In conversation: Robert Jett, Chief Privacy Officer, Crawford & Company

I have been working on data privacy since before it was a recognised area of law. When I started out, what is now understood as privacy was part of a company’s compliance programme and fell to its compliance officers. Of course, privacy still falls under compliance, but it has become a unique feature of the compliance programme.

To oversimplify things for the sake of making a point, privacy is just compliance with an IT flavour, and it is something I have been giving presentations on to boards of directors and executive management for over a decade.

It’s funny, because I still have a compliance-based approach. I come to the meetings with only four slides. At first, everybody looks at me like I am out of my mind, but they soon understand that we don’t need many more to understand what privacy is all about.

Essentially, privacy in an organisation can be reduced to four fundamental questions: Which data are we collecting? Why are we collecting it? What are we doing with it? And finally, where does it go to die?

In reality, privacy and compliance programmes have to be a lot more detailed, of course, but at the end of the day, if a company can effectively answer these four “Ws”, I would argue that it has a very robust programme.

While the fundamentals of privacy have stayed the same, the environment businesses operate in has not. In particular, the general public is becoming more aware of privacy issues, and the last of the four “Ws” has taken on a new importance. Companies cannot keep data forever and they must find ways to get rid of the data they do not need in a secure manner. Businesses must also remember that security is always key when it comes to privacy. If you’re storing data in the cloud then to a large extent you are relying on a third-party. The quality of its controls and server management may be exceptional, but it is a potential gap in your security.

As chief privacy officer, I work with the chief information security officer daily. Together, we have built an incident response plan for privacy and another for security, but the two are intertwined. My management agreed to it because we demonstrated that cybersecurity breaches are, almost invariably, a threat to privacy. That’s why I would advise counsel to always take the two threats together. You rarely discover one without the other.

Technically speaking, security has improved a lot in the last twenty years. We have created automated tools that can support anyone’s privacy policies. So much that nowadays, most ransomware attacks are due to human failure or insiders. The old approach of making a brute force attack on a server typically does not work anymore. Consequently, the bad people have gone back to tried-and-true technics, like spear phishing, which lead to attacks that take advantage of social behaviours.

I have seen an 80% increase in phishing attacks in the past few years and it has gotten even worse since the beginning of the pandemic. These are often very targeted and very well thought-out from a social engineering perspective. Hackers know that we work and live on our computers and smartphones, and it just takes one careless mistake form an employee for them to download IDs and then access all or part of your system. It is a little scary, and board members are generally very worried about phishing, but privacy professionals are here to help.

I have been tracking what may happen, during and after the pandemic, as regards to medical records. Form a privacy point of view, they have always been sacrosanct, and I think that we are going to start seeing that peel back a bit.

In the US, there has been a lot of hue and cry over vaccinations because there is this tension between the Occupational Safety and Health Administration’s requirements and the level of security that is reasonable to expect from companies. Employers have an obligation to maintain a safe workplace.
This includes protecting people from airborne diseases. Therefore, for them to carry out their duty, they should be allowed to inquire if their employees have been vaccinated against Covid.

These things have never really been allowed in our modern societies, so the ways in which this will play out should be of interest to every privacy professional and general counsel.

In conversation: Alex Tovitz, General Counsel, AbleTo Inc.

Alex Tovitz

The intersection of technology and health is truly fascinating. AbleTo, a leading provider of virtual behavioural healthcare, proves there is a hugely important role for technology to play in providing healthcare, but working out the right blend of technology and in-person connection is an important aspect to the successful delivery of this care.

Our technology can be used to assist people in finding the right therapy and programmes, and when it comes to behavioural healthcare people’s reliance on technology is only going to increase. Our telehealth tools strengthen the relationship between our therapist and our patients in a safe digital space.

Our services consist of a number of licensed therapists that provide virtual behaviour therapy to individuals and businesses. During the pandemic our company grew significantly. The strain of lockdown caused many people to turn to online health services in a way we had never seen before.

Given the centrality of tech to our offering, it is no surprise that our work in the legal team is also heavily reliant on technology to deliver service to the business. For example, we have been working with a number of vendors to implement a new contract management platform. Making all contract work digital will be our next step as a growing organisation.

We also operate a very distributed legal team, with professionals based everywhere from Florida to Texas and upstate New York. To be efficient with that set-up you need to coordinate effectively, and tech tools – even fairly simple ones like Google Docs – are essential in allowing the team to share documents and stay connected.

However, it is the not so simple tools that offer the most exciting possibilities. When I first started practicing law over 20 years ago, I could not have predicted where we are today when it comes to legal technology. The legal tech space is growing and there is really a wealth of options on the market now.

For any lawyer that is midway through their career, getting comfortable with technology and change is very important. I started my career in litigation and a large part of the job was manually looking up case law. A lot of what I did was stamping, numbering and producing documents. Just last year I was handling some legal matters and I could see how much legal tech has made the practice of law more streamlined and efficient.

This pace of change will continue and it will have a transformational impact on in-house teams. While artificial intelligence has been hyped for a long time, it is clear that practical applications now exist. Certainly, algorithms are being created that not only assist with contract management, but also generate basic legal advice. It is inconceivable that such tools will not be used to help improve team efficiency over the coming years.

Another interesting emerging technology is blockchain, AI and smart contracts. How quickly these spaces develop are yet to be determined. Nevertheless, I believe legal technology is bound to change the practice of law within the next ten years. Attorneys – including myself – should continue to embrace the change that comes with legal tech.

This is a potential danger for the career stability of lawyers – after all, in an already crowded market the last thing a lawyer wants to hear is that technology will make large parts of the job redundant. However, for general counsel, and perhaps also for professional advisers of all kinds, it is an intriguing opportunity.

