When the Company is the Victim: The Often Overlooked Aspect of Corporate Criminal Activity | Waller Lansden Dortch & Davis, LLP

On March 28, 2022, Jamie Petrone, a longtime administrator at the Yale School of Medicine (“Yale Med”), pled guilty to defrauding the school of $40 million. The size of the loss and the sophistication of the victim suggests that she succeeded in her fraud because she formulated and carried out a complex and clever scheme. In reality, however, her plan was simple in design and execution: for almost a decade, she submitted thousands of purchase orders for computers and other hardware, representing them as necessary for medical studies. When the equipment was delivered, Petrone sold it to an out-of-state company, keeping the proceeds for herself.

She used the profits of her scheme to buy multiple parcels of real estate and numerous expensive cars, to purchase extravagant international vacations and otherwise fund a lavish lifestyle. Yale Med was left with a huge loss, the vast majority of which will likely never be recovered. In response to Petrone’s plea, Yale Med offered a seemingly obvious acknowledgement: that effort was needed to “identify and correct gaps in its internal financial controls.”


Corporate criminal liability results when an individual acting on behalf of the company within the scope of his or her employment and violates the law with the intent of benefiting the company. This standard captures a wide range of conduct: from the environmental manager who dumps hazardous waste in an effort to cut costs, to the VP of sales who bribes a government official to help secure a lucrative contract, to the CFO who falsely certifies that the company’s 10-Q is accurate when it is actually laden with lies.

The imposition of corporate criminal liability can be devastating for a company. Whether the consequences take the form of monetary penalties, loss of reputation, having to pay for a court-imposed  monitor to oversee the company’s business, or even the company’s demise, the process of defending such an allegation is expensive, disruptive and difficult. Even those companies who face only criminal investigation, but are never criminally charged are left battered by the ordeal.

For those reasons, most companies understandably center their attention on avoiding criminal liability. But that focus can often cause them to overlook another critically important –  and far more frequent – hazard: the risk that the company itself will be victimized by crimes committed by insiders or others. Companies that neglect this threat not only miss the opportunity to prevent such harm from occurring, but also lose the chance to maximize recovery of the financial damage when the crimes are discovered.

This article reviews the most common forms of criminal activity committed against companies. In addition, it catalogues a company’s rights to recovery when victimized, the ways in which a company can  exercise those rights, and the obligations which result when the matter winds up in the criminal justice system (either at the company’s request or otherwise). Finally, this article covers the steps companies can take to reduce the possibility of being victimized, or at least lessen the impact  should a crime be committed.

Common Forms of Criminal Activity Against Companies

This category breaks down into two different groups: crimes committed by internal actors, i.e., individuals working at the company, and  external actors, i.e., individuals targeting the company from the outside. For both categories, the ultimate impact on the company is the same, but the manner and means of the criminal activity, as well as the steps necessary to respond to and the measures available to prevent such activity, differ depending on the circumstances.

Crimes Committed by Internal Actors

In our experience as former federal prosecutors and private practice lawyers, the most frequent and significant type of crime committed by internal actors is the embezzlement of funds. Embezzlement schemes vary in size and structure, but the core purpose is always the same: stealing the company’s money in a manner designed to avoid detection. Most often this is done by processing payment of phony invoices submitted by phony vendors but there are variations on this theme. By necessity, these schemes almost always require participation by one or more employees with the ability to set up vendors in the company’s accounts payable system. Sometimes, but not always, an individual with authority to approve payments to vendors is also involved. Not surprisingly, smaller companies that use one person to both set up vendors and process payments are particularly vulnerable to this type of crime. Other methods used by embezzlers are forging company checks or generating phony wires. Depending on the specifics of the individual scheme, this activity can also involve the forging of checks or the generation of phony wires (when the employee who approves such disbursements is not complicit).

Jamie Petrone followed this formula to some degree in carrying out her scheme against Yale Med, but added a much more brazen twist. Rather than use “phony invoices submitted by phony vendors” to extract money, she simply stole the goods provided by the payment of real invoices submitted to real vendors. In doing so, she seized upon a yawning gap in Yale Med’s internal controls: a lack of scrutiny for individual purchase orders under $10,000, regardless of the numbers of orders placed. Petrone had authority to make purchases below that level. In exercising that authority, she falsely represented on internal forms and communications that the equipment purchased was for particular Yale Med needs, including specific medical studies, in order to conceal her fraud. Petrone told the FBI she used this approach for “several years, possibly as many as 10 years.”

