The Enemy Within

Association of Defense Counsel

White Paper

I. Introduction

The two quotes above are provocative because they turn standard logic on its head. The assumption of any nation is that its downfall, should it ever occur, will be the result of outside forces and influences. For this reason, history is full of empires and kingdoms that constantly sought to strengthen their respective fortresses and armies in anticipation of external foes. While important, such an approach does not necessarily take into account threats of a much different, and more intimate, nature.

Corporations tend to adopt a similar mindset in governing their own affairs. The focus is usually outward, primarily concerned about what information and data is released into the public domain. Thus, for example, companies devote significant resources to analyze the material contained in their financial disclosures, their responses to discovery requests, or the testimony of their corporate representatives. In modern times, whole teams are charged with carefully curating and monitoring every tweet and Facebook post bearing the company name. Rarely is such attention given to internal communications and operations.

Each day, companies develop and distribute countless documents and records that are never intended to be examined by the outside world. These can take the form of board minutes, compliance and risk management reports, or seemingly benign employee emails. The careful scrutiny applied to public materials is largely absent from their internal counterparts, which are mistakenly perceived to be secure. This disparity in treatment can have significant and unexpected consequences.

What many companies fail to realize is that information intended solely for in-house use can be utilized to devastating effect. Internal memoranda, reports, and emails can effectively become the centerpiece of a Department of Justice (“DOJ”) investigation, enforcement action, or criminal prosecution. In short, companies quickly realize in the course of one of these proceedings that their greatest liability was not the carefully cultivated statements and figures that they crafted and openly shared with the world, but rather the content created behind the scenes. Given the potential risks posed by the latter category, companies are wise to be proactive and ensure that they have taken appropriate steps to protect themselves from self-inflicted damage.

II. The Enemies We Know

Before discussing the enemy within, it makes sense to first mention a few of the most common external adversaries that companies face every day. These entities have a wide array of weapons at their disposal with the potential to upend their chosen targets. As such, companies should not pursue any course of action without first considering possible repercussions with the following actors.

The Department of Justice

The DOJ is arguably the most formidable outside opponent that a company will ever face. One of the primary reasons for this is the DOJ’s ability to use civil investigative demands (“CIDs”) to gain significant leverage over a company. The False Claims Act (“FCA”)[1] allows the DOJ to issue a CID where there exists “reason to believe that any person may be in possession, custody, or control of any documentary material or information relevant to a false claims law investigation . . . .”[2] CIDs are powerful, pre-lawsuit administrative tools whereby the government can collect documents, propound interrogatories, and conduct depositions.[3] Moreover, because CIDs are conducted prior to the filing of a lawsuit, the targeted entity does not get the benefit of conducting discovery that might undermine the basis for the CID.

The FCA underwent significant changes during the Obama Administration which subsequently gave the DOJ more flexibility to issue CIDs. This change happened on May 20, 2009, when Congress passed the Fraud Enforcement and Recovery Act of 2009 (“FERA”).[4] Previously, the Attorney General had to personally approve all CID requests; however, the FERA amended the FCA to allow lower-level officials within the DOJ (e.g., an individual U.S. Attorney) to issue CIDs.[5] As a result, government officials can now quickly pursue CIDs without having to navigate the lengthy process of obtaining the Attorney General’s permission.[6]

The FERA amendments to the FCA made a significant impact. In 2012, Tony West, the head of the DOJ’s Civil Division, estimated that it filed six times as many CIDs as before the FERA amendments.[7] Consequently, the Obama DOJ set a record for money recovered under the FCA in a single year,[8] and recovered $31.3 billion total under the FCA, or 60% of all funds claimed under the FCA during the last 30 years.[9]

Moreover, the DOJ has begun to team up with the Consumer Financial Protection Bureau (“CFPB”) to pursue actions against financial services entities.[10] On December 6, 2012, the DOJ and CFPB signed a Memorandum of Understanding to cooperate in the enforcement of federal fair lending laws.[11] By its own account, the CFPB hauled in $11.7 billion during its first five years of operation (2011 – 2016).[12] Together, these two entities have secured a number of multi-million dollar settlements against a variety of lenders and loan servicers.[13]