If tech can be used to reduce administrative work, and all the signs are that it can be used very effectively to do this, then more time can be spent on legal analysis and strategic legal work. Any form of technology that helps lawyers represent their clients more effectively and efficiently should be embraced. This is where I see legal technology making the biggest impact.

One of our top priorities at AbleTo when it comes to technology is privacy and protecting the health data of our users. Making sure we have the right privacy infrastructure is not only a legal imperative, but also a business one. Our participants share very personal data on our platform, and we work very hard to ensure it remains private and secure. I have a dedicated chief privacy officer who works to ensure this data remains secure. We also need to make sure we are compliant with all national and state laws when it comes to data protection.

Ritankar Sahu, General Counsel and Head of Compliance, MAXpower Group

I serve as the general counsel & head of compliance of MAXpower Group, Asia’s leading gas to power specialist and a key developer, owner and operator of small-to-medium gas-fired power plants. I also sit on the Board of the MAXpower-Mitsui & Co., a joint venture which operates a separate group of power assets in Myanmar. In addition to providing strategic business governance counsel to the Board, my work involves advising on power projects, turnaround management, FCPA enforcement and special situations M&A. Prior to joining MAXpower, I was the regional corporate counsel for Jacobs Engineering Group’s Asia operations, based in Singapore and Mumbai. I have also worked for Norton Rose Fulbright, at the firm’s London and Abu Dhabi offices with a practice focus on energy projects.

For MAXpower, white-collar crime exposure means unfavourable exposure to laws on bribery, sanctions, export control, anti-money laundering, internal controls, audit standards violations, etc. The potential breach of certain anti-bribery legislation like the US Foreign Corrupt Practices Act 1977 (FCPA) or the UK Bribery Act 2010 (UKBA) may pose a greater risk than others. The FCPA is the single biggest legislation affecting anti-bribery compliance programmes globally. The complexity of the application of the FCPA (or the UKBA) is that it is not dependent upon the existence of any contractual arrangements that a company may have in place. We have to engage in an extensive dialogue across all ranks of employees to socialise our exposure.

The biggest FCPA concern in emerging markets is pressure to pay. We try to tackle both the supply and demand side (more so under kleptocracies) of the bribery problem through a concentrated effort of top-level leadership, tone in the middle, a robust code of conduct, a tactical internal conduct code training process, ground-level determination, and ingenuity. We also try to convey the message to employees that penalties for non-compliance are severe, including imprisonment, unlimited fines (typically fixed at tens or hundreds of millions of US dollars), debarment from public procurement contracts, company director disqualification, asset confiscation, disgorgement of profits, adverse reputational consequences and substantial legal costs. To have greater impact, our training materials focus on figures (i.e. potential economic disruption) and flesh and blood references from past individual prosecutions.

The four broad components of a successful compliance programme consist of an analytical enterprise-wide risk management framework taking operating environments into consideration, broad institutional assent from participants, control structures within which the leadership can act to stem breaches, and monitoring by independent specialised actors. As general counsel, I play the independent monitoring role. We train our senior leadership to comprehend (with the understanding that the message will flow down) that in the case of foreign laws and regulations like the FCPA, a subject company has no means to contract out of potential liability.

‘Pre-conceived notions of what actually constitutes “misconduct” can also impact compliance efforts.’

Extra-territorial laws (like the FCPA) lack public assent in most emerging markets, which adds to compliance challenges. Pre-conceived notions of what actually constitutes ‘misconduct’ can also impact compliance efforts. Through our bespoke training and targeted employee engagement processes, and try to challenge such countervailing social norms. We also try our best to secure workforce assent to the compliance programme and aim for an institutionalised acceptance of the bribery and graft problem. As general counsel, I know that what may work for the developed world will not always work for emerging markets, and hence we deploy a risk-based approach. We, as a company, also realise that an eco-system of zero corruption is an illusion.

It is often the case with general counsel (no different in my case) that their formal authority falls far short of their responsibility, and their success is dependent on others outside their own chain of command. Therefore, general counsel (who also have responsibility for compliance) need to be a jack of all trades and be savvy enough to drive through crucial compliance controls. The right relationships inside a company (including by having the CFO and the Head of Procurement on speed dial) are very important.

As part of our corporate messaging, we also highlight that business conduct training is simply not moral rhetoric, but that breaches of applicable law can cause major economic disruption leading to loss of jobs, amongst other real-world consequences. The company leadership has also committed to encouraging reporting mechanisms of potential violations by offering a sense of assurance to employees that no retaliation will occur, subtle or overt, to ensure that employees feel safe to report concerns. We also realise that inconsistent moral messaging can be confusing for employees if legally enshrined moral principles (or organisational value systems) conflict with their own socio-cultural beliefs, as shaped by local standards and ways of doing business. We are conscious that a sound code of conduct crafted with the right ethical considerations will boost the company’s long-term competitiveness.

It is also important to realise that strategic legal or compliance personnel are not hired to be ‘liked’. Companies should remember that such personnel need to be respected as a voice of authority by employees of all ranks. In most listed companies, the chief compliance officer acts as an assurance for the public that the company is a good corporate citizen. Good compliance credentials will help in building public trust for the company.

Year on year, the world grows more tech-savvy. Most large in-house departments already use AI or automation tools in some form, and it does result in cost savings. From a white-collar crime angle, it is important to mention that the Criminal Division of the US Justice Department (DOJ) updated its memo on evaluation of compliance programmes in June 2020; this is a good reference document from a prosecuting agency setting out expectations on what a robust compliance programme should look like. The new subsection on access to data stresses the DOJ’s recognition that data access and monitoring is critical to the proper functioning of a compliance programme. Data analytics can help determine whether compliance failures are systemic or more aberrational. Such data can also help a company monitor investigations and discipline to ensure consistency, which the memo suggests is part of a compliance programme’s effectiveness. The focus on data analytics is thus a good indication that AI, machine learning and automation tools will play a more significant role in legal and compliance functions in the years to come.