Smaller-scale embezzlement is far more frequent than large-scale fraud because it is more difficult to detect. Most often, this involves methods like expense reimbursement padding or use of company credit cards for the insider’s personal benefit. Other forms of embezzlement involve theft of time, which can include literal or figurative “whistle jumping” (the practice of hourly employees systematically leaving work before their shifts end, which can occur on a broad scale for companies with thousands of employees) or the manipulation of time records. For those who receive salaries rather than hourly wages, theft often takes different forms, including solicitation and receipt of kickbacks from vendors as well as stealing trade secrets or other proprietary information.

Crimes Committed by External Actors

Virtually every company has faced, if not actually been victimized by, some sort of “traditional” fraudulent scheme committed by external actors. The forms of these schemes evolve over time, but their core elements remain constant: a series of false representations designed to prompt the company to pay for goods or services that either were not or will not be provided. If they are actually delivered, the purported goods and services are of a much lower volume or quality (or both) than what was promised. These core misrepresentations are not the only form of the scheme however; companies can be harmed by less sophisticated efforts that can also have a major impact on operations and profitability, including straight theft of product (particularly on a larger scale), theft of data such as employee personal info, credit card numbers, or customer lists, or so-called “smash and grab” larceny.

Companies can also be victimized by the effects of criminal conduct carried on by others, even if the company is not directly targeted. Most often, this involves a competitor’s scheme to pay bribes to secure business, either through bid rigging or some other method. Whether those bribes are paid to government officials or simply offered to enrich purchasing agents at private companies, the effect is the same: the victim is deprived of the right to win business on a level playing field.  

Finally, no discussion of external threats would be complete without mentioning hackers and ransomware schemes. Typically committed by foreign actors operating in countries with less than genuine desires to prevent or prosecute such conduct, a ransomware attack is simply hostage taking in a slightly modified form: one of the company’s most valuable assets – its data – is held for ransom while the ability to communicate with customers is cut off. Ransomware attacks have exploded in growth (Forbes recently estimated a 105% increase overall, including a 755% increase in the healthcare industry), with no sign of abating.

The Company’s Rights When Victimized

 In any situation where a company is harmed by the actions of others, opportunities exist for the company to bring a civil action against the wrongdoer. But that approach is frequently time-consuming and distracting, not to mention expensive. Moreover, the ability to actually recover damages is often questionable at best. Companies who bring civil lawsuits against wrongdoers regularly wind up with nothing to show for it beyond large amounts of time and money spent.

Recognizing this reality, we typically counsel clients victimized by criminal activity to consider availing themselves of the rights afforded to crime victims under state and federal law, reserving the option to pursue civil litigation. These statutes allow prosecutors far greater ability to seize and eventually forfeit ill-gotten gains than a company’s alternative civil legal remedies, and provides a pathway from which a victim can recover money that was stolen.. By leveraging the legal framework and resources available, companies can simultaneously reduce their costs and increase their recovery.

Finding the best approach in a given situation means solving a calculus with several key factors: the nature of the offense, the location of the wrongdoer, and the amount of harm caused. Armed with this information, a company can make informed choices about how (and, sometimes, whether) to proceed.

Because state prosecutors are often required to focus their resources on crimes causing physical harm or threatening public safety, it can be more challenging for companies to obtain relief in that forum Because state prosecutors’ jurisdiction and resources are more limited than federal resources, it can be more challenging for victimized companies to obtain assistance from state prosecutors. But state authorities can nevertheless provide valuable assistance for those companies, particularly where the scheme is less sophisticated and the identity of the wrongdoer is more readily apparent. At the federal level, investigators and prosecutors have more tools and resources available to them to handle the bigger and more complicated cases. The primary hurdle to securing federal resources for a complex case is being able to show a significant federal interest. This typically involves demonstrating a loss at a level above the thresholds most U.S. Attorney’s Offices maintain as part of their individual policies, or by showing that a criminal scheme causes a notable impact across several jurisdictions (both foreign and domestic), such that a state prosecutor’s office would be incapable of handling the scope of the investigation due to its limited jurisdictional powers and resources.

By meeting those criteria, a crime victim enables a potentially dominant force. Under federal law, the Mandatory Victim Restitution Act (MVRA) provides that victims of federal crimes relating to property damage, monetary loss, and other certain types of crimes are eligible to receive restitution upon a defendant’s conviction and sentencing. Under MVRA, a “victim” is a person or business that was “directly and proximately harmed” as a result of the crime. In addition to direct losses, a federal judge can order restitution for a victim’s actual losses resulting from the criminal activity as well as any “other expenses” incurred during the victim’s participation in the investigation or prosecution of the offense, or the victim’s attendance at proceedings related to the offense, among other things.

