Facebook and Airlines

British Airways and Virgin Atlantic both ran into trouble when their employees posted nasty remarks about their customers on Facebook. This raises the question of whether the companies did enough to educate their employees about the proper use of social networking.


Draft SEC Filings Can Be Protected From Discovery

In a January 9, 2009 order, Magistrate Judge Morton Denlow of the US District Court for the Northern District of Illinois ruled that Aon was not required to produce an email seeking comments on draft disclosure language for Aon’s Form 10-K because it was protected by the attorney-client privilege. Magistrate’s Opinion and Order in Roth v. Aon

The ruling is part of a securities class action suit against Aon. The plaintiffs were seeking an email with a draft portion of Aon’s 10-K. In rejecting the plaintiffs’ request, Judge Denlow recognized that the process of preparing SEC filings involves legal judgments throughout, even where the disclosure in question concerns operational rather than legal matters. Judge Denlow lays out the eight-prong test for attorney-client privilege:

“(1) Where legal advice of any kind is sought (2) from a professional legal adviser in his capacity as such, (3) the communications relating to that purpose, (4) made in confidence (5) by the client, (6) are at his instance permanently protected (7) from disclosure by himself or by the legal adviser, (8) except the protection be waived.”

Judge Denlow goes on to point out that the inclusion of non-lawyers as recipients of the email did not waive the attorney-client privilege so long as all other recipients were employees of Aon.

Judge Denlow also rejected the argument that, because the final 10-K was a public document, drafts should not be subject to the privilege.

A key take-away is that communications to be protected by the attorney-client privilege must only be exchanged among in-house or outside counsel and company employees. Including outsiders, such as the company’s auditors or other consultants, as recipients could waive the privilege. You should also label these drafts as preliminary drafts and as confidential attorney/client privilege.

Although this ruling is based on SEC filings, you should be able to apply the same analysis to private placement memoranda and other documents related to private investment fund-raising.


Risk IQ

Sumner Blount and CA have coined the term Risk IQ to address a company’s risk management environment: Risk IQ – The Key to Effective Risk Management. The idea is to deliver comprehensive, timely and accurate information to the decision makers to improve the decision-making process.

They break the Risk IQ into two parts: visibility and insight.

You need visibility into the right information at points in the business process to identify risks across the enterprise. You need easy access to it. You are all too likely to ignore or not ask for a report that is difficult to create.

You need insight into the information so it needs to be structured and presented in a way that allows the decision-maker to properly assess, quantify and manage the associated risks.

Improving your organization’s Risk IQ by establishing a common risk management framework can have significant financial benefits, in addition to controlling enterprise risks more effectively. Standard & Poor’s, for example, uses the level of risk management maturity as part of its overall corporate evaluation. So, poor risk management leads to a lower rating, which can increase the cost of borrowing, among other consequences.

The Anti-Corruption Principle in the U.S. Constitution

Are integrity or self-governance part of the constitutional framework of the United States? Do we need to give constitutional-like weight to the distortions to our democracy seen in campaign finance, redistricting, term limits and lobbying?

Zephyr Teachout published an article in the January 2009 edition of the Cornell Law Review: The Anti-Corruption Principle (pdf).

The Constitution carries within it an anti-corruption principle, much like the separation-of-powers principle, or federalism. It is a freestanding principle embedded in the Constitution’s structure, and should be given independent weight, like these other principles, in deciding difficult questions concerning how we govern ourselves. Corruption has been part of our constitutional dialogue since the beginning, but in the last 50 years—and particularly since Buckley v. Valeo gave corruption a relatively weak role in the constitutional scheme— the concept of corruption has been unbound from the text and history of the document itself.

The purpose of this Article is to prove this principle.

Professor Teachout argues that the Framers of the Constitution were obsessed with corruption and expunging it from the new government. She points out that the Framers thought the Senate was more prone to corruption since it was smaller than the House. That is why bills for raising revenue come from the House and not the Senate. [Article 1, Section 7]

The Framers resigned themselves to the fact that “man in his deepest natures was selfish and corrupt; that blind ambition most often overcomes even the most clear-eyed rationality; and that the lust for power was so overwhelming that no one should ever be entrusted with unqualified authority.” (citing Bernard Bailyn‘s The Ideological Origins of the American Revolution)

Professor Teachout groups political corruption into five clusters: criminal bribery, inequality, drowned voices, a dispirited public, and a lack of integrity.

What Is Insider Trading?

The SEC.gov website has a blurb on Insider Trading. They start off with legal insider trading, when officers, directors and employees buy and sell stock in their own companies. Corporate insiders are required to report their trades.

Illegal insider trading “refers generally to buying or selling a security, in breach of a fiduciary duty or other relationship of trust and confidence, while in possession of material, nonpublic information about the security. Insider trading violations may also include “tipping” such information, securities trading by the person “tipped,” and securities trading by those who misappropriate such information.”

The SEC adopted new Rules 10b5-1 and 10b5-2 to resolve two insider trading issues where the courts have disagreed.

Under Rule 10b5-1, a person is trading on the basis of material nonpublic information if a trader is “aware” of the material nonpublic information when making the purchase or sale. The rule also sets forth several affirmative defenses or exceptions to liability. The rule permits persons to trade in certain specified circumstances where it is clear that the information they are aware of is not a factor in the decision to trade, such as pursuant to a pre-existing plan, contract, or instruction that was made in good faith.