Oliver Jaberg, Deputy Chief Legal & Compliance Officer and Director of Integrity & Anti-Doping, FIFA

Generally speaking, there is a trend with political and public pressure continuing to drive significant changes in white-collar law enforcement throughout the world. In my opinion, it is important for in-house counsel to be on top of things in this area and particularly when it comes to advising our internal clients with the view to mitigate risk. In particular, recent developments in relation to the COVID-19 pandemic have put a lot of pressure on colleagues at the forefront. We deem that it is our duty as in-house counsel to provide practicable legal advice to the business, and at the same time adequately addressing the legal and compliance risks.

Our first aim has always been to help our internal clients and members make decisions that are in line with the applicable regulatory framework. This includes policies relating to ethical conduct such as – in our case – the FIFA Code of Ethics and the FIFA Code of Conduct. We aim to provide them with the knowledge and tools needed to identify legal risks in advance and make decisions that adequately address these risks.

In sports, when it comes to integrity and compliance, I always tell our clients – which include players, referee officials and other stakeholders – that it is usually too late when we need to open investigations into alleged violations of rules safeguarding the integrity of sports. When we have to investigate misconduct, the damage is already done. So, with efficient, proactive and preventative measures, such as training, online awareness campaigns and so on, we can ensure that all those concerned know what the rules are, and are able to avoid – as much as possible – things going wrong. However, when things go wrong, it is also key that we ensure that issues are addressed in a timely and thorough manner and that we bring to justice those who don’t play by the rules and who are responsible for bringing our sport into disrepute.

Football, similar to many other aspects of business life, is not exempt from the risks of bribery and corruption. We have seen that different individuals and companies who have been involved in football have been found guilty, amongst other things, of bribery and corruption. In that respect, it is very important to have the right tools in place, including the right regulations and processes to address risks. Equally, it is important to learn from mistakes that have been made in the past and to avoid making the same mistakes again.

FIFA has undergone a very thorough and comprehensive governance reform process over the past years with the aim of addressing certain deficiencies that were discovered. As an example, we have strengthened and formalised our compliance function. We have further strengthened the system of checks and balances, including the implementation of terms of office, and segregation of powers of the different bodies of the organisation. Also, we have strengthened the function of our audit and compliance committee, which consists mainly of independent members. We have established a confidential reporting system or whistle-blower hotline in order to encourage a culture of speaking up and flagging wrongdoing, as it is discovered. We have established eligibility checks including integrity and background checks for all of FIFA’s committee members. We have further strengthened the processes in the context of the funds we invest to develop the game of football. We have enhanced our processes when we check on the service providers and third party vendors with whom we do business. We have also massively revamped our bidding processes for FIFA competitions, including the FIFA World Cup and the FIFA Women’s World Cup. We have also amended our policies to make them more user-friendly and relevant in everyday business transactions. These are only a few examples, but all this was, amongst other reasons, also done to strengthen our position in terms of anti-corruption and anti-bribery.

‘We have a paramount responsibility to do whatever we can to best protect the integrity of our game.’

When focusing on the game of football, we see that match-fixing and doping are highly complex problems that require very stringent processes. Of course, the actions committed by the perpetrators concerned are also corrupt conduct, and here specifically in the context of sports, such corrupt and illegal actions go against the very essence of the game; the integrity of the sporting competition is destroyed, as is with the case with the use of doping. But what is more, if the unpredictability of the sporting result is jeopardised, the sport is basically deprived of its very essence, which is not to know in advance of a competition who the winner will be. If this element is lost, no one will watch football matches in the stadiums or in front of the TV, and the commercial partners that are helping generate revenue, which is reinvested in the sport, will no longer be interested. It is a vicious circle and we have a paramount responsibility to do whatever we can to best protect the integrity of our game.

This is also why we work with many different stakeholders to address the challenges of doping and match manipulation and why we are also dedicating a lot of resources and also expertise and effort to address these challenges.

When it comes to compliance and due diligence, we as an organisation have enacted many different initiatives, processes and tools. For example, our code of conduct serves as a one-stop shop; it provides direct access to the code in all different languages, and it provides for different and direct links to relevant directives, training materials and templates, including contract templates. We also have in person training, for example, we organised a compliance summit specifically tailored to the needs and challenges of our 211 members associations, the football confederations and other stakeholders. In fact, we are currently planning our next compliance summit which will be held online in Autumn.

Overall, when looking into the future, I personally am convinced that legal tech and artificial intelligence will be highly relevant and beneficial for in-house counsel. We have already evolved quite significantly, compared to where we stood five years ago. But, I believe that we are still in the early stages and that the technological revolution for in-house counsel is just beginning. What I am convinced of is that we as lawyers and in-house counsel need to be open to innovation and technology, amongst many other things to enhance our risk management.

Sergey Vitorov, Legal Compliance and Quality Director, BACIS, NOVO Nordisk

My role in Moscow is heading up the legal and compliance team. I am responsible for this whole area, which includes things such as: risk management, internal investigations, preparation and execution of compliance and legal plans, litigation, contractual work and really everything you can think of.

I am not aware of any multinational organisations nowadays which does not have a compliance policy and framework. Almost all of them have a compliance specialist or in-house legal person in place. In order to move forward, the biggest challenge nowadays is to foster a proper compliance mindset. This is so that people will not perceive compliance as merely a ‘tick the box’ exercise. That is the challenge that I believe remains in place in many parts of the world. Even many senior colleagues in large companies still view compliance as a ‘tick the box’ exercise. They view it as only being the responsibility of legal and compliance departments.

