For other areas of envrionmental law, visit
The Synergistic Cafe: Environmental Law and
Science on the Web since 1995.
This paper was presented at the Florida Chamber's
"Environmental Permitting Summer School"
at Marco Island in July, 1998. Our program
was entitled "Multimedia Compliance
Audits; Environmental Self Audits."
I. Overview
Today, business is faced with a bewildering array of regulatory requirements. Among these are the numerous laws and regulations addressing environmental protection and worker health and safety. Unfortunately, the risk of noncompliance with such regulations cannot generally be eliminated or covered in the traditional ways such as insurance. As a result, many businesses are discovering that there must be operational control to manage such risk. This paper will discuss one method which can be used by business to manage environmental and health and safety risks. The topic has been called by a number of names, including "Environmental Compliance Auditing" or "Operational Auditing." For simplicity, we will sometimes refer to this type of activity as "Auditing." This refers to a process of conducting regular internal examinations of the operation of a business and the condition of its assets to confirm that the business is in compliance with environmental and health and safety laws and, when it is not, to institute corrective action and to verify that the required corrections take place. Most businesses already perform various auditing functions of certain aspects of the business, for example, financial or inventory auditing. Environmental auditing merely extends this practice to a different aspect of management.
Many managers are correctly concerned that audits could lead to the disclosure of information which could injure the company, the management team, and its members. These concerns are real and should be addressed. Basically, there are three concerns:
Discovery of the information in civil litigation against the company or management involving personal injury or property damage claims;
Enforcement by environmental agencies based upon the information leading to civil and criminal penalties or cleanup costs; and,
Competitive effects from disclosure of confidential business information.
Addressing these in order, we will turn first to ways that might be used to prevent the introduction of information from the audit into civil litigation where employees, customers, neighbors, other "responsible parties" or other third parties are attempting to introduce evidence derived from the audit to the detriment of the company. In this context, the main issue revolves around the rules of evidence which dictate limitations on the introduction of factual information into the record to persuade the finder of fact.
The attorney/client privilege is based upon a rule of evidence. In Florida courts this is Rule 90.502. Essentially, it states that a client has a privilege to refuse to disclose, and to prevent any other person from disclosing, the contents of confidential communications when such other person learned of the communications because they were made in the rendition of legal services to the client. The idea behind the privilege is to encourage people to disclose all the information to an attorney without fear of disclosure in order to receive the legal advice they are seeking. Roberts v. Jardine, 366 So. 2d 124 (2nd DCA 1979).
A "client" is any person, public officer, corporation, association, or other organization or entity, either public or private, who consults a lawyer with the purpose of obtaining legal services or who is rendered legal services by a lawyer. The privilege clearly applies to corporations even though a corporation cannot assert the privilege against self incrimination based upon the Constitution. Radiant Burners, Inc. v. American Gas Association, 320 F.2d 314 (7th Cir. 1963). Shell Oil Co. v. Par Four Partnership, 638 So. 2d 1050 (5th DCA 1994).
A communication between lawyer and client is "confidential" if it is not intended to be disclosed to third persons other than those to whom disclosure is in furtherance of the rendition of legal services to the client or those reasonably necessary for the transmission of the communication. The privilege is the client's to assert and can be asserted by a representative of a corporation or the lawyer on behalf of the client.
There are circumstances where the privilege does not arise. For purposes of the present discussion, several may be relevant. First, the privilege does not apply where the services of the lawyer were sought or obtained to enable or aid anyone to commit or plan to commit what the client knew was a crime or fraud. Second, if there are subsequent disputes regarding the attorney-client relationship, the privilege may not apply. Third, in cases where there are cooperating parties, the privilege may not attach to litigation between those parties. Where a communication is relevant to a matter of common interest between two or more clients, or their successors in interest, if the communication was made by any of them to a lawyer retained or consulted in common, the information is not protected when offered in a civil action between the clients or their successors in interest. (This "common interest" exception to the privilege has resulted in a number of cases where insurers seek to obtain documents from the insureds in the context of coverage litigations. See, e.g. Remington Arms Company v. Liberty Mutual Insurance Company, 142 F.R.D. 408 (D.Del. 1992) and Pittson Company v. Allstate Insurance Company, 143 F.R.D. 66 (D. N.J. 1992) - where waivers were not found.)
