Editor: Please give our readers a snapshot of your background before coming to King & Spalding.
Hruska: I was a prosecutor for a number of years, first at the Manhattan District Attorney’s Office, where I prosecuted financial crime. Later I worked as senior counsel for Larry Thompson, the deputy attorney general in the Justice Department, where I focused on financial crimes. I left Main Justice to become the chief assistant U.S. attorney at the U.S. Attorney’s Office for the Eastern District of New York, where I supervised all criminal and civil matters, making a special point to develop a team that excelled in prosecuting financial crime – an area in which the office has been highly successful and where it really made a name for itself by virtue of having a number of excellent assistant U.S. attorneys on staff to handle those cases.
Editor: How has the regulatory framework and the environment affected the way internal investigations are conducted? What recent laws are largely responsible for the increase in internal investigations?
Hruska: While it’s hard to point to any one law, there are certain laws that definitely have caused a notable uptick in enforcement priority, but what’s more important is that there is a ratcheting up of attention by enforcement authorities to focus on a broader scope of conduct falling under the rubric of criminal investigation than was previously true 10 or 15 years ago. There are a number of different areas in the criminal law where you see an enlargement of this interest. There has always been a primary focus on fraudulent conduct, and appropriately so, but the idea and definition of what constitutes fraud has expanded. There has been a marked increase both in investigations concerning corruption, especially foreign corruption, and in criminal attention to the question of off-label marketing of pharmaceuticals and medical devices, as well as attention paid to a broader array of conduct seen as fraud in the financial arena – areas that within the last 10 years have received expanded attention. The number of agencies looking at those issues has expanded as well, such as the newly created Consumer Financial Protection Bureau, the FTC (with its increased attention to financial questions) and various parts of the Justice Department.
Editor: Do you consider the reputational risk to a company to carry equal weight with the regulatory risk?
Hruska: Those two risk areas are actually closely linked for companies, as both concern the way in which companies view their position in the outside world. Regulatory risk is a concern because violations of regulations are fundamentally bad business; companies want to abide by regulations. But more broadly, violating a regulation is bad for a company’s reputation, too. There are certainly situations where companies abide by regulations but nonetheless are rightly concerned about how particular conduct will affect their public reputation. The broader the regulatory reach extends and the broader the ambit of the necessarily gray area extends beyond the black-letter regulations, the more you are involved with reputational issues.
Editor: What measures should companies follow to test whether a contemplated action or inaction will be viewed by the public?
Hruska: It always comes down to a simple question: how would your conduct appear to the public looked at through the most skeptical prism? It is often phrased in terms of the “front page” test: how would you like your conduct displayed on the front page of a newspaper? More generally, you should view your conduct – and any policy likely to stem from it – as to how it will be viewed by the public when people who disagree with you try to frame it in the most negative way.
Editor: How do you counsel your clients to handle the press when a damaging leak occurs during an internal investigation?
Hruska: All investigations are different, so there is no ironclad rule. I have fortunately been working with companies that have done a good job in controlling leaks and also usually have very competent communications staff working alongside them. Rarely are lawyers alone the sole confidants of business leaders in those situations. In general, my rule is, never speak to the press unless you’re going to be truthful. Misleading the press not only is bad reputational policy, it’s also bad legal policy since it can cause all sorts of additional regulatory and criminal problems. The less said about investigations while they’re ongoing, the better. Investigations need to be done discreetly – as swiftly as possible – and arrive at a resolution on facts that the company understands and can back up.
Editor: What policy do you follow in advising companies to self-report to the various regulatory bodies?
Hruska: It’s hard to have a general policy on self-reports. Not all situations are the same. There are certain areas of the law and certain agencies you deal with where there is a safe harbor for self-reports, or where the advantage to the company with or without a safe harbor is so significant that it becomes desirable to self-report. Just to pick one example of a program that advantages first movers -- in an antitrust cartel situation, there are dramatic advantages for the first party in the door to report, advantages the Justice Department has done all it can to advertise and enhance. In nebulous situations where the facts are uncertain, it can sometimes be very difficult to make the decision to self-report. There’s always the risk of calling the government’s attention to an issue that they might not otherwise focus on. It is not always the right answer to self-report.
Editor: Do you advise your clients to conduct internal audits on a regular basis of various of their operations?