Obviously, corporate ethics is not only about compliance with applicable laws and regulations, it is also about sustaining the long-term business success of an organisation. It is up to us lawyers to understand technicalities. But when it comes to business clients, they have to understand the principles behind why specific rules were introduced. Also, the more our internal clients believe and understand corporate ethics, the fewer number of white-collar crimes will be committed, and in-house counsel will be able to dedicate their time to other important matters. Promoting ethical culture means not only constant training efforts in this direction, but also fostering the right mindset. It is important for us to ensure our clients will understand not only the letter of the law, but also its spirit, and the rationale behind a certain legislative provision, therefore enabling them to make the right choice in a dilemma.

When looking at my own team, further improvements can be made to promote ethical business culture. For instance: making legal and compliance functions independent from the business (solid reporting lines should flow into that function and not into business. Legal and compliance should have their own independent budget); making sure that legal and compliance directors are part of the management teams for respective business units; and when deciding where to hire a legal and compliance professional it is necessary to take into account not only business considerations (size of the business, its growth and profitability) but also a risk profile of a given jurisdiction.

When it comes to bribery and corruption and due diligence, the pharmaceutical industry is highly regulated. It inherently requires us to deal a lot with governmental officials (while registering products, running clinical trials, selling medicines to the government etc). Moreover, due to the state-owned nature of many healthcare systems, administrators in clinics and doctors can be classified as governmental officials from both the FCPA (Foreign Corrupt Practices Act) and UKBA (UK Bribery Act) angles. Thus, bribery risks are at the top of the agenda of international pharma companies. Due diligence risks primarily relate to the difficulties in identification of real ultimate beneficiaries in high risk jurisdictions (Latin America, CIS, Southeast Asia) due to the sophisticated techniques used by those who try and conceal real ownership.

‘Bribery risks are at the top of the agenda of international pharma companies.’

For instance, we had a case where the real ownership of one of our distributers was concealed. According to the official registers the shareholder of the company was person X, but it transpired that the real beneficiary behind was a completely different person. In fact, that person was a governmental official. This created a lot of legal risks. We hired a private investigator to run an in-depth compliance check mandated by our compliance policy and procedure. When we received the report from the investigator, we took a risk-tailored approach and discussed each and every red flag related to the situation. As a team we tried to find a meaningful solution. We then took it to the senior levels of our company so that management would be aware and endorse our actions, and offer their advice based on their knowledge and experience. We of course took independent legal advice as well. In the end we decided to run more enhanced due diligence checks over our critical high-risk partners.

Also, when it comes to crisis management, we have a very solid risk management framework in place which enables us to address crises in a speedy and coherent way. For example, we ran a whole risk assessment when things started to go off recently due to the coronavirus outbreak. We immediately decided to make all our sales calls virtual, even in regions where the government had not yet mandated it. Legally, it was permissible to do face to face meetings in some countries at the start of the pandemic. However, we considered the safety of our customers and our own personnel, and we decided to take everything virtual. We also created some new platforms, and as a result tweaked our compliance rules and procedures to the virtual working environment.

I think when we look to the future, white-collar crime is going to become more sophisticated. If we look back five or ten years ago, if a person wanted to defraud a company, he or she would simply use his or her credit card improperly. Now, corporate fraud is more sophisticated. People are becoming more underhanded when it comes to white-collar crime; it is getting harder to detect and prevent. In addition, the regulatory framework for the pharma industry is not getting easier.

Cyber-crime is also a growing risk area going forward. The main thing here is to make people aware of the core techniques that criminals can use. It is important to be on high alert and to no longer perceive the virtual world as not real; it is very much real. Also, people should not look at cyber-crime as purely the responsibility of IT. It is the responsibility of every employee and people should be trained to detect phishing emails and be aware of their VPN when sending corporate sensitive data.

When overcoming these future and current challenges, it helps when compliance and legal teams come together in a co-ordinated effort. They may be two separate functions, but a collaborative approach is best when preventing white-collar crime.

Seshani Bala, Group General Counsel & Corporate Assurance, Chartered Accountants ANZ

My past in-house roles were in fast moving consumer goods (FMCG) companies where I had international remit and exposure to the benefits of legal operations and using digital solutions in European and US markets. Having a cross-border perspective has really shaped my legal career and how I view in-house lawyering, particularly with respect to ensuring in-house legal teams join the data world so they can make data-driven decisions in this digital economy.

In terms of how I got to my current role, I have always loved problem solving and driving outcomes. When I was in high school I really focused on science and maths subjects, but decided I wanted a complete change when I entered law school at university. I ended up doing a combined Law and Arts degree at The University of Auckland and then did the usual ‘kiwi’ thing of working in large corporate law firms before heading off overseas for the traditional ‘OE’ (overseas experience).

I really enjoyed the fast-paced M&A and private equity deal work in private practice, but I never got the opportunity to view business transactions across their life cycle, because I always had to move onto the next deal so quickly. I did a brief in-house secondment and loved it – everyone told me that once you go in-house, you will never go back! My first in-house role was as international general counsel for an FMCG company where I had remit for all legal matters across 43 markets globally. I gained wonderful experience about customer needs and how to provide business-ready advice. In my current role at Chartered Accountants ANZ, a professional membership body with over 125,000 members globally, I lead the legal, governance, risk, compliance and operational excellence teams which provide integrated assurance and enable the organisation to grow, react and adapt to a changing environment across Australia, New Zealand, Asia and the United Kingdom.