Beyond concerns with the DOJ’s increased use of CIDs and coordinated enforcement actions, the Department also issued new guidance in 2015 that prioritized prosecution of company executives.[14] This guidance came in the form of a September 9, 2015 memorandum, dubbed “The Yates Memo,” wherein Deputy Attorney General Sally Q. Yates declared, “One of the most effective ways to combat corporate misconduct is by seeking accountability from the individuals who perpetrated the wrongdoing.”[15] Of note, the Yates Memo directed DOJ attorneys to “focus on individual wrongdoing from the very beginning of any investigation of corporate misconduct.”[16] Moreover, the Yates Memo instructed that corporations should not receive credit for cooperating in an investigation if they did not turn over “all relevant facts relating to the individuals responsible for the misconduct.”[17]

Although the full implications of the Yates Memo are still unclear, it is certain that this new directive has transformed the manner in which the DOJ is pursuing its cases.[18] At the onset of investigations, the government is now communicating with corporations about executives of special interest, prompting defense counsel to present “Yates binders” containing documents and emails pertaining to the individuals in question.[19] One former Assistant U.S. Attorney observed that the Yates Memo is leading to increased cooperation between the different arms of the DOJ resulting in “a multi-faceted approach to individual culpability that each and every subject of an investigation should assume is being used to assure they are held accountable.”[20] In sum, due to this new DOJ strategy, company executives must take extra precautions to protect themselves, in addition to their respective corporations.

The Securities and Exchange Commission

The Securities and Exchange Commission (“SEC”) also commands extensive regulatory powers that can cause serious issues for companies. All publicly-traded companies must disclose their financials through quarterly and yearly forms (e.g., 10-Q, 10-K, and 8-K forms) as well as offering documents to investors.[21] Within their 10-Q and 10-K forms specifically, companies are required to disclose “any known trends or uncertainties that have had or that the registrant reasonably expects will have a material favorable or unfavorable impact on net sales or revenues or income from continuing operations.”[22] In other words, the SEC requires disclosure of known uncertainties regarding potential returns of product and risk to future income.[23] Inaccurate reporting on these disclosures can lead to cease-and-desist proceedings from the SEC as well as significant civil penalties.[24] As evidence of the SEC’s intent to wield its powers, during the 2016 Fiscal Year, the SEC filed a record 868 enforcement actions and obtained judgments and orders totaling more than $4 billion in disgorgement and penalties.[25]

The Food and Drug Administration

One last agency that poses external threats to the companies that it regulates is the Food and Drug Administration (“FDA”), particularly with the authority that it commands under the Food, Drug, and Cosmetic Act (“FDCA”).[26] Of special concern to pharmaceutical companies is the prospect of facing an FDA charge of “off-label” drug use or promotion. Under the FDCA, a company is required to specify the intended uses of a product in its new drug application to the FDA.[27] In turn, “intended use” is defined as “the objective intent of the persons legally responsible for the labeling of drugs.”[28] Once a new drug is approved, it may not be marketed for “off-label” uses—i.e., any use not specified in the application cleared by the FDA.[29] Promotion of off-label uses can lead to serious action from the FDA, including civil and criminal liability.[30]

Private Litigation and Customer Complaints

Lastly, beyond concerns of facing punishment from government agencies, companies would be remiss to ignore the overarching threat of negative publicity posed by private litigation and customer complaints. Adverse judgments can harm a company’s reputation within a community and help develop a “pattern or practice” of wrongdoing that can be used to find liability and justify increased damages in subsequent litigation. Negative social media reviews or news coverage, meanwhile, can steer business away and stereotype the company as untrustworthy. Accordingly, while neither of these adversaries cuts quite as imposing a figure as the agencies mentioned above, their cumulative effect can be just as threatening.


III. Identifying the Enemies Within

As many companies have unfortunately learned, the destructiveness of the “enemies at the gate” discussed above stems in large part from the influence of the enemies within. In other words, without the aid of a company’s enemies residing internally, external foes would not be nearly as effective. Ironically, the company itself becomes the outside foe’s greatest asset in obtaining an adverse result. The commentary below identifies a company’s most common internal enemies and showcases how outside opponents can manipulate them to their advantage.