Note that the privilege applies to the communications between the attorney and client or certain included agents and assistants. The underlying facts are not protected if they could be discovered from some other source. The privilege may be waived. Once the waiver has taken place, the privilege cannot by reinstated. Hamilton v. Hamilton Steel Corp. 409 So. 2d 1111 (4th DCA 1982). Finally, if measures are not taken to keep the information confidential after it is produced, the privilege can be lost.
In the context of Environmental Compliance Auditing, there are several issues :
1. The use of lawyers must actually be for the purpose of seeking legal advice. He or she cannot be acting as a business person because the protected exchange of information must take place in the context of legal advice. Further, merely giving the attorney custody or passing it through the attorneys' hands will not protect it. Radiant Burners, supra. Also see United States v. Chevron U.S.A., Inc. No. 88-6681, 1989 WL 121616 (E.D.Pa. 1989).
2. The assistance of technical consultants is crucial to the process and care must be taken to bring the consultant within the protection of the privilege as an assistant to the attorney. Where the contact is tenuous and there are numerous meetings with the consultant without the attorney, the privilege can be lost. Confidential communications from defendant to expert hired to assist in defense regarding specific facts of a crime are privileged under the attorney-client privilege. Morgan v. State, 639 So.2d 6 (Fla. 1994). Several recent cases indicate that where the point is to receive technical consulting advice rather than provide legal advice, there will be no privilege. Bituminous Casualty Corp. v. Tonka Corp. 140 F.R.D. 381, 387 (D.Minn. 1992). In Re Grand Jury Matter 147 F.R.D.82 (E.D.Pa. 1992).
3. The types and numbers of employees of the audited company which can come within the privilege are by no means clear. Generally, those involved should only be those with a need to know based upon their position and job duties. Upjohn v. United States, 449 U.S. 383 (1981).
The most recent clarification in Florida as to the issues in corporate application of the attorney-client privilege is found in Southern Bell Tel. & Tel. Co. v. Deason, 632 So.2d 1377, (Fla. 1994) in which the Florida Supreme Court set forth the following guidance:
"(W)e set forth the following criteria to judge whether a corporation's communications are protected by the attorney-client privilege:
(1) the communication would not have been made but for the contemplation of legal services;
(2) the employee making the communication did so at the direction of his or her corporate superior;
(3) the superior made the request of the employee as part of the corporation's effort to secure legal advice or services;
(4) the content of the communication relates to the legal services being rendered, and the subject matter of the communication is within the scope of the employee's duties;
(5) the communication is not disseminated beyond those persons who, because of the corporate structure, need to know its contents." Id. at 1383.
Under Florida Rule of Civil Procedure 1.280(b)(3), materials prepared in anticipation of litigation by or for a party or its representative are protected from discovery, unless (in the case of factual investigation) the party seeking discovery has need of the material and is unable to obtain the substantial equivalent without undue hardship. A similar rule applies to criminal cases. The rationale for the doctrine is that "one party is not entitled to prepare his case through the investigative work product of his adversary where the same or similar information is available through ordinary investigative techniques and discovery procedures." Dodson v. Persell, 390 So.2d 704, 708 (Fla.1980). Fact work product traditionally protects that information which relates to the case and is gathered in anticipation of litigation. State v. Rabin, 495 So.2d 257 (Fla. 3d DCA 1986). Ordinary investigations for routine business purposes will not suffice. Opinion work product consists primarily of the attorney's mental impressions, conclusions, opinions, and theories. Id at 262. Whereas fact work product is subject to discovery upon a showing of "need" and "undue hardship," opinion work product generally remains protected from disclosure. See Southern Bell.
In the case of Environmental Compliance Audits, the most difficult issue in using this theory to protect the audit is the routine nature of the audit and the lack of a real threat of litigation. In the Southern Bell case cited above, for example, the court distinguished between internal auditing of service performance which was done for business, as opposed to litigation purposes and held that audits performed for the utility for purposes other than litigation were not protected by the Work Product Doctrine:
"Although Southern Bell regularly conducts audits for regulatory purposes and to ensure that its operations are running efficiently, the audits at issue were not conducted for either of these purposes. Rather, they were conducted at the request of counsel in direct response to the PSC's investigation. Thus, the audits were prepared in anticipation of litigation and are protected as fact work product." Id. at 1384-5.