The privacy and cyber landscape is constantly evolving across the globe – we are seeing an increase in disruptive technologies, a move to digital delivery, the rise of the ‘no touch’ economy, the commercialisation of consumer data and consumer demand for delivery at pace. But in parallel, we are also faced with an increase in privacy regulation and the risk of cyber threats. In fact, in 2020, we’re experiencing a year like no other, as we all navigate through a global pandemic! Privacy and cyber security are front of mind as our business balances rapid digital transformation with ensuring our post-COVID operating model is relevant in this new world.

For example, the rapid change from an on-premise technology operating model to a ‘cloud model’ has resulted in a proliferating of data across platforms and increased external cyber exposure to corporate systems. This will surely increase to the point where data will no longer reside in a traditional on-premise location, changing how we manage and protect both cyber and data privacy forever.

‘Looking towards the future, I think in-house legal teams need to be much more tech savvy.’

Digital solutions are also key in managing areas like whistleblowing. Recent legislative changes support the trend towards whistleblowers being seen as a corporate asset and key to maintaining a culture of good corporate governance.

Businesses can have a good whistleblowing policy which contains anti-victimisation provisions and provide for anonymous disclosure but this needs to be operationalised – using a secure digital platform is the best way of mitigating risks in this space.

External counsel certainly do play a role when it comes to the investigations process, but that depends on the type of investigation. Some investigations need to be conducted under legal professional privilege and using an external firm assists with maintaining privilege. It also provides a level of independence, and external law firms are also able to offer practical guidance on how to manage an issue based on their experience with other clients and regulators. There are definitely benefits with using external counsel, but not with every investigation. A lot of things can be done in-house, so it really depends on the risk profile of an organisation and the cost/benefit analysis.

Looking towards the future, I think in-house legal teams need to be much more tech savvy. Innovation intelligence and being a quick adopter of technology is one of our legal team’s KPIs. Technology was previously a job for IT teams, now it is a whole of business function focused on protecting data. I think in-house counsel are well placed to show leadership in this space due to the privacy, governance and risk management responsibilities they have. In-house legal teams need to get a deeper understanding of technology and need to partner very closely with IT teams. There are huge opportunities for in-house legal teams to step up in this space – it’s an exciting time to be an in-house lawyer!

Enforcement Predictions for 2021

Since November 2020, white-collar defense lawyers have faced one question: will the Biden administration change US priorities when it comes to pursuing a range of economic crimes?

Generally, it takes a relatively long time for a new administration to have an impact on white-collar crime enforcement. White-collar matters often take a long time to process: cases that are not already being investigated can take months to appear on the radar, and the decentralised nature of the US system means that changes at the national level are often less consequential than appointments of US Attorneys at key offices throughout the country. In addition, the previous administration did not roll back on its enforcement pursuits to the extent many had anticipated. For example, aggressive FCPA enforcement continued through the last four years, in contrast to many expectations.  All that said, we expect the next four years will bring rigorous white collar crime enforcement across a spectrum of white-collar cases.

Early indications of the new administration’s approach can already be seen in the appointments made by various regulatory agencies, with Obama-era alumni returning to senior positions. Given the likelihood of similar appointments at the DOJ, the SEC, and other relevant regulatory bodies, the next four years could be marked by a return to the priorities set in the Obama era, which alone would mean an increase in the volume of white-collar work.

While it is still too early to judge exactly how the legislative and regulatory priorities of the new administration will impact business, existing features of the enforcement landscape will continue to have a big impact on international business.

First, we expect to continue to see a sustained emphasis on anti-money laundering enforcement, and the FCPA will remain one of the most important US federal laws for multinational companies. Second, sanctions and trade controls will similarly continue to exert a substantial influence on enforcement in the US and beyond, largely because – in the United States – there is rare bipartisan consensus on the value of sanctions as an instrument of national policy. One area we expect an uptick in enforcement is securities fraud investigations against both corporations and Wall Street institutions, both civil and criminal, as we expect the new Administration will be highly motivated in this area.  Lastly, the aftermath of COVID-19 will likely result in heavy scrutiny of potential fraud related to various COVID relief programs and in their related significant federal investment.

General counsel will need to mitigate these and other emerging risks in the coming months.

Compliance from home

Almost without exception, all major policies and procedures related to compliance presuppose that employees are physically present in an office; that employers know where data and other records are stored; and that compliance teams have the ability to directly monitor staff activity.

For many companies, the global pandemic has introduced new remote working environments where the physical presence of a company’s employees is largely uncertain, data may be stored across a wide range of depositories, and training is limited to formal interactions over webcam. For the past year, corporate compliance has taken on an entirely new identity.

Finding ways to ensure proper oversight of employees in a remote environment is a work in progress, and it remains to be seen how regulators will evaluate the measures taken by employers. Even without worrying about the stance regulators are likely to take, businesses must work out how to build and maintain a strong culture of compliance in a remote working environment. Establishing the right tone and culture is, of course, much more difficult without physical interaction; nevertheless, it is a challenge businesses and GCs must reconcile for the future.

Regulatory cooperation and conflict

For multinational companies, the list of potentially relevant prosecutorial authorities grows with every year. We continue to see increasingly aggressive white-collar enforcement in many countries around the world, accompanied by closer international cooperation among governmental authorities.

At the same time, conflict of laws between jurisdictions is becoming more common, meaning multinationals must navigate a world where they face competing laws in different markets. For example, US authorities have come to recognise that companies are limited in what they can lawfully do to cooperate when an enquiry requires the production of European data. Governmental authorities will be pushed to cooperate ever more closely because US authorities often will only be able to obtain necessary data only from their foreign counterparts.  As a result, multijurisdictional investigations will increasingly be coordinated between the different national bodies involved in investigating and prosecuting a case.