Risk Management and Compliance Departments

Companies utilize risk management and compliance departments to ensure that potential business risks are properly evaluated, and that internal protocol lines up with regulatory requirements and is being effectively followed. While these departments have unique roles, they are increasingly merging as companies understand that compliance should be viewed as an aspect of risk management,[31] and that “the effectiveness and efficiency of an organization’s compliance efforts are dependent upon the quality of the risk assessment process.”[32] That said, while the combined aims of these departments are essential, there can be significant liability in their execution.

A key component of any properly-functioning risk management or compliance department is to “blow the horn” when they encounter a potential issue. While this type of vigilance is important for company health, it can also lead to some highly problematic results. First, information is distributed to too many individuals who do not need it. Rather than limiting their reports to a tightly-controlled arena, risk management and compliance teams have a tendency to cover their bases and copy a plethora of individuals up-and-down the chain of command on their communications. Second, within their communications, these teams may not be precise with their wording, incidentally overstating or mischaracterizing identified problems. This effect can be compounded where non-lawyers incorrectly interpret the law or employ legal terminology in an inexperienced manner. Lastly, risk management and compliance teams frequently identify problems without the requisite follow-up needed to solve them. This breakdown can lead to the same problems repeatedly being raised in quarterly and annual reports with no clear solution implemented to address them. Consequently, the company appears to be willfully ignoring a known problem rather than taking corrective actions.

Over the last several years, government agencies have grown skilled in exploiting these defects. For instance, the DOJ has repeatedly used CIDs to amass company risk management reports that it subsequently turns into a damning statement of facts that forces settlement.[33] In one example, the DOJ was able to secure a large settlement against an investment firm by using its own due diligence reports to show that the firm was knowingly issuing various residential mortgage-backed securities in violation of accepted underwriting guidelines.[34] To make matters worse, the firm’s due diligence manager informed his superior of the loosening of these underwriting guidelines via two different memoranda over two consecutive years; however, no action was taken.[35] In another DOJ CID, the DOJ found that a bank’s internal reviews revealed multiple instances of borrower fraud and misrepresentations about borrower credit in connection with loan originations; nevertheless, the bank did not take steps to remedy these issues.[36] Lastly, the DOJ garnered a large settlement with an automobile manufacturer after internal engineering reports repeatedly showed evidence of product defects that were “high risk,” “critical,” and a “safety issue.”[37] Despite the information contained within these reports, the manufacturer failed to make proper disclosures and even issued a directive to its engineers to not implement design improvements as it wanted to avoid the impression “that we have admitted having defective vehicles.”[38]

Similarly, the FDA has successfully prosecuted pharmaceutical companies for “off-label” promotion largely based on internal memoranda discussing the negative results of a drug’s clinical trials.[39] In one instance, a pharmaceutical company noted in a monthly report that a drug’s studies had been “disappointing” and could not support a finding that it was effective in treating childhood depression.[40] Despite these findings, the report stated that it would be “commercially unacceptable to include a statement that efficacy had not been demonstrated” as it would significantly undermine the drug’s profile.[41] The company proceeded to market the drug for this “off-label” use and ultimately paid a significant fine.[42]

Finance and Accounting Departments

A company’s finance and accounting departments are largely responsible for managing a company’s books and financial audits, and ensuring that financial controls are properly maintained and followed. Additionally, these departments oversee both a company’s internal and external financial reporting. Significant issues can arise when the former does not comport with the latter.

Companies run into trouble when they internally discuss uncertainties or risks that may affect their financial health without subsequently disclosing that information to investors and the SEC via 10-K, 10-Q, and 8-K forms. This is because publicly-traded companies are obligated to report material events and information “that would cause reported financial information not to be necessarily indicative of future operating results or of future financial condition.”[43] Accordingly, finance and accounting departments must avoid internally discussing trends or uncertainties that will affect the company share price while neglecting to report the same in external disclosures.

Should a disparity between internal and external reporting exist, the SEC can use it as prima facie evidence of a violation of the Securities Exchange Act.[44] For example, the SEC filed a cease-and-desist order against a bank where the bank failed to disclose its financial forecasts regarding an increased amount of contested foreclosures that could result in significant loss.[45] Consequently, the bank’s failure to report what it internally dubbed an “emerging risk” resulted in large fines.[46]

Employee Communications

The last of the enemies within is the most ubiquitous, and, while seemingly innocuous, arguably poses the greatest risk to a company’s well-being. Every day, countless emails are traded between colleagues, discussing subjects that range from the mundane to the highly sensitive. Although employees are repeatedly trained to be thoughtful with their emailing, the convenient, informal, and instantaneous nature of electronic mail continues to make it the forum of choice for conversations that may be better held in person.

