When the Black Swan Comes From Within

Social and technological changes have elevated the amount of potential harm a rogue employee can do. Here’s what the general counsel should know.

Companies have always had to contend with the risk of an employee going rogue. But in recent years, the risk has grown alongside higher turnover rates. Departing employees are increasingly walking out the door with intellectual property (“IP”) or engaging in data theft, thus exposing sensitive information to the public. According to a March 2023 report from DTEX Systems, voluntary turnover rose 20% from pre-pandemic levels during the first half of 2022 and was accompanied by an alarming 35% increase in data theft incidents. The report also showed that 12% of departing employees took IP with them.¹

In addition to dealing with these risks, the general counsel is under pressure to monitor and control the explosion of sensitive data coursing through the company that employees access using external, unofficial or “off channel” communications like WhatsApp or Signal.

It’s not surprising, then, that the frequency of insider incidents is rising, as well as the annual cost for companies to address them, which is now estimated to be $15.4 million.²

These developments drive up expectations of the GC, who, even with strong company compliance and controls in place, must be ready to respond to and investigate a wide variety of crises that come from within. Knowing the best approach to take when a rogue employee is exposed can minimize the fallout and even mitigate future risks.

Launching an Investigation

The actions of a rogue employee can vary in severity, but most situations require some degree of internal investigation, and many can quickly escalate into a crisis. Accounting fraud, embezzlement and trade-secret theft are classic high-profile examples. The specific steps of the investigation will differ depending on the scope, scale and severity of the incident.

Almost half (45%) of GCs surveyed in The General Counsel Report 2023 from FTI Consulting and Relativity said their organizations have experienced new challenges associated with remote work. Among respondents, 30% reported that prolonged remote and hybrid work have directly influenced how they address their regulatory compliance and data privacy risks.³

If the identity of the rogue employee is established right away, for instance, the GC will need to ensure that the individual is immediately cut off from access to sensitive data systems and relieved of any professional responsibilities associated with company data. Although this may seem straightforward, the process can take significant time and effort given the proliferation of data and the multiple channels for accessing and sharing information across systems, accounts and devices.

Another factor is the way in which a rogue employee’s actions are discovered. If a known whistleblower is involved, the GC has a role to play early in the investigation to ensure that the person is properly interviewed and made aware of the appropriate internal policies (such as a corporate anti-retaliation policy), and that the company follows all applicable whistleblower protection laws.

Though the GC plays an instrumental leadership role in responding to an insider threat and investigating the incident, the burden does not need to rest solely on their shoulders. Rather, the GC should be viewed as central to a broader investigation team, positioned to holistically respond to all legal questions and implications in coordination with leaders across the full enterprise. Here are a few general principles the GC should follow to successfully execute such a role:

Name the Team. It is critical to define the investigation team, determine roles and identify who will be privy to information as it is collected. The GC should assign an internal point of contact who can influence their peers to respond to requests for information and can coordinate the overall action plan.

Establish a Timeline. The type of crisis and its extent will impact the pace of the investigation. Not every investigation needs a timeline, but establishing deadlines in areas such as data collection or evidence discovery can ensure that the investigation is conducted with proper urgency, is positioned to meet any related legal or regulatory data disclosure deadlines and is managed as cost-effectively as possible. Additionally, swift response will foster confidence among stakeholder groups, including the board, employees, partners and the public, as it demonstrates that management is serious about addressing the issue.

Keep It Contained. An open and transparent investigation signals integrity to stakeholders, which can benefit organizational reputation post-investigation. However, for many investigations, such as those relating to IP theft, accounting fraud or embezzlement, when discretion is needed and the underlying issue is not public, or when there is an ongoing security investigation, many details will need to remain private.

Ready to Self-Report? Knowing whether, or when, to take advantage of self-reporting options may reduce or even eliminate financial penalties, if any. Working directly with regulators toward a resolution can also demonstrate integrity about compliance efforts.

When To Look for External Help

Internal and crisis-driven investigations are often highly time-sensitive matters that stand to impact or disrupt stakeholder confidence, business operations, regulatory compliance, legal exposure in litigation, brand reputation and market value. No matter how well prepared or proactive a legal department may be, issues can arise before or during an investigation that will exceed the scope of the team’s experience. Additionally, the time and resources needed to effectively carry out an investigation can overtax the organization’s essential day-to-day operations.

An external firm with domain expertise in internal investigations and the type of crisis at hand can help expedite the matter and ensure a comprehensive and defensible approach, while the GC maintains the role of strategic team lead. Outside experts are often skilled in the areas that matter most during internal investigations, such as:

Third-Party Relationships: External counsel and advisor firms frequently employ professionals with regulatory experience. Established and strong relationships with regulatory agencies prior to a crisis can go a long way toward reducing financial penalties in self-reported whistleblower negotiations.
Technology: The vast number of communications devices and channels used today provide innumerable hiding places for digital evidence. While organizations have improved their surveillance programs and employee compliance training, a seasoned forensic specialist will have the tools and expertise needed to gain access to devices, systems and cloud platforms to find and access sources of high evidentiary value.
Strategic Communications: Is the communications department prepared to manage the crisis internally, along with the potential reputational impact? Is their communications strategy aligned with the legal strategy? When and how should employees be informed, and how often should they be updated? What is the timing and frequency of public-facing messaging, if any?

Reform, Commitment and Trust

The crisis that follows the discovery of a rogue employee can be extremely disruptive and take significant time and effort to investigate. But the situation also offers an opportunity for the GC to revisit risk management plans, such as ensuring proper compliance among employees, delivering effective ethics training and reevaluating internal controls.

While underway, the internal investigation can provide an organization with the time needed to implement new protocols and reforms so that when the findings become public, the company is in a position to highlight the proactive measures it has taken. By partnering with an external expert firm, the organization also demonstrates that it is committed to an objective and thorough investigation. All these efforts foster trust among stakeholders, including regulators, investors, customers and the general public.

Footnotes:

1: “2023 Insider Risk Investigations Report,” DTEX Systems, (March 2023).

2: Claire Meyer, “Infographic: How Much Do Insider Threat Incidents Cost Companies?” ASIS International, (April 17, 2023).

3: “The General Counsel Report 2023,” FTI Consulting, (July 6, 2023).

© Copyright 2023. The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, Inc., its management, its subsidiaries, its affiliates, or its other professionals.

About The Journal

The FTI Journal publication offers deep and engaging insights to contextualize the issues that matter, and explores topics that will impact the risks your business faces and its reputation.