Another issue is that opposing parties can obtain the factual information if it can be demonstrated that there is a need for the information and that an "undue hardship" would be created if access were denied. Florida Rule of Civil Procedure 1.280(b)(3) permits the disclosure of work product if the party seeking discovery "has need of the materials in the preparation of the case and is unable without undue hardship to obtain the substantial equivalent of the materials by other means." Southern Bell at 1385. In the case of complex technical facts available only at one point in time, for example, measurements of recording devices, those asserting access may well argue that the factual information should be produced.
Another potential protection for audited data is the "self evaluative" or "self critical analysis" privilege. This relatively recent evidentiary privilege is based upon the idea that it is socially beneficial to encourage evaluations of performance after things go wrong. Thus, the courts would decline to allow admission of documents related to the review of incidents after they occur. The privilege first arose in the context of medical malpractice where it was held that the notes from hospital peer review staff meetings would be excluded from evidence. Bredice v. Doctor's Hospital , Inc. 50 F.R.D. 249 (D. D.C. 1970), affirmed, 479 F. 2d 920 D.C. Cir. 1973. Although the privilege has been applied in a number of other contexts, it has not generally been a successful one for protecting audit results. See e.g. United States v. Dexter Corp. 132 F.R.D. 8 (D. Conn. 1990) and Arkwright Mutual Insurance Company, National Union Insurance Company of Pittsburgh, Pa. 1990 WL 14448 (No. 90 Civ.7811 S.D.N.Y 1993). Recently, however, the privilege was applied to protect environmental audit in the case of Reichhold Chemicals, Inc. v. Textron, Inc. 39 ERC 1328 (N. D. Fla. 1994).
Reichhold, the owner of contaminated property in Pensacola, Florida, sought in federal court to collect the costs from prior owners on the basis of federal and state claims. In the litigation, the defendants sought to obtain records from Reichhold regarding investigations done by the company. Reichhold refused to provide them citing the "self critical analysis" privilege. The court agreed and outlined four requirements for the privilege. These are:
1. The information must result from a critical self analysis undertaken by the party seeking protection from discovery.
2. There must be a strong public interest in preserving the free flow of information of the type involved.
3. The information must be of a type whose flow would be curtailed if discovery were allowed.
4. The information must be prepared with the expectation of confidentiality and be kept confidential in fact. Id. at 1331.
Significantly, the court was careful to focus on the fact that the records involved here were examinations of past incidents and not contemplation of a future course of action. This "vital" difference indicates the importance of choosing the proper viewpoint for compliance auditing. It would appear that if auditing is undertaken with the purpose of locating and correcting past errors in compliance, the Reichhold court would be more likely to recognize a privilege in connection with such documents. Certainly, in most cases, that is exactly the purpose of compliance auditing. It should be clearly stated in the record.
An interesting sidelight of the Reichhold case is its analysis of the relationship of federal and state evidentiary law and its conclusion of Florida law. The court held that federal law should control in the case but that Florida courts could elect on discretional grounds to not require disclosure of the information on public policy grounds. Id. at 1333. This position deserves further analysis for practitioners seeking to protect documents before state courts.
Legislative initiatives to provide immunity from prosecution and to protect audit results from discovery have prompted E.P.A. and the Department of Justice to make several attempts to compromise on the issues in seeking and using audit results in enforcement. Generally, the results have been unsatisfactory to the regulated community. The reader should review, for example, the 1986 Environmental Auditing Policy Statement, 51 Fed.Reg. 25006, July 9, 1986.
The agency published its Final Policy Statement on December 22, 1995, 60 Fed. Reg. 66706. The Policy provides potential benefits to the auditing company if certain conditions are met. These are the reduction of civil penalties and a possibility that there will be no criminal referral. Since the benefits depend upon whether nine conditions are met, let's examine those first. In our view, the conditions remain somewhat ambiguous but are improved from the original proposal. The conditions are as follows:
1. Systematic Discovery - The violation was discovered by either an "environmental audit" or some other "objective, documented, systematic procedure or practice".
2. Voluntary Discovery - The violation can't be discovered as a result of a legal mandate, for example, permit driven monitoring or inspections required by a consent order.