The more white-collar crime is viewed as a matter for collaboration among national regulators, the more likely a jurisdiction will expect its laws to play some part in mitigating the alleged misconduct. As any multinational legal or compliance team knows, misconduct often occurs in countries that do not have a well-established judicial system or, in some cases, effective rule of law. This situation makes the resolution of any potential compliance issues in such countries challenging at best.

Additional complexity can result by “blocking statutes” increasingly prevalent in certain jurisdictions, effectively prohibiting compliance with US sanctions. This creates a challenge for GCs of multinationals, who must navigate an increasingly interconnected world while also adhering to sometimes completely incompatible sets of laws and regulations.

General counsel will need to be sophisticated at navigating the relevant laws to avoid trouble. The world is becoming more complicated and risks to businesses are growing. This means their advisers will have to find unique solutions to a host of difficult challenges. The days of rolling out the same playbook for every problem are over.

Above all, GCs should remember the first law of compliance: when problems arise, one cannot ignore them in the hopes that they will disappear. At minimum, GCs will need to identify and act on potential problems as soon as possible. Waiting to see how something evolves is no longer an option in a world where every country has the ability to bring sanctions, and coordination among international regulators is the norm. Pick up the phone and call someone who can help you avoid compliance problems that will prove far more expensive than taking the necessary actions to prevent them.  And, when an investigation arises, GC’s will need experienced counsel who can ensure the company cooperates when appropriate, but who can also advocate aggressively, when necessary.

Authors:

Douglas Greenburg, Global Chair of the White Collar Defense & Investigations Practice, is a partner in the Washington, DC office of Latham & Watkins LLP

Benjamin Naftalis, Global Vice Chair of the White Collar Defense & Investigations Practice, is a partner in the New York office of Latham & Watkins LLP

Nathan Seltzer, Global Vice Chair of the White Collar Defense & Investigations Practice, is a partner in the London office of Latham & Watkins LLP

Leanne Geale | EVP, General Counsel, Corporate Governance and Compliance | Nestlé

Everything we do at Nestlé is rooted in our core values of respect: respect for people, respect for the planet, and respect for diversity and difference of thought. Nestlé has one of the most diverse consumer bases of any company, with activities in nearly 200 countries globally. There is no way to understand that consumer base if we do not embrace diversity in our operations, looking at things from different perspectives to get the best outcome possible.

When I joined the executive board in 2019 I was conscious of how seriously the company takes its commitments to D&I and was excited to propel the D&I programme forwards. While I see my role more as a supporting force to the broader company initiatives, there is still a lot that a GC can do to help drive change.

It starts with being purposeful with your own team, asking: Is it diverse enough? Are we building the right culture? Are we benefiting from diverse thought and approaches? How do we know? Are we actively identifying areas where we might be short? If so, how can we fill those, whether through external hiring or searching harder within the organisation?

The freedom to speak up

To get the best out of your people, you need to create an environment where they feel free to speak up. This underpins more than diversity and inclusion. Business methodologies from Lean to Six Sigma teach us that when teams are empowered to speak up, they improve performance; likewise, the ability, freedom and trust to speak up can enable strong safety and compliance cultures. A culture that supports D&I also supports innovation and idea generation and. allows you to examine a problem or opportunity from multiple perspectives and ultimately find the most robust answer.

Leanne Geale
Leanne Geale | Nestlé

For a legal function, having the freedom to speak up is doubly important. An environment where people feel comfortable to express what they feel is ethical or the right thing to do enables my team to act as a guardian of our core values more effectively. Targets and metrics are important ways to measure progress, but they are not the end goal. Creating a welcoming and open culture should be the first concern of any GC.

I am also a big believer in creating a working environment where everyone can bring their full self to work and perform at their best. Ultimately, strong performance and inclusive, collaborative behaviours are the most valued and valuable to a complex multinational organization.

Not-so-hidden talent

For female lawyers, the advice I commonly give is to just be yourself. Don’t try to fit in a mould. Build on your strengths and use those strengths to create a more inclusive environment. Christie Smith, the former vice president of inclusion and diversity at Apple once said the most important thing you can do to promote diversity is to say hello. That is a very powerful idea. That one simple gesture creates an environment that is more inclusive in an instant.

Even if you are not in a leadership position you can be a leader in everyday circumstances. For example, if you notice there are people who haven’t had a chance to speak, you can create space for them and encourage them to give their views. That way we can all be leaders in creating an inclusive environment.

Beyond that, I am proud to support Nestlé’s goal of having at least 30% women among its top 200 managers by 2022. That is an ambitious goal, but our approach has been to say, “We have almost 300,000 employees globally; with more women at the top, we reinforce our inclusive culture, make Nestlé an even better company and contribute to shaping an equal society. All of this helps drive our business performance.”

When the UK introduced a similar target for female representation on UK company boards, it was a success. I remember one board chair commenting that it’s amazing how many qualified candidates you can find once you look. That is often the case: the talent is there, you just need to change how you are looking for it.

To succeed

The biggest step you can make as in-house counsel is to get out from behind your desk – even if it’s a virtual tour. You need to visit operations, understand the business rationale, and see how things work on the ground. Whether you’re at a mine, at a retail gas station, or in a supermarket. That gives you a more holistic perspective and allows you to contribute more meaningfully, not only in a legal sense but in a broader commercial sense.

On an interpersonal level, it’s about asking yourself the right questions continuously: how you can help someone, how you can create space where people feel free to share their experiences and collaborate, or how you can share your knowledge and experience and open doors for people to progress their careers.

