Enterprise 2.0, Policies and Compliance

Mike Gotta asked me to join him on a panel about the policy and compliance issues at the Enterprise 2.0 Conference in Boston. This was my fifth Enterprise 2.0 conference: 2007, 2008, 2009, 2009 San Francisco.

That the audience was interested in compliance and regulatory issues is an indication of the industry maturing.

“Policy formation, governance and risk management programs are a critical requirement as organizations assess implications to the enterprise (e.g., identity assurance, data loss, compliance, e-Discovery, security), arising from internal and external use of social networking and social media. This panel of social media and Enterprise 2.0 practitioners will discuss real-life approaches that address management concerns.”

The panel consisted of:

  • Mike Gotta, Principal Analyst, Gartner
  • Bruce Galinsky, IT Director, Global Insurance Company
  • Abha Kumar, Principal, Information Technology, Vanguard
  • Doug Cornelius, Chief Compliance Officer, Beacon Capital Partners LLC
  • Alice Wang, Director, Gartner Inc.

I took the opportunity in my introduction to set the stage for the view of most compliance and in-house lawyers:

“I’m the ‘NO’ guy in your organization and most likely the person to bring your enterprise 2.0 or web 2.0 project to a grinding halt. People in my position do not want to hear about being social. I don’t care what you had for lunch or what your kids did last night. I don’t want to endanger the multi-million dollar value of this company so that you can play with Facebook inside the office. Now get out of my office before I sic my flying monkeys on you.”

We were unsure when planning the session whether the audience would be interested in issues related to external or internal policies. Overwhelmingly, the audience voted for a focus on internal.

One of the initial questions was whether you even need a policy. We were largely in agreement that you may not need a new separate policy. However, I pointed out, your compliance/legal department is going to want one.

Largely, the risks with enterprise 2.0 are not new risks. The big difference is that the bad stuff is now findable. Most evangelists proclaim the benefit of finding the good stuff you need to do your job better and to encourage innovation. The downside is exposing the bad stuff and opening the enterprise up to liability.

We eventually got to the point in the discussion about whether you let personal-interest communities form internally. Should you allow an employee to set up a wiki or discussion forum on religious, race or political issues? Generally it will take some action to create a new community on the enterprise 2.0 platform. Undoubtedly, there will be some need to control the creation of communities and therefore a need for a policy.

There was some discussion about content, control of the content and fixing mistakes. Personally, I have less concern about that. You need to encourage the team to keep the information current and correct. If someone is operating with the wrong information it is better you know about it and can fix the problem. The alternative is not knowing about the problem because it lives in an email silo, allowing the bad information to continue uncorrected.

When trying to draft a policy it is very useful to look to external policies for ideas and approaches. My social media policies database is a good place to start looking for precedents. The public web 2.0 industry is well ahead of the slower enterprise 2.0 industry.

Some other issues:

  • FTC and the disclosure of “Material Connection” (see FTC and Bloggers.)
  • EU Data Privacy
  • Records Management
  • Discovery and Lawsuits
  • First Amendment
  • Human Resources Issues
    • Labor relations
    • Recommendations
    • Overtime
    • Retiree and alumni involvement
  • Hiring Discrimination
  • Off-Duty activities
  • Company IP, logos and trademarks
  • Monitoring – if you have a policy you need to enforce it.

Each company has a different set of issues they are worried about. Each company also has a unique corporate culture. So there is no right way to draft a policy. You really need to pick and choose the different elements that will work in your enterprise.

Are Facebook and MySpace Messages Subject to Discovery?

In the recent case of Crispin v. Audigier, a California judge ruled that Facebook and MySpace messages that aren’t publicly available are protected information under the Stored Communications Act, and therefore can’t be subpoenaed for use in civil litigation.

Buckley Crispin sued clothing maker Christian Audigier for copyright infringement, alleging that Audigier used his artistic material outside the scope of a license agreement. Audigier issued a subpoena to Facebook, MySpace, and two other third parties seeking communications by Crispin about Audigier.

Crispin’s lawyers argued that such communications fell under the Stored Communications Act, which prevents providers of communication services from divulging private communications to certain entities and individuals. A magistrate judge rejected the argument and found that Facebook and MySpace were not Electronic Communications Services and therefore not subject to the protections of the Stored Communications Act. Because the magistrate judge thought the websites’ messaging services are used solely for public display, he found that they did not meet this definition.