Before highlighting examples of problematic email content, it is worth discussing flaws with employees’ email practices in general. First, there is a tendency in the corporate sphere to carbon copy an excessive number of individuals. Not only does a large group of recipients tend to compromise confidentiality, it also provides regulatory agencies and private litigants with more targets to question and investigate. This means that the company will potentially have to hire separate legal counsel for each person copied to avoid potential conflicts that may arise. Second, employees are too liberal in copying legal counsel on emails. They mistakenly believe that the attorney-client privilege will protect their communications, even where the employees are not explicitly seeking legal advice. Unless attorney-client privilege is tightly monitored and relates to legal questions, the government or private plaintiffs may be able to overcome an asserted privilege and access candid statements made under a false sense of security.

Turning to the actual emails themselves, damaging statements can quickly become “Exhibit A” in a CID or other regulatory action. While examples unfortunately abound, the following illustrations provide a good sampling of realistic emails that employees might send in any given day. In one case, the DOJ initiated a CID that uncovered an email where an investment firm’s employee wondered why he needed to review mortgage loans when the firm “is going to keep them regardless of issues? . . . Makes you wonder why we have due diligence performed other than making sure the loan closed.”[47] In another DOJ CID involving mortgage fraud, the government relied on a bank employee’s email where he stated that he “went thru the Diligence Reports and think that we should start praying . . . I would not be surprised if half of these loans went down.”[48] Turning to a different case, the DOJ highlighted an email from an auto manufacturer’s employee praising the company for successfully avoiding a recall of potentially dangerous vehicles and thereby saving over $100 million in “unnecessary costs.”[49] The defect in these vehicles caused multiple deaths soon after.[50] Finally, in a lawsuit against a pharmaceutical company, the FDA cited communications from executives recommending that a dementia drug be promoted as safe for elderly patients, despite studies to the contrary.[51] The primary justification for this decision was that the drug was “the foundation” of the company’s “[long-term care] portfolio.”[52]

In summary, all of these emails share a common thread—they painted the companies involved in an extremely negative light and helped secure a finding of liability for each one.

IV. Defeating the Enemy Within

Although the enemies within pose a serious threat, they are not impervious to defeat. That said, it is not enough for a company to merely identify where it is susceptible to attack. Fortunately, there are practical, proactive steps that companies can immediately pursue to safeguard themselves and prevent future harm.

First, companies should prioritize increased communication between their legal departments or outside counsel, and their risk management and compliance teams. In most companies, there is a divide between legal and risk/compliance departments as the former would generally prefer to limit communications and the latter would like to ensure that their reports are comprehensive and reach a sufficiently broad audience. Although this tension is inherent in any company, these departments can work to strike an appropriate balance and add significant value to their companies if they work together to identify, contain, and solve problems. In that vein, attorneys should frequently review reports from the risk and compliance groups to ensure that the company is not inadvertently creating exposure for itself. Further, a company’s legal team can greatly assist with refining the language, legal or otherwise, included in reports.

Second, companies should invest appropriate resources in training their employees in best communications practices. As part of this effort, a company should “Mirandize”[53] all of its employees and inform them that anything they put in an email can, and will, be used against the company in a court of law. In light of this, companies should stress that employees should never state in an email that “we broke the law” or “we violated company policy.” If employees are concerned about potential issues, they should immediately meet with the legal department before raising a potentially false alarm and memorializing it in a written report. Lastly, companies must educate their employees about the limits of the attorney-client privilege. Employees need to know that carbon copying a lawyer does not automatically exempt their emails from discovery. Indeed, the privilege is only guaranteed where an employee is specifically seeking legal advice, and not where the employee is merely referencing legal concepts or seeking a business opinion. Although some of these suggestions appear intuitive, their consistent implementation remains a challenge for many companies, leaving them open to the possibility of severe financial repercussions.