Jennifer Salinas | Executive Director of Global Litigation | Lenovo

“This is what a lawyer looks like”

I have always been a strong believer in the value of engaging with communities directly. During my time as president of the Hispanic National Bar Association (HNBA) I made community engagement my mission. HNBA representatives would go into schools in primarily black and brown communities wearing these t-shirts that had “This is what a lawyer looks like” printed on them and the kids would say, “Wait, you’re a lawyer?”. It was awesome to see that we could change their perceptions of what a lawyer looks like and make them realise they can do this job.

When I think back to my own experience of education and entry into law, I can see how useful that sort of awareness would have been. I am always very open about my experiences because I want people who find themselves in a similar situation to know these experiences are not incompatible with a successful career. I went to law school with a baby and graduated top of my class!

I was raised in a predominately Latino community where young women were not necessarily encouraged to pursue an education. I was the first person in my family to graduate high school. I married young and had my first baby when I was in college. I didn’t have any guidance on which college to apply to or any of the important questions students should take for granted: What do you want to pursue? Is this the right school? Is this the best school? Frankly, I based where I was going to study on its proximity to my boyfriend.

At college, and especially at law school, it was very, very lonely. I didn’t feel like I belonged. If you are from a background where higher education is not the norm you carry a kind of imposter syndrome around with you. Even now, after a successful 20-year career that sense of being an outsider occasionally lurks back in. Every so often I will hear a comment and think, “oh my gosh, maybe this was all just a lucky streak”. Rationally, I know that is not true, but it is something I know a lot of minorities have to deal with in the workplace, and it was certainly something I had to deal with in my early career. I was surrounded by people who did not look or sound like me, and who very likely did not have the same experiences as me.

I was a Hispanic woman, married with a kid; I just didn’t fit the mould of a successful lawyer. At law school, I was counselled by the career service team not to mention that I had a child when applying for jobs. I had to pretend to be someone I was not, and went through the first few years of my practice as a lawyer almost as two separate people living parallel lives. But I’m not someone who ever backs down. I used negative comments and prejudices to fuel me. Besides, as a young mother there was more at stake than just myself. The ability to fail was not n option.

More than a ‘diversity hire’

Majority communities can have a hard time understanding the sense of isolation or otherness that comes with being a minority in the workplace. Any complaints are seen as an attack on affirmative action programmes and minority-inclusive hiring practices. This is missing the point. As diverse candidate you naturally approach an interview thinking, “Am I here as a potential diversity hire? Does the company want me because of all the things I’ve done, or does it want me because I am a woman, and especially a woman of colour?” This is not a case of being paranoid, ot is just reporting the facts.  As any minority will know, people actually do say these things.

A few years ago, I was at a dinner with a law firm and we got to talking about a particular judge who was African American. One of the partners dismissed this judge’s experience on the grounds that he was, “an affirmative action hire”. He was discussing a federal judge who went to a phenomenal school, yet felt comfortable using that language.

A couple of years later we had a partnership retreat that included a D&I component. When it came to questions from the audience, I stood up and told this story. The lawyer who had made those comments was in the audience and knew exactly what I was talking about. I wasn’t going to publicly name and shame him, but it was my way of demonstrating the point that someone will sit through a discussion of D&I without being aware of this hypocrisy, or of how outrageous and damaging these beliefs are. This sort of prejudice in the legal profession is far more widespread that is commonly acknowledged.

Leading by example

If you want to judge whether a company is truly diverse, look at the makeup of its wider management. Don’t just look at the diversity and inclusion committee, which is where you tend to find diverse people – look at who the decision-makers are and whether they are diverse. Then ask, what does that company consider a diverse team looks like? Is it just having a woman on the board, or is it a real mix of people who have got there because the company is prepared to promote talent wherever it sees it?

In that sense, it is incredibly refreshing to work at a global company like Lenovo, where I deal with a diverse set of people from all over the world. We have a CEO who is compassionate and passionate about all issues that concern underrepresented or disadvantaged people. At the start of the pandemic, he put his own personal money and effort into sending laptops to poor communities throughout China, with a personal letter from him to the recipients.

When Black Lives Matter took off, we held some really honest townhall meetings to discuss how staff felt about the movement and what more could be done to improve the workplace. We held roundtable discussions where people were free to ask bold questions about how we were going to deal with the issues BLM raised, or to make sure that all our people felt included. Not only that, but the company matches our financial contributions to social causes one to five, which made a big difference.

That commitment to D&I bleeds through everything at Lenovo. I don’t feel like my gender or my ethnicity has any bearing on how people approach me as a lawyer. Corporations are doing so much better with diversity and inclusion than law firms in the US. Law firms could really learn a lot from their clients.

The 0.2%

Of course, counsel we can say that law firms need to change until they’re blue in the face. Let’s focus on actions rather than words. In a role where you are looking at candidates, dealing with vendors, or spending money, you have the power to effect the kind of change you are preaching. Leaders in any senior-level executive position have the power to move the dial, and there is a duty to be very intentional when it comes to diversity.

I am proud to say that my entire team is diverse. I require all my outside counsel to have a diverse team. We request biannual reports giving the various demographics within the team, and more importantly we check what role each lawyer will play on a particular piece of work. Diverse talent needs to have an actual, critical, material role in the work, it can’t just be somebody who is there for optics.

One thing that I absolutely know for sure is that until we can give equal access to underrepresented communities, and particularly to black and brown communities, we are going to find ourselves dealing with these issues in the law continuously.

The legal profession remains of the least diverse professions in the US. Just 5% of lawyers are of Hispanic heritage, even though such people make up about 18% of the population. In the IP space it is even worse. Latinas make up less than 0.2% of IP lawyers. Just think about that number for a second. A community makes up about 18% of the US population accounts for less than 0.2% of IP lawyers.  That level of disparity is not something that will change without intentional efforts on the part of GCs and senior counsel.

