Common Legal Issues in Internal Investigations

Lesley Brovner & Mark Peters
February 13, 2024

An internal investigation is a formal inquiry conducted by an organization to determine whether external laws or regulations or internal policies have been violated and to allow either discipline of wrongdoers and/or changes to internal compliance policies. An internal investigation can also allow an organization to respond to inquiries from law enforcement and regulators, improve internal procedures and respond to public inquiries and manage reputational risk. Below are some areas of law to be mindful of when determining whether to conduct an internal investigation, and if so, how to proceed while avoiding common mistakes.

Data Privacy and Security

When conducting internal investigations (or cooperating with government investigations) there are a variety of data privacy issues that must be considered and that can restrict the data that is collected and supplied to outsiders.

Unlike Europe, there is no one set of federal laws that control. Rather, investigators need to be mindful of a patchwork of state and federal laws that restrict what companies may do with data in their possession. These include federal laws like HIPPA and laws in certain states, that restrict what can be done with their residents’ data.

In addition, there are common law privacy rules set out by different state courts that also impact what data can be collected and distributed.

Finally, for companies that do business in Europe (or collect data from European citizens) there are the EU’s rules on data privacy which are far stricter and more comprehensive than those in the United States.
The bottom line is that in any internal investigation, before beginning, the company in question should consult legal counsel to make sure that the data collection needed by the investigation does not run afoul of the various data protection laws that may cover the entity and investigation in question.

Whistleblower Protections

Both the federal government and New York State have whistleblower protection statutes that cover a broad array of areas. Given the serious penalties that can result from a whistleblower violation (including, in some cases, treble damages for any government loss due to fraud) it is often important for companies to get ahead of any such claims by conducting its own internal investigation of an employee complaint. In the conduct of such an investigation, it is important to keep in mind the strict and serious prohibitions in these statutes on any form of retaliation against the whistleblower.

Labor Laws and Employee Rights

There are numerous Federal, State, and City laws that regulate how employers must treat salaried employees, including laws related to paid overtime for working more than forty hours a week. It is important that employers understand these interlocking laws. Some areas that may require an internal investigation include:

  • Salaried Employment
    • Salaried workers in New York City are protected by federal, State and City laws that govern the ways in which employers must compensate employees as well as rules regulating their working hours and conditions.
    • The federal Fair Labor Standards Act (FLSA) prescribes standards for wages and overtime pay, which affect most private and public employment.
  • Overtime Regulations
    • Pursuant to the FLSA, covered nonexempt employees must receive overtime pay for hours worked over 40 per workweek (any fixed and regularly recurring period of 168 hours – seven consecutive 24-hour periods) at a rate not less than one and one-half times the regular rate of pay.
  • Minimum Wage Requirements
    • The federal minimum wage is $7.25 per hour.
    • In New York State the minimum wage varies depending upon geographic location.
    • In New York City, the Minimum wage is $15 per hour and must be paid for every hour worked. If an employee works more than 40 hours per week, that employee must be paid time-and-a-half for any additional hours.
  • Leave Entitlements
    • The federal Family Medical Leave Act (FMLA) entitles eligible employees of covered employers to take unpaid, job-protected leave for specified family and medical reasons with continuation of group health insurance coverage under the same terms and conditions as if the employee had not taken leave.
    • New York State goes further and provides that employers must provide paid leave in certain circumstances to: bond with a newly born, adopted, or fostered child; care for a family member with a serious health condition; or assist loved ones when a spouse, domestic partner, child, or parent is deployed abroad on active military service.
  • Retaliation
    • Employers may not retaliate against employees for reporting violations of wage laws. For example, FLSA states that it is a violation for any person to “discharge or in any other manner discriminate against any employee because such employee has filed any complaint or instituted or caused to be instituted any proceeding under or related to this Act, or has testified or is about to testify in any such proceeding, or has served or is about to serve on an industry committee.”
    • State law similarly prohibits retaliation for reporting violations to the State Department of Labor.

Regulatory Compliance

Regulatory compliance involves adherence to laws, regulations, guidelines and specifications established by the government. Violations of regulatory compliance often result in legal punishment for individuals and organizations, including fines and debarment from future government programs and contracts.
A regulatory attorney can help to advise clients on a variety of City and State regulatory matters, including:

  • Conducting a detailed Internal investigation to help an organization determine whether they are in compliance with all relevant City and State and federal laws and regulations, and if not, how to get and stay in compliance.
  • When an investigation culminates in liability for a client, an attorney can help to persuade the investigating authorities that the sanction should be just and reasonable.

The 6 Most Common Types of Compliance Risk

Compliance risk refers to the potential damage a business or nonprofit faces when they fail to comply with industry standards, laws, and regulations.

There are numerous broad categories of compliance risk, any of which may require an internal investigation.

These include:

  • Privacy and Data Security Breaches
    One of the greatest challenges that business and nonprofits face is protecting both their employees’ and customers’ private information.
    There are several laws in place that regulate the way in which such information must be handled, including, for example, HIPPA and FERPA.
    It is critical to have policies and procedures in place to fight against malware, fishing, and hacking and to train on those procedures.
  • Accountability Act (HIPPA).
    It is critical to have policies and procedures in place to fight against malware, fishing, and hacking and to train on those procedures.
  • Corrupt and Illegal Activity
    Another area of compliance risk is Corrupt and illegal activity. This includes fraud, theft, bribery, money laundering, sexual assault and sexual harassment.
    Under certain situations, businesses can be held liable for the conduct of their employees, for example, sexual harassment in the workplace is a form of employment discrimination that violates federal, State and local law in New York. Employers are required to take steps to prevent sexual harassment and, if sexual harassment is reported, to take immediate action to address the situation.
  • Workplace Health and Safety
    All employers have a basic obligation to protect the health and safety of employees in the workplace.
    The rules on workplace safety are enforced by multiple agencies including the Occupational Safety and Health Administration (OSHA).
    In addition to taking steps to ensure worker safety, in some instances there are also reporting requirements when an accident does occur.
  • Environmental Impact
    Environmental issues that businesses and nonprofits must contend with include preventing/protecting from mold and asbestos and managing for poor air quality/lack of ventilation.
    Environmental Compliance requires meeting multiple different legal requirements including regulations of the Environmental Protection Agency as well as various laws including the Clean Air Act, the Clean Water Act, the Resource Conservation and Recovery Act among others.
  • Process Risks
    Process risk refers to the day-to-day work of your business or nonprofit, that may violate the rules and regulations of your industry. Examples of process risk include, reporting failures, accounting errors and inadequate quality assurance.

Contact an Attorney Today

The investigative attorneys at the law offices of Peters Brovner LLP have decades of experience conducting complex investigations. Before founding Peters Brovner LLP, Mark Peters and Lesley Brovner served as Commissioner and First Deputy Commissioner of New York City’s Department of Investigation (“DOI”), one of the oldest law enforcement agencies in the country. At DOI, they oversaw the Inspectors General for all New York City agencies and oversaw hundreds of investigations that resulted in criminal prosecutions and major agency reforms.

Prior to DOI, Lesley was a prosecutor for many years at the New York State Attorney General’s Office where she focused on complex, white collar investigations and Mark was chief of the public corruption unit at the Attorney General’s Office.

If you or someone you know is seeking legal advice concerning an internal investigation conducted, please reach out to the lawyers at Peters Brovner LLP for a free consultation.