Continuing on this theme, companies should institute a clear chain of communication for the types of issues that they routinely face. To prevent the intermittent copying of numerous individuals, companies should provide employees with clear direction as to which departments and individuals need to be included in any given situation. This will help contain sensitive issues and limit the ability of the government and private litigants to go on a fishing expedition. Additionally, given the influence of the Yates Memo, companies should have clear escalation procedures to avoid needlessly involving company executives and making them a target for a potential DOJ investigation.

Finally, companies must strive to close the gap between the identification and resolution of problems. Risk management and compliance reports quickly turn harmful when the problems that they identify remain unaddressed. In such a scenario, these reports, often submitted for consecutive years to little effect, condemn a company by showing that the company (1) had actual knowledge of the issues in question; and (2) did nothing to cure them. To avoid this outcome, companies should direct their risk and compliance departments to only memorialize an identified problem once they have developed a tangible solution to the same. This solution should also contain an estimated completion date, as well as scheduled check-ins at appropriate intervals. In this way, companies can show regulators that they are actively addressing problems rather than letting them languish from year to year.

V. Conclusion

As noted by the proverb at the beginning of this paper, if a company can overcome the enemies within, it stands a much greater chance of prevailing against its external foes. With the changing of the presidential administration, however, companies may be tempted to delay adopting the strategies recommended above. This is likely because President Trump has promised, “We think we can cut regulations by 75 percent, maybe more.”[54] And while Trump’s DOJ may be less aggressive than its predecessor during the Obama Administration, companies are still wise to look inward and invest the necessary resources to make changes. The Yates Memo is a prime example of why. As Sally Yates commented before her termination, she believes that her eponymous memo will persist as there are multiple investigations in the pipeline impacted by the memo’s guidelines.[55] Further, some individuals argue that Trump will continue to follow the memo due to his tough stance on anti-corruption, assisted by former prosecutor, and current Attorney General, Jeff Sessions.[56] In any event, companies should not find any reason to ignore their internal enemies, because such neglect all but guarantees a stinging defeat.

[1] 31 U.S.C. §§ 3729 - 3733.

[2] 31 U.S.C. § 3733(a)(1).

[3] Id.

[4] Pub. L. 111-21, 123 Stat. 1617 (2009).

[5] Marcia Coyle, Fears Rise Over New Fraud Law, NAT’L L. J. (May 25, 2009); see also 31 U.S.C. § 3733(a)(1).

[6] See id.

[7] William C. Athanas & Jennifer L. Weaver, What to do When the Government Asks for Everything: Strategies for Healthcare Companies to Negotiate the Scope of Civil Investigative Demands in False Claims Act Investigations, American Bar Association Health eSource.

[8] The U.S. Department of Justice obtained a record $5.69 billion in settlements and judgments from civil cases involving fraud and false claims against the government in the fiscal year. U.S. Department of Justice, Justice Department Recovers Nearly $6 Billion from False Claims Acts Cases in Fiscal Year 2014 (Nov. 20, 2014).

[9] U.S. Department of Justice, Justice Department Recovers Over $4.7 Billion from False Claims Act Cases in Fiscal Year 2016 (Dec. 14, 2016).

[10] U.S. Department of Justice, Justice Department and Consumer Financial Protection Bureau Pledge to Work Together to Protect Consumers from Credit Discrimination (Dec. 6, 2012).

[11] Memorandum of Understanding Between the Consumer Financial Protection Bureau and the United States Department of Justice Regarding Fair Lending Coordination (Dec. 6, 2012).

[12] Consumer Financial Protection Bureau, Consumer Financial Protection Bureau: Enforcing Federal Consumer Protection Law (July 2016).

[13] E.g., U.S. Department of Justice, Justice Department and Consumer Financial Protection Bureau Reach $169 Million Settlement to Resolve Allegations of Credit Card Lending Discrimination by GE Capital Retail Bank (June 19, 2014); Id., Justice Department and Consumer Financial Protection Bureau Reach $98 Million Settlement to Resolve Allegations of Auto Lending Discrimination by Ally (Dec. 20, 2013).

[14] Matt Apuzzo & Ben Protess, Justice Department Sets Sights on Wall Street Executives, N.Y. Times (Sept. 9, 2015).