3. Prompt Disclosure - the violation must be reported in ten days or a shorter time if required by law.
4. Discovery and Disclosure Independent of Government or Third Party Plaintiff - Discovery and reporting can't be a result of a third party action or complaint or a report by a "whistleblower" employee nor can it driven by "imminent discovery of the violation by a regulatory agency".
5. Correction and Remediation - the violation must either be corrected in sixty days or the agency must be notified during that time period that it cannot be corrected in which case the agency could require a consent decree or other agreement to rectify the situation.
6. Prevent Recurrence - the entity must agree in writing to take steps to prevent a recurrence.
7. No Repeat Violations - the "specific violation" must not have occurred within the past three years at the same facility, nor be part of a pattern of violations by the parent organization for the past five years, including state and local violations.
8. Other Violations Excluded - the violation can't be one which (i) resulted in serious
actual harm, or may have presented an imminent and substantial
endangerment to, human health or the environment, or (ii)
violates the specific terms of any judicial or administrative
order, or consent agreement.
9. Cooperation - the entity must fully cooperate and provide all requested documents and other access.
Overall, this Policy at its core requires the audited entity to provide all the information it is seeking to protect before it will be informed whether the benefits of the Policy apply. Once waived by disclosure, the common law privileges are gone.
Depending on the government's determination of whether a business meets the conditions presented above, regulated entities will be eligible for the following reductions in civil penalties:
1. EPA will not seek the gravity-based component of the penalty for violations by regulated entities that meet all nine conditions.
2. EPA will reduce gravity-based penalties by 75% where eight of the conditions were met, excepting only the requirement for "Systematic Discovery" .
3. EPA will not recommend to prosecutors that criminal charges be brought against a business where all nine conditions are met and the violation does not involve: a "prevalent" corporate management philosophy or practice that concealed or condoned environmental violations; or "high-level" corporate officials' or managers' conscious involvement in or willful blindness to the violation.
Regardless of whether the entity is referred to criminal prosecution, the agency reserves the right to prosecute individual managers and employees according to existing policies.
EPA will also not request an audit "to initiate a civil or criminal investigation" or "routinely" request audit reports during inspections. However: " If the Agency has independent reason to believe that a violation has occurred, however, EPA may seek any information relevant to identifying violations or determining liability or extent of harm."
Taken as a whole, the Policy does not provide clear assurances that environmental managers can take to upper management, nor is it as helpful as it could be to environmental lawyers who must explain the risks of auditing programs. Florida DEP adopted a very similar policy on April 1, 1996.
EPA has provided several documents reporting upon the implementation of the Audit Policy and responding to questions concerning its use. These include the "Audit Policy Interpretive Guidance" dated January, 1997 Office of Regulatory Enforcement, EPA, Washington D.C., available on the EPA Web site at http://es.epa.gov/oeca/apolguid.html. If you wish, we can provide these materials to you. Please contact us at the address provided or email frank@hgn.com.
The lack of any real mechanism for reliably protecting audit information has led to numerous attempts to address the issue via legislation. Many state legislatures have passed bills recently aimed in that direction and have adopted laws that provide some protection to audit information. Texas, Idaho and Oregon are among the many states which have adopted such legislation.
Other states have refused to pass such bills or have left them pending for the next legislative session. A number of auditing privilege bills have failed in the Florida legislature in the 1995 thorugh 1998 sessions.
