Tue, Feb 7, 2023

Attorney Considerations Amid Rise of Tech-Enabled Investigations

This article was originally published by Law360.

2022 was a watershed year in which technology and data took center stage in corporate investigations. Turmoil in the cryptocurrency markets brought blockchain investigations into the national consciousness, and it coincided with heightened government expectations about the sophistication of corporate compliance programs, document retention systems, and support  expected from companies seeking cooperation credit from the U.S. Department of Justice (DOJ) or civil regulators such as the U.S. SEC, U.S. Commodity Futures Trading Commission and others.

The rise of complex, technologically dynamic and intensive investigations is significant in its own right, but these investigations also raise additional ethical considerations for practitioners.

While attention to the identity of the client and the particulars of joint defense agreements, discussed more below, is certainly not new, it takes on particular significance with the costs and burdens of tech-savvy investigations that leading enforcement agencies now demand.

New Developments in Crypto

The relentlessly increasing tempo of prosecutions, enforcement actions and calls for cryptocurrency regulation throughout 2022 was remarkable.

The increasing demands for regulation from retail customers are likely to continue fueling pressure on prosecutors, regulators and lawmakers to focus on this area in 2023.

At the same time, 2022's enforcement activities have revealed that the government is using an increasingly sophisticated toolkit to investigate cryptocurrency-related cases, including: (1) novel sources of intelligence on the movement of crypto assets and methods of obtaining the private keys necessary to seize ill-gotten funds and (2) better understanding of blockchain technology and the use of blockchain ledgers to prove movement of funds.

Practitioners handling cryptocurrency-related and cryptocurrency-adjacent cases must similarly develop their understanding and capabilities to conduct investigations, and trace transactions, through the blockchain.

Finally, while high-profile bankruptcies and allegations of financial fraud have received substantial attention, it bears emphasis that much of the government's attention remains focused on anti-money laundering, counterterrorism and sanctions enforcement. It is likely that the government will continue to focus on services that might be used to launder or obscure ownership of digital assets in 2023.1

For institutions engaged in cryptocurrency businesses or providing services to them, anti-money laundering processes are critical and must be reviewed regularly.

Organizations that serve as custodians of cryptocurrency assets, including professionals acting as escrow agents, and organizations taking novel roles in the rapidly evolving decentralized finance space should ensure that they have: (1) real and meaningful technical safeguards in place (2) effective know-your-customer and AML controls, regardless of their perceived exposure to the U.S. and (3) all necessary state and federal licenses.

New Government Expectations

The DOJ and other enforcement agencies have made it clear that they expect organizations to understand their data and make the preservation and integration of that data a central part of corporate compliance programs.

At the DOJ, the Criminal Division's Fraud Section recently retained a full-time data and compliance specialist to complement new chief Glenn Leon, a tech-savvy former chief compliance officer.

As a matter of policy, Deputy Attorney General Lisa Monaco's September 15 memo emphasized the DOJ's expectation that organizations are responsible stewards of corporate data, whether in personal or corporate devices.2

The SEC's crackdown on ephemeral messaging in the financial industry reflects the increasingly high expectations of a wide range of regulators — not just the DOJ — when it comes to ephemeral messaging.

As the stakes continue to increase, it is ever more important for organizations to weigh the benefits of bring-your-own-device policies and to have robust IT policies and testing in place. 
Similarly, the Monaco memo also signaled that the DOJ has limited patience for companies that invoke foreign data privacy laws, blocking statutes or other foreign law protections. Placing the onus on companies seeking cooperation credit to resolve these issues and warning that companies that attempt to capitalize on data privacy laws to conceal wrongdoing may not be eligible to receive credit for cooperating with investigators.3

Accordingly, companies should be mindful of their technological infrastructure and whether it is engineered in a way that respects the laws of the jurisdictions where it operates, while maintaining the company's ability to use data and other electronically stored information when necessary.