Judge Morrow of the US District Court for the Central District of California disagreed and laid out some thoughts about the use of the sites and how they relate to civil litigation. (Law enforcement can always use a warrant to get the information, assuming it is related to a crime.)

The Judge noted that the Stored Communications Act distinguishes between a remote computing service and an electronic communications service.

“Electronic communication service” means any service which provides to users thereof the ability to send or receive wire or electronic communications (18 U.S.C. § 2510(15)). With certain enumerated exceptions, the Stored Communications Act prohibits an electronic communication service provider from “knowingly divulg[ing] to any person or entity the contents of a communication while in electronic storage by that service.” (18 U.S.C. §§ 2702(a)(1), (b))

“Remote computing service” means the provision to the public of computer storage or processing services by means of an electronic communications system (18 U.S.C. § 2711(2)). The Stored Communications Act prohibits a remote computing service provider from “knowingly divulg[ing] to any person or entity the contents of any communication which is carried or maintained on that service.” (18 U.S.C. § 2702(a)(2))

In the end, the decision about whether a particular message is subject to disclosure is dependent on security settings. Different messages in Facebook and MySpace (and other web 2.0 sites) will be subject to different standards.

The judge found that webmail and private messages are inherently private and quashed the subpoena for those messages. With respect to the subpoenas seeking Facebook wall postings and MySpace comments, the decision will be dependent on the person’s privacy settings and the extent of access allowed. If the general public had access to plaintiff’s Facebook wall and MySpace comments then presumably they are subject to discovery in civil litigation.

The Stored Communications Act was passed as part of the Electronic Communications Privacy Act in 1986. This was obviously well before the development of the current internet applications and technology. Courts, including the one in this Crispin case, have found that the application of this nearly 25-year-old statute presents challenges in application to the current use of the internet.

As Facebook changes the privacy settings in its platform, those changes will affect the discoverability of messages in civil litigation.

School Official Disciplined for Misuse of LexisNexis

The Massachusetts State Ethics Commission fined Mark Rivera, the former Lawrence School Department Urban Affairs Liaison and Special Assistant to the School Superintendent, for misuse of his access rights to LexisNexis.

The Lawrence School Department purchased access to the LexisNexis database so Rivera could obtain contact information for parents no longer living in the district, and contact parents and students regarding attendance issues. However, Rivera misused his School Department access to conduct “hundreds of searches of non-public information on individuals, including state and local elected officials, professional athletes and Hollywood celebrities….”

Massachusetts General Law chapter 268A §23(b)(2) prohibits a public official from using their official position “to secure for himself or others unwarranted privileges or exemptions which are of substantial value and which are not properly available to similarly situated individuals.”

Rivera used his official position to gain access to the database for private purposes.

Running database checks on Lawrence police Chief John Romero, David Ortiz, Johnny Damon, Michael Chiklis and Hugh Laurie cost Rivera $5,000.

This is not the only trouble for Rivera. He was also indicted on seven counts of larceny and was forced to resign in April. His boss, suspended Lawrence Superintendent Wilfredo Laboy, was recently indicted for fraud, embezzlement and possession of alcohol on school premises.

The Lawrence Public Schools system is among the poorest districts in Massachusetts. Almost 83 percent of its student body is classified as economically disadvantaged.

Why Is It Called a “Wells Notice”?

In 1972, SEC Chairman William J. Casey appointed a committee to review and evaluate the Commission’s enforcement policies and practices. Chairman Casey appointed John A. Wells, a lawyer at Royall, Koegel & Wells in New York, to the committee. He also added former SEC Chairmen Manny Cohen and Ralph Demmler. Chairman Casey asked Jack Wells to chair the Committee specifically because he was not a securities lawyer.

Thus began what is now known as the Wells Committee.

The Committee started its work in January 1972, and published a report with forty-three recommendations for the Commission in June of 1972. Of the 43 recommendations in the report, recommendation 7 stated:

“The conduct of an investigation should remain within the control of the Commission; where circumstances permit, however, the Commission should as a general practice give a party against whom the staff proposes to recommend proceedings an opportunity to present his own version of the facts by affidavit or testimony under oath.”

