From Greyball to Snowball: Uber’s Latest Travails, and How Multiple Investigations of Misconduct May Imperil the Attorney-Client Privilege

It emerged on May 5 that the Department of Justice opened an investigation into Uber’s use of software called “Greyball” that concealed the ride-sharing company’s operations from regulators in cities and countries that did not permit Uber’s services.  Since then, the Portland City Council has voted to subpoena documents concerning the program, and lawmakers in Philadelphia and Austin have said they are cooperating with DOJ investigation. Uber allegedly deployed Greyball not only in the United States (including in Boston, Philadelphia, and Las Vegas), but also in Australia, Paris, China, and South Korea.

The Greyball software allegedly allowed Uber to identify public officials and prevent them from being picked up by drivers, all in order to frustrate attempts to catch Uber operating without authorization. In attempting to identify public officials, Uber allegedly drew a digital fence (or “geofence”) around government buildings, monitored those who opened and closed the app frequently from those locations, analyzed credit card data to determine if a card was associated with a municipal credit union, and searched social media and other available online information.  If an individual who was identified as linked to law enforcement attempted to use the app, Uber allegedly displayed cars that did not exist or showed that no cars were available.  When public officials were able to contact real drivers, Uber allegedly called the driver and instructed them to cancel the ride.  The Greyball program was allegedly approved by Uber’s legal team.

The Snowball: Internal Investigations, More Governmental Inquiries, and the Risk of Losing Attorney-Client Privilege

Now that the probes by the Portland city government and the DOJ have been made public, Uber has publicly announced that it has retained a law firm to conduct an internal investigation, while the prospect of additional enforcement actions by state, municipal, and international regulators looms. Setting aside whether Greyball was criminal or merely an aggressive tactic in an under-regulated industry, what should a company like Uber be thinking about when it faces serious inquiries and potential charges now, and anticipates further investigations and litigation later? One key consideration is the extent to which a company can protect its confidential and privileged information as such investigations and litigation multiply.

First, the DOJ could push a company like Uber to waive its attorney-client privilege by attempting to leverage the “crime-fraud” exception, which does not protect attorney-client communications where a client sought legal advice to carry out or cover up an ongoing or future-contemplated crime. The client’s intent at the time the advice is sought is the focus on the inquiry, and courts will apply the exception even if the attorney had no knowledge of, and didn’t participate in, the actual crime or fraud.  The presence of the crime-fraud exception may be a factor in a company’s decision to waive its attorney-client privilege as part of a bid for cooperation credit.

Second, in circumstances like these, it is far from unusual to see tag-along actions or investigations by state attorneys general and international regulators. In multi national investigations, the ability to protect information from authorities on legal privilege grounds will depend on the law in each country.  For example, a recent UK decision held that a company subject to a UK Serious Fraud Office criminal investigation could not claim privilege over documents created during an internal investigation, including written reports prepared by external counsel, in part, because the documents were created to fact find and not for “the dominant purpose” of obtaining legal advice.  Such analysis may dictate where and how final investigations reports are discussed and distributed.  In addition, international investigations may also implicate data protection issues.  For example, in the European Union, authority over corporate email accounts resides in the employee.  As a result, a company seeking to process that data may have to get consent and provide notice to local regulators.  Furthermore, in multi jurisdictional investigations, a company’s disclosure or settlement in one jurisdiction may affect the company’s position in another jurisdiction.  This may be especially relevant where a company wants to seek cooperation credit for voluntary disclosures.  Coordinated multi jurisdictional settlements must also analyze the prospects of overlapping fines, follow on investigations, and cross-jurisdictional collateral consequences, such as debarment.

Finally, it bears noting that were Uber a publicly traded company, one could also expect follow-on securities fraud suits alleging that the company knowingly misled investors about the legality of its operations, as well as shareholder derivative suits alleging that the company’s directors failed to satisfy their Caremark duties to ensure legal compliance.  With respect to shareholder derivative suits in particular, a plaintiff might argue that she is entitled to see privileged documents, either because attorney advice is relevant to assessing the reasonableness of a demand refusal, or because the plaintiff purports to stand in the shoes of the company.  Uber is not a publicly listed company, so these types of suits are less likely against it.