Familiar Ethical Considerations Take on Heightened Importance

The speed at which cases have developed, and seemingly daily shifting casts of heroes and villains in the cryptocurrency markets, emphasize the importance of carefully evaluating the proper scope of joint defense agreements, or JDAs.

While the particulars of joint defense agreements allowing parties with common legal interests to share privileged information, without waiving privilege, can vary widely depending on the agreement of the parties in a case, they remain based on the common interest doctrine and fundamental presumption that the parties in fact share common interests.

With the World Cup fresh in mind, the U.S. District Court for the Eastern District of New York's 2017 admonition in the prosecution of Juan Angel Napout seems particularly apt.    In the former president of the South American soccer confederation CONMEBOL’s case, the JDAs are not enforceable in cases where an organization is the alleged victim and an individual constituent of the organization seeking to invoke a JDA is the alleged perpetrator — even where the "the parties apparently [do] not recognize this distinction during the relevant time period".4

This cautions careful consideration of what information should, or should not, be disclosed during rapidly evolving crises.

Similarly, disruptive business environments and charismatic leadership can make the careful delivery of Upjohn warnings especially awkward.

The core elements of the warning that an attorney represents an organization, not the officer or employee individually can create a challenging dynamic. And that while communications between counsel and the organization's constituents are privileged, the organization, not the individual, owns the privilege and has the right to decide what information will be disclosed during an investigation.

However, the confidentiality restrictions imposed by the American Bar Association Model Rules 1.8(b) and 1.9—which generally prohibit using information from a representation to the disadvantage of a current or former client—make it particularly important for practitioners to be clear about the identities of their clients.

In addition to maintaining the integrity of the profession, while prosecutors are generally not able to prohibit joint defense arrangements, the DOJ's corporate enforcement policy makes it clear that companies that disable themselves from providing information to the government "by virtue of a particular joint defense or similar arrangement" bear the risk of potentially being disqualified from receiving cooperation credit.5

Ensuring control over evidence developed during an investigation—particularly costly data and electronically stored information—requires carefully policing both JDAs, as well as avoiding inadvertently creating joint representation scenarios that may have the same effect.


Finally, all these developments underscore that lawyer, including in-house counsel, white-collar defense practitioners and prosecutors, must be comfortable with technology, big data and data analytics.

While technology may have, at one time, been exotic to the legal profession, it is simply too ubiquitous to be ignored in practice—whether in situations that involve technology as evidence in cases more broadly or as part of an effective compliance program across industries.

Antonio Pozos is a partner at Faegre Drinker Biddle & Reath LLP. He formerly served as a federal prosecutor with the DOJ's Criminal Fraud Section.

Jordan Strauss is a managing director in the Forensic Investigations and Intelligence practice at Kroll LLC. He formerly served as a special assistant U.S. attorney for the Eastern District of Pennsylvania.

Kroll Forensic Investigations and Intelligence Director Hugo Hoyland contributed to this article.

The opinions expressed are those of the author(s) and do not necessarily reflect the views of their employer, its clients, or Portfolio Media Inc., or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.  

1https://home.treasury.gov/news/press-releases/jy0916; https://www.justice.gov/opa/pr/two-arrested-alleged-conspiracy-launder-45-billion-stolen-cryptocurrency; https://www.law360.com/articles/1538994/doj-s-top-crypto-cop-says-mixers-tumblers-are-in-focus
4United States v. Napout, No. 15-cr-252, 2017 WL 980323, at *4 (E.D.N.Y. Mar. 10, 2017)

Forensic Investigations and Intelligence

The Kroll Investigations, Diligence and Compliance team are experts in forensic investigations and intelligence, delivering actionable data and insights that help clients worldwide make critical decisions and mitigate risk.

Data Insights and Forensics

We are the leading advisors to organizations, providing expertise and solutions to address complex risks and challenges involving technology and data. We advise clients with services to address risks in disputes, investigations and regulatory compliance.