Since 2007, the surge in Foreign Corrupt Practices Act (FCPA) cases has been among the most dramatic international enforcement storylines. In addition to the sharp increase in the number of FCPA cases filed each year—and the resulting fines—the Justice Department and the Securities and Exchange Commission now employ increasingly aggressive tactics in corruption investigations, including wiretaps and sting operations. These trends show no signs of abating. Assistant Attorney General Lanny Breuer recently indicated that he expects FCPA actions to expand and intensify in the years to come.
Whenever corruption allegations arise, companies must act fast to determine the veracity of the claims and the scope of the behavior in question. Time is of the essence, because self-reporting FCPA violations to the U.S. government has the potential to reduce any eventual penalties. But speedy investigations are often thwarted by foreign data protection laws that govern data privacy, corporate confidentiality and state secrets. In other words, companies can’t access or transfer regulated data to the U.S. that could either vindicate them or help ameliorate the consequences of violations.
Some large or high-risk companies have hired a dedicated data privacy counsel—a lawyer tasked with understanding the data laws in each of the countries in which the business operates. The best way to minimize regulatory entanglements is to understand the legal landscape and have a discovery plan prepared ahead of time. Companies that have prepared local discovery plans can move faster and more effectively to avoid local compliance violations and work around data restrictions where possible.
Such plans may require that e-discovery related document review occurs on-site to limit data transfer in line with local data protection laws. Performing document review on-site necessitates additional travel and logistical expenses but offers many advantages. Companies can quickly identify critical documents and determine which ones may require special treatment. In some cases, documents may be removed from the country with user consent. In other cases, companies may be able to file special applications with local governments to release documents. When obtaining the complete document is not possible, a local team can work with to perform redactions of regulated personal data while preserving information material to the case.