 Prior to 2018, courts interpreted “other expenses” in the MVRA context to mean those expenses that would not have been incurred in the absence of the offense, that were sufficiently related  in fact or time to the offense, and that were reasonably foreseeable consequences of the crime. Some companies relied upon this interpretation to seek and receive reimbursement for internal investigations conducted to root out the nature and scope of the offenses committed. In 2018 however, the Supreme Court limited the interpretation of “other expenses” to require that they also be necessary for a company’s participation in and response to government investigations and criminal proceedings. Practically speaking, that interpretation of “other expenses” means that corporate victims can seek restitution only for those investigative expenses incurred as a result of and necessary for the company responding to a government request related to a criminal investigation –  not a civil enforcement investigation, and not a private investigation that the victim chooses on its own to conduct (even if the information is ultimately shared with the government). Similarly, any expenses that pre-date the commencement of a governmental investigation and the company’s contact with federal criminal authorities are not be eligible for restitution.

The Company’s Obligations in the Criminal Context

Once a victimized company has decided to pursue relief through the criminal justice system, it can expect to face several obligations. First and foremost, a company wishing to enlist criminal resources to aid in its recovery should understand that law enforcement will demand full cooperation in that effort. Too often, companies attempt to restrict law enforcement’s ability to probe certain areas or question certain employees when seeking the help of prosecutors and criminal investigators.. In our experience, that approach often backfires. Companies that invoke such assistance must understand that prosecutors are often wary of simply accepting a victim’s claims at face value, and require corroboration and a full investigation. Our experience informs us that it is far better for a company to reveal, as part of its cooperation with the government, evidence that may  undercut its claims. A company desirous of help in pursuing recovery needs to recognize the applicability of the old adage: in for a penny, in for a pound.

This expectation of cooperation includes the obvious forms, including responding to subpoenas for documents promptly and fully, making witnesses available, and sharing results of any internal investigations conducted. While prosecutors are not empowered to require that companies waive the attorney-client privilege, doing so can sometimes prove effective to prompt government enforcers to agree to take on a case and to move it through the process more quickly. But cooperation in its fullest form can also involve less apparent efforts. Particularly when the company’s operations are sophisticated, identifying one or more employees who can educate prosecutors and investigators about the nuances of the industry and the company’s place in it can be invaluable. Moreover, a company looking for the government to agree to take its case should never underestimate the value of providing the relevant documents and details in a form that is organized and concise. In our experience, the more muddled the initial report, the less likely it is to catch an investigator or prosecutor’s eye, regardless of the merits of the case.  

Measures to Reduce the Risk of Being Victimized

A company’s efforts to fight back against criminal activity should take two forms. First, companies must employ preventative measures to make themselves less attractive targets. Second, companies must be vigilant in their efforts to identify ongoing criminal activity.

Preventative measures take a couple of different forms. These include anti-fraud controls and policies, as well as training for employees on what type of activity is prohibited. In addition to training employees on the rules, however, companies should go further and educate their employees on what forms crimes against the company may take. In addition, employees should be taught that theft by others harms not just their employer, but also the company’s individual employees. Ideally, this will include examples to give life to some of the more generic prohibitions in policies that are often reviewed sporadically, if at all.

Teaching employees what to look for maximizes efforts to detect ongoing criminal activity. By doing so, a company effectively leverages the observational capacity of its workforce to discover crimes before they can flourish. Coupling policies and training with a fully functioning hotline is the key. Employees are estimated to account for roughly half of the tips that uncover crimes against the company. Every effort should be made to encourage such reporting. That includes not just a well-publicized and properly maintained hotline, but also accompanying rules which prominently feature two critical points: anonymous reports are allowed and retaliation for reports made in good faith are prohibited.

In addition to these measures, companies should provide education about the telltale red flags that can signal criminal activity by other employees. In Jamie Petrone’s case, it was the fact that a medical school administrator owned two Mercedes, two Cadillac Escalades, a Range Rover and a Dodge Charger, as well as multiple parcels of expensive real estate. Petrone made little effort to conceal these proceeds. While hindsight is always more clear, it is striking that her frequent social media posts featuring the ill-gotten proceeds of her fraudulent scheme did not attract attention sooner.

In addition to living beyond one’s apparent means, red flags can include financial difficulties, unusually close associations with a vendor or customer, steadfast and unexplained refusals to share duties, as well as a pattern of unscrupulous behavior.


No company is immune from criminal activity. But some relatively basic efforts to understand fully the nature of the risk faced, coupled with a few straightforward preventative measures, can dramatically reduce the likelihood that a company will be victimized. While no plan is foolproof, such efforts can help minimize the harm that results when criminal activity is carried out. Companies overly focused on the relatively improbable risk that they will face corporate criminal liability too often miss the forest for the trees when they ignore the far more frequent danger: that they will be the ones victimized.   

Related Articles

Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button