[15] Memorandum from Deputy Att’y Gen. Sally Quillian Yates, Individual Accountability for Corporate Wrongdoing (Sept. 9, 2015).

[16] Id.

[17] Id.

[18] Rachel K. Paulose, 1 Year After Yates Memo: Measuring Its Impact, LAW360 (Oct. 11, 2016).

[19] Id.

[20] Brandon K. Essig, Yates Memo Thoughts for Compliance Professionals: The Scope of Risk May Be Broader than You Think, LinkedIn (Mar. 3, 2017).

[21] See 15 U.S.C. § 78m.

[22] 17 C.F.R. § 229.303.

[23] Panther Partners Inc. v. Ikanos Commc’ns, Inc., 681 F.3d 114, 122 (2d Cir. 2012).

[24] 15 U.S.C. § 78u-2.

[25] Securities and Exchange Commission, SEC Announces Enforcement Results for FY 2016 (last visited Mar. 12, 2017).

[26] See 21 U.S.C. § 301 et seq.

[27] 21 U.S.C. § 355(a).

[28] 21 C.F.R. § 201.128.

[29] See 21 U.S.C. §§ 331(d), 355(a), (b), (d); 21 U.S.C. §§ 331(a), 352; 21 U.S.C. § 321(p).

[30] As illustration of this, GlaxoSmithKline, LLC was forced to pay $3.1 billion in 2012 to resolve its criminal and civil liability arising from the company’s “off-label” promotion of certain prescription drugs. U.S. Department of Justice, GlaxoSmithKline to Plead Guilty and Pay $3 Billion to Resolve Fraud Allegations and Failure to Support Safety Data (July 2, 2012).

[31] Rachel Wolcott, Time to Merge Risk Management and Compliance?, Reuters (Apr. 5, 2012).

[32] A Chief Compliance Officer’s Role in Risk Management, Enterprise Risk Management Institute (Oct. 26, 2015).

[33] See, e.g., U.S. Department of Justice, Bank of America Corporation Statement of Facts.

[34] See id. at Merrill Lynch – RMBS (pp. 2 – 6).

[35] Id. at 5.

[36] U.S. Department of Justice, JPMorgan Statement of Facts, Annex 1 to JPMorgan Settlement Agreement.

[37] U.S. Department of Justice, Toyota Statement of Facts.

[38] Id.

[39] See, e.g., United States ex. rel. Greg Thorpe, et al. v. GlaxoSmithKline, PLC and GlaxoSmithKline, LLC, Case No. 11-10398-RWZ, United States’ Complaint (D. Mass., Oct. 26, 2011).

[40] Id. at 6.

[41] Id.

[42] 7.

[43] 17 C.F.R. § 229.303.

[44] See, e.g., Securities and Exchange Commission, In the Matter of Bank of America Corporation, Order Instituting Cease-And-Desist Proceedings Pursuant to Section 21c of the Securities Exchange Act of 1934, Making Findings, and Imposing Cease-And-Desist Order and Civil Penalty.

[45] See id.

[46] See id.

[47] Merrill Lynch – RMBS, supra note 30, at 3.

[48] U.S. Department of Justice, Citigroup, Inc. Statement of Facts.

[49] Toyota Statement of Facts, supra note 33, at 3.

[50] See id.

[51] United States of America ex rel. Victoria Starr v. Janssen Pharmaceutica Products, L.P., Case No. 04-cv-1529, United States’ Complaint in Intervention (E.D. Pa. Nov. 4, 2013).

[52] Id. at 14.

[53] See Miranda v. Arizona, 384 U.S. 436, 444 (1966) (landmark Supreme Court case holding, amongst other things, that police must inform persons of their right to invoke the Fifth Amendment and remain silent).


[54] Adam Edelman, Trump Kicks off First Week in Office with Exec Order on Trade and Vows to Cut Regulations by ‘75%, maybe more’, N.Y. Daily News (Jan. 23, 2017).

[55] See C. Ryan Barber, DOJ’s Sally Yates is ‘Optimistic’ Trump Won’t Trash Namesake Enforcement Memo, NAT’L L. J. (Nov. 30, 2016).

[56] James E. Connelly, Trump Administration Likely to Maintain Yates Memo Priorities on Corporate Wrongdoing, MONDAQ (Feb. 28, 2017).