Rule 10b5-2 focuses on the misappropriation theory of insider trading and how it applies to certain non-business relationships. This rule provides that a person receiving confidential information under circumstances specified in the rule would owe a duty of trust or confidence and thus could be liable under the misappropriation theory.

Chakrapani Insider Trading

"Blue horseshoe loves Anacot Steel"

The Securities and Exchange Commission charged Ramesh Chakrapani with insider trading. Chakrapani was an employee of the Blackstone Group.

The SEC alleges that Chakrapani tipped off a friend about the pending acquisition of the supermarket company Albertson’s Inc. before the public announcement of the deal in January 2006.


Business Risk Intelligence

These are my notes from the OCEG webinar: Business Risk Intelligence.

  • Carole Stern Switzer, President of OCEG
  • Paul Shultz, Managing Director of Protiviti
  • Dave Anderson, Senior Director of SAP Business Objects

Paul frames the problem: Risk is often just an afterthought of strategy, resulting in strategic objectives that may be unrealistic and risk management being an appendage to performance management.

Paul breaks the solution down into components: enable, measure, plan, aim, aspire and protect to enable technology to build enterprise risk intelligence.

Dave views risk intelligence as a piece of performance. Risks can prevent you from reaching your goals. Strategy needs context to make decisions and needs to be connected to operations. Otherwise there may be a gap between the strategy and the execution.

Dave’s (and SAP’s) approach is to integrate strategy and risk management by addressing financial risks, compliance risks, market risks, process risks, and people risks.

Dave points out that S&P now includes enterprise risk management in its evaluation criteria as part of its credit rating calculations.

Carole pointed out that you want transparency so that risk is not hidden (whether intentionally or not).

It was interesting to hear the use of KRIs in connection with KPIs (that is, Key Risk Indicators and Key Performance Indicators).

The New Massachusetts Data Security Regulations

Goodwin Procter sponsored a webinar on the new Massachusetts data security rules.

Deb pointed out that you may now need to collect the state of residence of the client to figure out if they are in Massachusetts. That may have the perverse effect of collecting additional information about the person.

Deb points out that “financial account” is not well defined. She looks back to the statute and sees that it is focused on identity theft. If the “financial account” can lead to identity theft or the loss of money from that account then it would probably be a financial account.

In evaluating compliance you can include these factors:

  • size, scope and type of business,
  • entity’s resources,
  • amount of stored data, and
  • need for security and confidentiality of both consumer and employee information.

Deb points out that the Massachusetts regulators think the rules align with the federal data breach notification requirements. The regulators also think the rules are merely applying more detailed requirements to the broad principles under the federal rules.

The regulators are deferring to the Attorney General for enforcement. The new rules do not provide a private right of action.

The Written Information Security Program has four main groups.

Implementation

  • Identify all records used to store information. The rules do not require an inventory, but the regulators want you to know the answer. They suggest mapping the information flow to see where information is gathered, where it goes and where it gets stored.
  • Identify and assess risk.
  • Evaluate and improve safeguards. This includes the security system and compliance training.
  • Limit collection and use. Personal information should only be available to those who need it and then only the information they need. Don’t gather it if you do not need it and don’t keep it if you do not need it.

Administrative

  • designate a responsible employee
  • develop security policies
  • verify the capacity of service providers to protect personal information
  • The certification must specifically address the Massachusetts rules and must state that the signatory was authorized to sign it.

Technical and Physical

  • establish a security system
  • restrict physical access
  • prevent access by former employees
  • document responsive actions in event of data breach

Maintain and Monitor

  • post-incident review
  • disciplinary measures for violations
  • regular monitoring
  • annual review (if not more often)

Jacqueline Klosek focused on the computer system requirements. She put together specific requirements:

  • encryption – of stored information on portable devices and information in transit. Portable memory sticks are a big problem.
  • secure user authentication protocols
  • reasonable monitoring of systems
  • firewall
  • malware and virus protection
  • education and training

Agnes laid out three things to get done by May 1, 2009:

  • Implement internal policies and practices
  • encrypt company laptops
  • amend contracts with service providers to incorporate data security requirements

By January 1, 2010:

  • obtain written certifications from service providers
  • encrypt other portable devices (non-laptops)

New FMLA Poster

Under the Family and Medical Leave Act of 1993, covered employers must post a notice approved by the Secretary of Labor explaining rights and responsibilities under FMLA. The poster at WH Publication 1420 is sufficient.

Under 29 CFR 825.300:

(a) Every employer covered by the FMLA is required to post and keep posted on its premises, in conspicuous places where employees are employed, whether or not it has any “eligible” employees, a notice explaining the Act’s provisions and providing information concerning the procedures for filing complaints of violations of the Act with the Wage and Hour Division. The notice must be posted prominently where it can be readily seen by employees and applicants for employment. Employers may duplicate the text of the notice contained in Appendix C of this part (WH Publication 1420), or copies of the required notice may be obtained from local offices of the Wage and Hour Division. The poster and the text must be large enough to be easily read and contain fully legible text.

(b) An employer that willfully violates the posting requirement may be assessed a civil money penalty by the Wage and Hour Division not to exceed $100 for each separate offense. Furthermore, an employer that fails to post the required notice cannot take any adverse action against an employee, including denying FMLA leave, for failing to furnish the employer with advance notice of a need to take FMLA leave.

(c) Where an employer’s workforce is comprised of a significant portion of workers who are not literate in English, the employer shall be responsible for providing the notice in a language in which the employees are literate.