They further elaborated in the report:

“We recommend that, except where the nature of the case precludes, a prospective defendant or respondent should be notified of the substance of the staff’s charges and probable recommendation in advance of the submission of the staff memorandum to the Commission and be accorded an opportunity to submit a written statement to the staff which would be forwarded to the Commission together with the staff memorandum.”

The “Wells submissions” operate as a last chance for respondents to persuade the SEC staff that an enforcement recommendation is not warranted. If that fails, the Wells submissions are submitted to the Commission, along with a staff recommendation memorandum, so the Commission will have both sides of the story when it considers a recommendation for enforcement.

Who Came up With the Idea?

Former SEC Commissioner Paul S. Atkins gives credit for the concept to former Chairman Hamer Budge:

“In 1970, just months before Chairman Budge left the SEC, the Commission issued a memo to all division directors and office heads regarding procedures to be followed in enforcement proceedings. The memo had two significant components: (1) it required the staff to get Commission approval before engaging in settlement discussions, and (2) it required the staff to provide a summary of the defendant’s arguments in a recommendation memo sent to the Commission. The latter requirement became a subject of study by the Wells Committee….”

The Wells Committee observed that “[a]s a practical matter, only experienced practitioners who are aware of the opportunity to present their client’s side of the case have made use of [such] procedures.”

Is a Wells Notice Required?

The recommendations of the Wells Committee were met with mixed responses. The Commission apparently felt hamstrung by the mandatory-sounding nature of the phrase “except where the nature of the case precludes.” They did not formally adopt the proposal. In SEC Release No. 5310 the Commission found that it would not be “in the public interest” to adopt a formal rule and instead should give notice on a strictly informal basis. The Commission “cannot place itself in a position where, as a result of the establishment of formal procedural requirements, it would lose its ability to respond to violative activities in a timely fashion.”

What’s in a Wells Notice?

From the SEC Division of Enforcement’s Enforcement Manual, a Wells notice should:

  • identify the specific charges the staff is considering recommending to the Commission
  • accord the recipient of the Wells notice the opportunity to provide a voluntary statement, in writing or on videotape, arguing why the Commission should not bring an action against them or bringing any facts to the Commission’s attention in connection with its consideration of this matter
  • set reasonable limitations on the length of any submission made by the recipient (typically, written submissions should be limited to 40 pages, not including exhibits, and video submissions should not exceed 12 minutes), as well as the time period allowed for the recipients to submit a voluntary statement in response to the Wells notice
  • advise the recipient that any submission should be addressed to the appropriate Assistant Director
  • inform the recipient that any Wells submission may be used by the Commission in any action or proceeding that it brings and may be discoverable by third parties in accordance with applicable law
  • attach a copy of the Wells Release, Securities Act Release No. 5310
  • attach a copy of the SEC’s Form 1662 (“Supplemental Information for Persons Requested to Supply Information Voluntarily or Directed to Supply Information Pursuant to a Commission Subpoena”)

Compliance Bits and Pieces for June 11

Here are some interesting stories from the past week:

SEC Union: Staff Need Not Check BlackBerrys After Hours by Bruce Carton in Compliance Week’s Enforcement Action

In short, Khuzami and his senior colleagues can call, email and text SEC Enforcement staff all they want after hours–but can’t do much about it if staff members fail to pick up or respond until the next business hours begin. Chapter 293 President Greg Gilman stated in February that “a great many employees expressed concerns about being ‘on call’ 24/7. This is the type of quality of life issue about which we feel the Union is in the best position to make a big difference for SEC employees.” Gilman added that “it wouldn’t be fair to characterize employees as lazy,” according to Business Week.

FBI Uses Terror-Probe Tactics on Fraud by Devlin Barrett in the Wall Street Journal

Federal Bureau of Investigation officials in New York are increasingly employing tools and techniques used to hunt terrorists to take aim at a different kind of criminal: white-collar con artists and inside traders.

My iPad? A Great Bundle of Sticks by Andrew McAfee

“I feel about it the way Winston Churchill felt about democracy, which is that it’s the worst system for organizing economic activity except for all those other forms that have been tried. I believe that America’s extraordinary track record of innovation and creativity exists not despite its IP laws, but at least in part because of them. I applaud the fact that IP creators and owners have strong rights to exclude, even when these creators and owners are big, powerful corporations. And I really like the bundle of sticks contained in my iPad.”