Hruska: Obviously, sometimes companies will do rifle-shot, deep-dive audits on specific issues, but putting that aside, I think that certainly any company ought to have a comprehensive audit and compliance regime, the main components of which should be promulgating an effective compliance policy – meaning, making sure that everybody understands what it is; that they’re trained on it on a documented, verifiable regular basis; and that the company follows up with audits to make sure that the employees are adhering to the policy. The primary reason is to ensure to the greatest extent possible that the company doesn’t have compliance failures that lead to regulatory or even criminal consequences. Even if that should occur, the company can then demonstrate that it instituted measures to try to prevent infractions from happening.
Editor: You’ve mentioned before that many modern compliance systems do not work. Have you seen an improvement in the efficacy of compliance systems today?
Hruska: When compliance systems don’t work, it’s often because they are organized and executed in a very programmatic and one-dimensional way. They consist of creating boxes and having compliance personnel and auditors check the boxes without thinking about the greater purpose that the policy is supposed to serve, and without examining facts or instances that arise in the course of business beyond the narrow confines of that template that the compliance policy has erected. Put concisely, if compliance officers or auditors are looking very narrowly at specific conduct and not understanding or asking questions more broadly about how that conduct fits in an overall context, they may lose the proverbial forest for the trees. They may not see that a failure of a minor issue that seems very routine, such as failure to preserve files or obtain signatures, could speak to a broader problem that the compliance policy was originally imposed to avoid. For instance, the defrauding of a company by its employees might have been avoided if their smaller, more specific policy violations had tipped off the compliance structure to the broader future problem. If those small violations are missed, not only do you miss an opportunity to correct small infractions, but the company winds up hurting itself in the eyes of regulators or prosecutors who later come in to inspect a flawed compliance system.
I’ve seen issues with compliance policies at all stages along the continuum, and it’s hard to know whether overall there is improvement in their efficacy. I have seen many good compliance systems in recent years, but also some big misses. I do get called in for compliance consulting, at which times I get a more comprehensive view of companies’ compliance structures, but again, that is a skewed data set because the companies that will call me in are often ones that are the most forward thinking in terms of enhancing their compliance regimes.
Editor: What is the board’s responsibility for assuring that the company has adequate internal procedures?
Hruska: Boards have very significant responsibility for internal compliance procedures as attested to by the boards I’ve worked with. Among other things, regulators have put increasing responsibility on companies and boards of companies to ensure that they have effective compliance systems and have defined the efficacy of those systems on a number of fronts, from anticorruption compliance to data security to general fraud and other areas. If a board isn’t thinking seriously about the adequacy of its compliance regime, then the board is missing a very significant element of its duties.
Editor: What are the standards one should follow in conducting an effective and ethical investigation?
Hruska: Beyond the baseline of the lawyers’ ethics rules, which are quite stringent in many areas, in terms of the effectiveness of an investigation, one must try to obtain such facts that are available to the client and the most effective means for developing them. One size does not fit all. In very serious matters, such as those that might threaten criminal exposure, it’s important to move quickly to get the information, working through available documentary information first and then moving on to get information from individuals who are within the company’s control. In order to do that ethically, always bear in mind that while there is tension between the individual’s interests and the company’s, your client is the company. It’s your goal to ethically develop the information, and if you do wind up encountering regulators or prosecutors as a result of the conduct underlying the investigation, you should honestly present the facts and try to put them in the best light for your client. Lawyers in this area of practice handling major investigations tend to be repeat players, and your reputation for straight dealing – or the lack thereof – will quickly precede you with the government.
Editor: Is there anything more on the subject of investigations you would like to add?
Hruska: A couple of things: first, I am surprised by the great number of different directions the development of government investigations have taken, especially criminal investigations. I find myself engaged on more fronts than I can count in a given day – from criminal tax to anti-corruption to bank fraud to banking regulation to economic sanctions. I know that many lawyers focus intently on one law or one agency, but we find in our practice that our true expertise lies in identifying information, assembling it quickly and effectively, working with the client to understand its meaning, and in those situations where we do encounter the government, presenting that information in the best light for the client. We’ve also found an expanding number of international enforcement challenges where we’re representing companies whose locations are outside the United States and there is coordination or lack thereof between U.S. and foreign authorities. There are even some situations where we’re called upon to do investigations in an international area that does not yet fall under the aegis of an enforcement agency but companies are concerned that the activity might do so in the future.