation adopted in April 2016, which came into effect on 25 May 2018 and superseded the EU Data Protection Directive (Directive 95/46/EC). Other notable data privacy laws include Brazil: General Personal Data Protection Law (Law 13,709/2018); China: the Personal Information Protection Law (Chairman’s Order No. 91); Hong Kong: Personal Data (Privacy) Ordinance (Cap 486); Japan: the Act on the Protection of Personal Information (Law No. 57 of 2003); and Russia: the Russian Federal Law ‘On Personal Data’ (No. 152-FZ).
 See, e.g., Austrian Labour Constitution Act (Arbeitsverfassungsgesetz (ArbVG)), Articles 91, 96 and 96a.
 Remarks by Principal Deputy Assistant Attorney General for the Criminal Division Marshall L Miller at the GIR Live conference, New York (17 Sep. 2014), available at https://www.justice.gov/opa/speech/remarks-principal-deputy-assistant-attorney-general-criminal-division-marshall-l-miller.
 Remarks by Assistant Attorney General Leslie R Caldwell at the Compliance Week Conference (19 May 2015), available at https://www.justice.gov/opa/speech/assistant-attorney-general-leslie-r-caldwell-delivers-remarks-compliance-week-conference.
 Remarks by Assistant Attorney General Leslie R Caldwell at the American Bar Association’s 30th Annual National Institute on White Collar Crime (4 Mar. 2016), available at https://www.justice.gov/opa/speech/assistant-attorney-general-leslie-r-caldwell-speaks-american-bar-association-s-30th.
 Justice Manual § 9-47.120.
 Remarks by Deputy Assistant Attorney General Matt Miner at the American Bar Association, Criminal Justice Section Third Global White Collar Crime Institute Conference (27 Jun. 2019), available at https://www.justice.gov/opa/speech/deputy-assistant-attorney-general-matt-miner-delivers-remarks-american-bar-association.
 2022 Monaco Memorandum (‘Conversely, where a corporation actively seeks to capitalize on data privacy laws and similar statutes to shield misconduct inappropriately from detection and investigation by U.S. law enforcement, an adverse inference as to the corporation’s cooperation may be applicable if such a corporation subsequently fails to produce foreign evidence.’).