Internal investigations are fraught with danger. Jonathan Fisher and Francesca John explain how to avoid criminal and civil liability


As technology company Hewlett-Packard (HP) has recently found out, an internal investigation must be carefully managed if it is to avoid creating more problems than it addresses. Following a US court's decision on the HP case, the company's top executives have branded its infamous internal investigation a 'wake-up call' that has prompted a shake-up in the company's operations.



The case, where private investigators hired by HP obtained directors' telephone records, is a high-profile example of an internal investigation which imploded in spectacular style. In March, a California judge dismissed the charges against former HP chairwoman Patricia Dunn and ordered three other defendants to complete community service. Ms Dunn and others lost their jobs in the furore, and the case has generated significant negative publicity for the company.



Inevitably, occasions arise when a business must conduct an internal investigation. These investigations are a critical means for businesses to uncover and address issues of fraud and other misconduct. A successful investigation will root out the misconduct and leave the business better able to prevent such activity in future.



However, the consequences of a badly conducted investigation can be severe - it may allow the perpetrators of misconduct to get away with or even continue their activity without recrimination. It may mean that lost funds cannot be traced or recovered, or that more money is lost. In the worst-case scenario, failures can trigger a number of criminal offences as well as expose a business's officers to civil liability.



At some point during an investigation, a business may want to covertly monitor the actions of its employees. When doing so, it must comply with the Regulation of Investigatory Powers Act 2000 (RIPA) and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000, which together provide a framework for monitoring electronic data processing equipment and communications.



RIPA makes it a criminal offence to intercept any communication 'in the course of its transmission'. There are certain exemptions allowing a business to monitor systems which it owns and operates, such as computers and telephones. However, any monitoring must be proportionate to the severity of the suspected misconduct. Broad monitoring of employees for no specific purpose will fall foul of RIPA and expose the company (or its officers/employees) to statutory liability.



The regulations give businesses the ability to monitor employees' activities in certain business-related circumstances. The regulations require that any interception is carried out exclusively for keeping a record of, or monitoring, 'communications relevant to the business'.



The Employment Practices Data Protection Code provides guidance on complying with the Data Protection Act 1998 and applies, among other things, to the monitoring of employees at work. Generally, failure to comply with the Act will have civil consequences, although an unauthorised disclosure of information may constitute a criminal offence.



Article 8 of the European Convention on Human Rights, which preserves the right to respect for private and family life, is now being used to challenge invasions of privacy in the workplace, including employer surveillance. To date, the courts have generally decided in favour of the employer where it can justify the surveillance. However, if a business were to implement a campaign of covert surveillance, without considering alternatives and without sufficient justification, it will open itself up to claims under article 8.



Interviews with employees who may be witnesses to the misconduct are an important investigative tool. In deciding to interview witnesses and suspects, the business will need to consider various questions, such as whether the employee should have independent legal advice. The Police and Criminal Evidence Act 1984 and related codes should also be considered, as compliance with the Act will determine whether evidence obtained in the course of an interview is admissible in any ensuing criminal proceedings.



It may be that a police investigation is proceeding at the same time as the business's own internal investigation. Businesses are strongly advised to maintain good relationships with the police and regulators as there is significant scope for mutual co-operation. Police and regulators will support an internal investigation, especially where serious fraud or market misconduct is suspected, and may be able to assist in the preservation and recovery of assets. Non co-operation with a simultaneous investigation may lead to disciplinary action against the business, which is an additional incentive for good relations.



The Money Laundering Regulations and the Proceeds of Crime Act 2002 require all those in regulated sectors to make suspicious activity reports (SARs) to the Serious Organised Crime Agency (SOCA). While a business may have chosen not to report a fraud to the police, an accountant, auditor or other person who falls within the regulated sector is legally bound (unless exempted in the particular circumstances by the legal professional exception) to make a SAR. Failure to do so is a criminal offence under section 330 of the Act, punishable by a maximum of 14 years' imprisonment.



The dilemma for a business investigating an internal irregularity is the approach it should adopt when the misconduct is initially discovered. Should it make a SAR to SOCA or not? If the company makes a SAR and subsequently interviews an employee who is suspected of being involved in the misconduct, it may be guilty of the offence of 'tipping off' by prejudicing an investigation which might be conducted, knowing that a report to SOCA has been made. If a SAR is not made immediately, the investigating business may be guilty of prejudicing an investigation under section 341, on the basis that when the SAR is finally made it could be argued that in delaying making the SAR, the business has removed investigative initiatives that may have been available to the authorities. In addition to making a SAR, where a listed company discovers a fraud which may impact adversely on the company's projected financial performance or undermine its previously stated results, it will also need to make a public disclosure of that fraud in the market-place.



Maintaining the secrecy of an investigation is the key to its success. Businesses should implement a 'need-to-know rule', keeping those who are aware of the investigation to a minimum. Every precaution should be taken to ensure it remains a secret - such as refraining from discussing it by email and holding investigatory team meetings off-site. Needless to say, if the perpetrators of misconduct are forewarned, it is likely that they will attempt to cover their tracks or destroy evidence, thus scuppering even the best-intentioned investigation.



Conducting an internal investigation is fraught with pitfalls. Circumstances giving rise to a need for an investigation necessarily mean that a business is under pressure to act quickly and decisively, which can lead to errors. At a minimum, businesses should ensure they are fully aware of their legislative obligations and limitations, and that they do not open themselves up to civil or criminal liability. Ideally, a well-conducted investigation will put an end to the misconduct, weed out the perpetrators, recover the monies lost and, ultimately, leave the business with a more robust understanding of such matters so that it can minimise similar risks for the future.



Jonathan Fisher QC is at 23 Essex Street in London and Francesca John is a solicitor in the dispute resolution department of McGrigors' London office