DOJ Guidance and the FCPA by James Parkinson in the FCPA Professor

This suggests another question: what would the commentary landscape look like today if the DOJ published a new Federal Register notice soliciting “views concerning the extent to which compliance with 15 U.S.C. 78dd-1 and 78dd-2 would be enhanced and the business community assisted by further clarification of the provisions of the anti-bribery provisions through the issuance of guidelines”?

Bigger, Stronger, Faster: The PCAOB After The Supreme Court Ruling by Francine McKenna at re: The Auditors

The Supreme Court will decide on Free Enterprise Fund v. PCAOB before their session is concluded on June 28th. Whether the PCAOB is or isn’t declared unconstitutional, there are some key gaps in the original Sarbanes-Oxley legislation that should be addressed. Now is the time to give the PCAOB the tools it needs to be as effective as possible.

TRACE Releases First Summary of Global Anti-Bribery Activity from the WrageBlog

The good news is enforcement of international anti-bribery laws is increasing. The bad news is many countries have yet to leave the anti-bribery enforcement starting line. TRACE International released its first-ever summary of worldwide anti-bribery activity today, and it is evident from its data that enforcement is gaining momentum. The TRACE Global Enforcement Report (GER) 2010 summarizes 33 years of enforcement activity by nations around the world.

Getting Cleaned by Oil Spill Stock Scams

I doubt you have missed the news about the oil spill mess in the Gulf of Mexico. The scammers have clearly noticed and sense an opportunity to make a quick buck.

Some companies may issue press releases, or send unsolicited faxes or spam emails that might include:

  • Claims to have products or technologies that are effective in remediating oil spills or restoring the eco-system
  • Mention of contracts or expected contracts with BP, formerly British Petroleum, that will aid the cleanup effort
  • Claims that the company is providing technical assistance or expertise to BP or to U.S. government agencies such as the Coast Guard or the Environmental Protection Agency

In one of the first enforcement actions against these scams, the SEC suspended trading in ACT Clean Technologies.

The Commission temporarily suspended trading in the securities of ACT because of questions that have been raised about the accuracy and adequacy of publicly disseminated information concerning, among other things: (1) British Petroleum’s purported expression of interest in using a so-called oil fluidizer technology purportedly licensed to ACT’s wholly-owned subsidiary, American Petroleum Solutions, Inc., for use in cleanup operations in the Gulf of Mexico, and its purported request that field tests be conducted on the oil fluidizer technology; and (2) the purported results of field tests finding that the oil fluidizers are effective for use in clean up efforts in the Gulf of Mexico.

Many of these “investment opportunities” are classic pump-and-dump schemes. Early investors pay people to generate publicity intended to increase demand for company stock and drive up the stock price. They use spam emails, investor bulletin boards, blogs, Twitter and any of the myriad social networking platforms. When prices rise, the insiders or third-party scammers sell their shares and let the price drop.

Other stocks involved are MOP Environmental Solutions and Green Bridge Industries.

Complaints can be filed on FINRA’s website or on the SEC’s website. You can also call the National Center for Disaster Fraud’s special oil-spill hotline if you suspect an oil spill scam: 1-866-720-5721.

The Financial Times is reporting that the assets of BP executives are now the hook in advance-fee scam emails, in place of the typical dead-banker emails from Nigeria.

I am the private solicitor for Mr Tony Hayward, the esteemed Chairman and Chief executive of British Petroleum. My client has various personal and family related holdings of BP stock and options. Due to his faithful long standing service to BP the total value of his holdings amounts to in excess of 100m pounds sterling. Mr Heywood is a British citizen but it has been my sorrowful duty to advise him that his personal and family wealth is at great risk of being wrongfully confiscated by US authorities acting extra-territorially under special powers authorised by the US government and with the secret consent of a supine UK political and legal establishment.

Snake Oil 2.0

From Hugh MacLeod of Gaping Void:

“Anyone who has spent a lot of time studying blogs and Web 2.0, will be fully aware of all the blethering hyperbole that comes with it. Every business model that ever came before is DEAD, to be replaced forever by community! YAY!

Well, some dinosaur business models may be more dead than others, however… life still goes on. People still need to make a buck. People are just as governed by the seven deadly sins as they ever were. Some things never change. All is still vanity.”