Of course, we need to think about what constitutes “diversity”, that diversity programmes are truly inclusive and not alienating any group. I have thought about this many times. Should we make diversity an economic issue, for example? Communities of colour are disproportionately poorer, but many other groups face socio-economic exclusion. The reality is this: white privilege is still white privilege. We need to address the disadvantages inherent to being a person of colour in the United States before we can look at bigger issues.

It is also a problem we can solve. Black and brown communities are abysmally underrepresented in the legal profession. As GCs we may not be able to change everything, but we can change that.

Luis-Xavier Hernández | General Counsel, Data, Privacy & Digital | Unilever

For GCs, the very first question you need to ask yourself is how much of a diverse and inclusive mindset you have as a leader. Only then can you successfully analyse how diverse and inclusive your current team is, both with respect to hard numbers but also in terms of its culture.

Luckily, I work for a company that is perhaps one of the most diverse in the world. This helps tremendously when looking at the composition of teams, but most importantly at the culture of the organization.

Diversity and Inclusion brings more value than most people think. Companies with successful D&I cultures grow faster, stronger and more sustainably. D&I attracts the best talent, it provides a much stronger management base that takes into account a more robust view of business, society, customers and consumers, and it allows you to contribute to positive change in society.  At the end of the day, we are here to leave a better place for the next generation. Embracing diversity and being inclusive will certainly contribute to that.

Luis-Xavier Hernández | Unilever

Deploying D&I policies on a global scale is one of the biggest challenges for any type of global corporation, particularly one with a footprint like Unilever’s. We have to understand that a diversity and inclusion agenda means respecting different cultures in different parts of the world. It is hard to come up with a rigid approach to certain metrics that may have varying degrees of relevancy in different parts of the world. You have to really understand and cater for that, because the main reason for having a diversity and inclusion agenda is to make sure that every individual in the company has the exact same opportunity to succeed as anyone else. To do that, you need to cater for realities and cultures in different places.

From my perspective, values rest on universal principles that should apply everywhere, like treating everyone in the organization with respect, providing equal opportunities no matter the gender, race, age, religion, sexual orientation or any personal beliefs.  Living and breathing these values makes us richer, stronger, and more united in every corner of our organization.

While it could be challenging to drive consistent metrics across regions with their own cultural characteristics and idiosyncrasies, I think the best way to reconcile that tension is to ensure that values are never compromised, no matter the circumstances.  That to me is a must and reflects the culture of your organization.

Better business in the digital sphere

As head of Unilever’s legal team overseeing data privacy and digital, I frequently find myself balancing the value of certain data related propositions with the complexity and cost required to execute them in a legally compliant manner.  It always comes down to finding that reasonable balance. What I have found helpful is to start our assessments by asking the question ‘what is the purpose of collecting personal data, in this case related to diversity and inclusion?’ This data point will lead to other relevant questions about proportionality and transparency but understanding the purpose works an effective gate and it’s definitely a strong start.

Most large organization have stats and metrics to measure their diversity and inclusion efforts, but few people realize how complicated and sensitive it is to process such information. When it comes to diversity and inclusion, most personal data is considered sensitive personal information, and for a good reason. The potential harm to the individual is heightened compared to other types of personal data, and as such organizations need to think very carefully about how such data is collected, used, and protected. The stakes are high.

From a data privacy perspective, the rules governing what sort of data organizations are permitted to hold will only get tighter. The entire ecosystem, from individuals to regulators and lawmakers, is taking more interest in use and misuse of personal data. That means we need to be ahead of the game and think through how and why we collect information. But there is an even more important question to be considered. The question of ethics.

Transitioning from what is legally required to what is ethically expected is a challenging but powerful journey that I think all players in this space should consider. It’s not only the right thing to do but also what most stakeholders would expect in these times. .

Ultimately, we want to be compliant with data protection laws while helping advance our D&I agenda, do the right thing for our employees, for the company, and for the whole ecosystem of partners, suppliers, customers, and consumers. I want to make sure that any information we collect is strictly necessary to achieve the ultimate purpose of advancing our D&I agenda and do something that is aligned with our corporate values and high ethical standards, while protecting individual privacy rights.

I think data and digital professionals will continue to face the challenge of finding the right balance between supporting legitimate business initiatives and remaining in compliance with the spectrum of regulations on a country-by-country basis – including sometimes outdated regulations.

Unilever is one of the leaders in the brand safety movement, which concerns itself with ensuring that our brands are presented to consumers in safe environments and of course a key part of this effort is holding media outlets and agencies accountable for that. It’s not as simple as it sounds though,  mainly because the digital space is formed of so many different players that it has become a complex, non-linear ecosystem. However, I believe that  all players but in particular the most influential ones have a degree of social responsibility to improve the digital ecosystem in the interest of millions of viewers who consume media and as a consequence advertising.

I have the privilege to serve as a board member of the Better Business Bureau National Programs Inc, a globally recognized organization that fosters consumer trust in advertising which is the reference point in the United States with regards to self-regulation and many other globally relevant programs. The BBB National Programs is a great example of an organization that really has the consumer interests at its heart. It truly stands for transparency and fairness in advertising. As such there is very much similarity in values between Unilever and the BBB National Programs and that’s why I accepted the board role without hesitation.

It has been a great experience being part of BBB NP’s board, it has given me an invaluable platform from which I can contribute my experience and passion for certain topics and perhaps shape in some way or form the strategic agenda of the organization. It has also given me an external perspective of the market place, consumers, and companies in many different industries. As GC, I have learned that having an external perspective of the world and the industry where your company operates is an invaluable enabler of a diverse vision. It also energizes me to continue to drive positive change.