EPA had demonstrated its hostility to such legislation by threatening delegation in states where audit privileges exist. For a good summary of EPA's recent views on the topic, see the agency's December 6, 1997 discourse in the Federal Register in connection with delegation of Clean Air Act programs to Idaho. Note, for example, the following excerpts from 61 Fed. Reg. 64622, published December 6, 1996:
"Section 502(b)(5)(E) of the Clean Air Act lays out the minimum enforcement authorities which Congress required a State to have in order to secure Federal approval to implement and enforce a title V operating permits program. That section requires, as a condition of Federal approval, that a State have adequate authority to issue permits and assure compliance; to terminate or revoke such permits for cause; and to enforce permits, permit fee requirements, and the requirement to obtain a permit, including authority to recover civil penalties of at least $ 10,000 per day for each violation and to provide appropriate criminal penalties.... Although neither title V nor part 70 expressly prohibits State audit privilege and/or immunity laws.... the Idaho Audit Act interferes with the requirements for civil and criminal penalty authority set forth in title V and the part 70 implementing regulations so as to preclude full approval of Idaho's operating permits program. For example.....the immunity provisions of the Idaho Audit Act alter and in fact eliminate the State's authority to recover any civil or criminal penalties under the circumstances identified in the Idaho Audit Act.... The immunity provision of the Idaho Audit Act bars prosecution of intentional and knowing violations that would otherwise be a basis for criminal liability unless the source has previously and repeatedly violated the same requirements within the past three years. Moreover, the provisions of the Idaho Audit Act preventing the compelled disclosure of environmental audit reports prevents the State from obtaining potentially important information on whether a violation was knowing or whether a violation has been corrected. If the State, by virtue of such laws, surrenders its ability to thoroughly investigate potential violations or its discretion to take appropriate enforcement action in the face of violations, then the State's fundamental enforcement authority is compromised. EPA believes that this is the case with the Idaho Audit Act."
There have been a number of attempts in Congress to achieve similar results on a federal level.
The most recent is H.R. 2869, Excluding Employer Audits from Discovery. H.R. 2869 would amend the Occupational Safety and Health Act of 1970 to exempt safety and health assessments, audits and reviews conducted by or for an employer from enforcement action under such Act.
The proposed bill amendment adds language to 29 USC 657(b) that reads:
"Records, reports, or other information prepared in connection with safety and health assessments, audits, or reviews conducted by or for the employer, except to the extent such assessments are prescribed under section 6(b)(7), shall not be required to be disclosed in any inspection, investigation, or enforcement proceeding pursuant to this Act."
The bill was cleared for full committee action by the House Subcommittee on Workforce Protections on May 14, 1998.
OSHA has criticized the bill, stating that it would complicate OSHA enforcement and force the agency to reach conclusions about workplace hazards without critical information. According to OSHA, disclosure of self audit documents generally benefits employers because penalty reductions are available where employers acted in good faith to try to correct deficiencies identified in the audit.
Protecting confidential business information is somewhat less problematic than the other topics we have discussed. First and foremost this issue must be addressed with employees and consultants involved in the audit process. Reasonable written confidentiality and non-disclosure agreements should be in place in each case before sensitive information is released. Further, there should be limits on the dissemination of information and requirements to return important documents upon completion of the work.
Should there be reports required to authorities, the company should be careful to investigate legal mechanisms to protect corporate secrets under state, federal and local statutes and ordinances. In some cases if the information is submitted without assertion of the protection offered by these statutes, the opportunity to protect such records from disclosure under public records laws may be lost.
The mechanisms available to protect audited information are not extremely useful. In order to make use of the Attorney Client and Work Product Doctrine, the company should take care to set the stage carefully by formally seeking legal advice, involving lawyers in a meaningful way, carefully relating each inquiry to the legal advice and otherwise following the dictates of cases like Southern Bell closely. If the audit is undertaken as a response of management to past conditions with a stated intent to improve performance, this could be helpful in obtaining the protection of the emerging "self critical privilege" as applied to environmental investigations.
Although the EPA Interim Policy is not a reliable assurance for management, it may be prudent to place the agency on notice of the type of audit being considered and to seek the agency's concurrence that the plan meets as many of the conditions set forth in the policy as can be addressed prior to the audit. It may well be that the agency can be persuaded to rule on the suitability of the audit.
Practically speaking, where audits are to be conducted, the safest route is to assume that all materials will eventually be reviewed by the agencies and private litigants. All drafts and superfluous information should be destroyed as quickly as possible. Short, action-oriented reports focused on fixing problems encountered rather than overemphasizing the "violations" encountered will be best. Above all, if auditing is undertaken, take care not to strangle the process out of fear of litigation and enforcement. Nothing will be corrected if audit information is tied up in "protection" to the point that those with a need to know and the ability to correct problems are never fully on notice of the problems.
Frank L. Hearne
Bank of America Plaza Suite 3140
101 East Kennedy Boulevard
Tampa, Florida 33602-5151
Tel. (813) 909-7400
Fax (813) 909 8592
E-mail us at frank@hgn.com