Insights & Reports > Kroll Global Fraud Report

A client – a United States-based employee working for the Panamanian subsidiary of a public company headquartered in the US – recently asked Kroll about the legality of administering a polygraph to one of the subsidiary’s employees, a citizen of Singapore. The latter had accused a co-worker of fraud, and the company wanted to verify the truth of these claims before launching a full scale investigation.

This case provides a good example of the legal pitfalls that can arise in transnational internal investigations involving employees. When a multinational corporation conducts such an inquiry, different national law may apply depending on the geographical location of the investigation, the company’s citizenship, the employee’s citizenship, or the countries in which the company operates.

While the client knew of no Singaporean prohibition against administering polygraphs to employees there, the client was concerned that America’s Employee Polygraph Protection Act of 1988 (EPPA) might prohibit the polygraph, even in Singapore. The EPPA generally prevents private employers from administering polygraphs – real or fake – to employees. There are situations and employees, however, that may be exempt from the EPPA, such as in the case of certain ongoing theft investigations or for certain workers, such as government contractors or security officers. EPPA violators may face employee liability and civil penalties of up to US$10,000.

The client was right to be cautious. The EPPA covers not only operations of all companies – foreign and domestic – within the United States, its provisions also “extend to any actions relating to the administration of lie detector... tests which occur within the territorial jurisdiction of the United States, e.g., the preparation of paperwork by a foreign corporation in a Miami office relating to a polygraph test that is to be administered on the high seas or in some foreign location.” Based on this language, it seems that the US planning of the polygraph in Singapore may have been enough to trigger EPPA coverage.

Another, this time hypothetical, example further illustrates how complicated regulations governing transnational internal investigations can be. The US parent company of a European subsidiary receives an anonymous tip that one of the latter’s executives is embezzling and that evidence of this exists in the person’s corporate email account. Sarbanes-Oxley requires that the parent company investigate. The quickest, most efficient way to do so would be to review the executive’s email. For argument’s sake, say that the parent company and subsidiary share the same email system on a US-based server, and that the email will be reviewed in the US where courts have ruled that employees generally have no expectation of privacy when using their employer’s email system.

However, many European countries have strict privacy laws that could prohibit the surreptitious, systematic review of an employee’s email correspondence unless specific conditions are met. For example, the employer may have to comply with certain notice provisions or have an email policy that complies with local law and permits the review of employee email. Additionally, in some jurisdictions, the employer may not be able to review emails deemed by the employee as personal communication, such as email communication with a spouse, even though the communication involved the employee’s business email address.

Even if compliant with local law, however, the company must also be cognizant of any applicable European Union data protection, privacy, and electronic communications directives and the various ways in which they have been implemented by national governments and interpreted by local courts.

The company’s failure to comply with local law and European Union directives could expose the company to fines or other sanctions and employee liability.

As these examples show, before rushing into a transnational investigation, companies should be mindful of factors such as geographical location and citizenship that could trigger multiple nations’ – or regional – laws. Companies should then identify the legal systems and laws that might come into play. Companies should also consider hiring outside local counsel or experts who are familiar with relevant national and regional laws and regulations governing investigations and the collection of information.

Mysti Hillis, a licensed attorney, joined Kroll in 2000 and is head of the firm’s investigative practice in Dallas. She specializes in pre-transaction due diligence investigations, many of which are international in scope, and litigation support investigations.