Like Hugh, I am a great believer in Web 2.0 and Enterprise 2.0. I just think there is too much hype and too many people trying to sell snake oil.

It’s not about making money and marketing yourself. It’s about sharing ideas, collecting information and connecting with people.

Just about everyone with a substantive blog ends up spending some posts on blogging itself. Even the great criminal defense lawyer and blogger Scott Greenfield will publish an occasional post about blogging.

I’m spending some of that self-reflective time next week at the Enterprise 2.0 conference. My session is on Wednesday afternoon when my panel will talk about policy formation, governance and risk management programs as a critical requirement for the internal and external use of social networking and social media.

Once again the hype comes face to face with the reality of legal requirements and risk. Beware of the snake oil.

Snake Oil 2.0 is by Hugh MacLeod

Warning the Witness

At the Compliance Week 2010 conference, David Seide was nice enough to give me a copy of his new book: Warning the Witness: A Guide to Internal Investigations and the Attorney-Client Privilege. David co-wrote the book with Gary Collins, Managing Director & Director of Compliance at GE Energy Financial Services.

Since the DOJ, SEC and other agencies are focusing on financial crimes, it is important to understand how an employee investigation is affected by the attorney-client privilege. This book lays out the legal background.

Internal investigations get tricky when you are using outside counsel or in-house counsel from whom the employee is used to getting legal advice. The employee has some expectation that the lawyer is their lawyer and the information is confidential. We saw those problems with attorney-client privilege and internal investigations in some recent cases.

The tricky part is that since the lawyers work for the company, the company holds the right to waive the attorney-client privilege. Even beyond the privilege there is a duty of confidentiality that could further limit the necessary disclosure of information during an investigation.

Collins and Seide do a great job of laying out the legal background and then turning the legal issues into recommended best practices. The book also has extensive appendixes containing the relevant model rules of professional conduct and Department of Justice memoranda.

If you want more detail on the contents, I have included the table of contents at the end of this post.

They have a great model corporate Miranda warning that sets the stage for an employee interview. It’s key to make sure that the employee understands it, even though it is not common practice to have them sign it.

The book is a great addition to your bookshelf if you are involved in employee investigations. It’s available from the American Bar Association web store.

Table of Contents

  • Chapter I
    • Introduction
  • Chapter II
    • The Attorney-Client Privilege
    • Introduction
    • Relevant Principles Underlying the Attorney-Client Privilege
    • What Is the Privilege?
    • Elements
    • Formation of the Attorney-Client Relationship
    • Application to the Corporate Context
    • Duty of Confidentiality to Prospective Clients
    • Elements
    • Application to the Corporate Context
  • Chapter III
    • Upjohn and Its Impact on the Attorney-Client Privilege
    • The Corporate Attorney-Client Privilege Prior to Upjohn
    • The Upjohn Decision
  • Chapter IV
    • Formalizing Witness Warnings
    • Codification through the ABA Model Rules
    • ABA Rule 1.13(f)
    • ABA Rule 4.3
    • The Relevance of the Model Rules to Upjohn Warnings
    • Adoption of the Model Rules by Various Jurisdictions
    • Illustrative Post-Upjohn Cases
  • Chapter V
    • Current Witness Warning Practices
  • Chapter VI
    • Recommended Best Practices
    • Suggested Witness Warning
    • Recommended Procedures to Follow
    • Counsel Interviewing Constituents
    • Other Issues for Consideration
    • Constituents Approaching Counsel
    • Supplementing Oral Warnings
    • “Do I need a lawyer?”
    • “What is my status? Is there a conflict of interest?”
    • Separate Counsel for Constituents
    • “What if I refuse to cooperate in this investigation?”
    • Third-Party Uses of Information
    • Confidentiality of Communications Between Counsel and the Constituent
    • Joint Representation of the Corporation and the Individual

Private Equity and the Custody Rule

With the impending removal of the 15 Client Rule exemption from registration with the SEC, I was scratching my head trying to figure how to make the SEC’s new custody rule work for private equity.

The SEC recently updated its guidance on custody rule compliance, trying to add clarity for advisers to pooled investment vehicles.

Here is one:

Question II.3

Q: If an adviser manages client assets that are not funds or securities, does the amended custody rule require the adviser to maintain these assets with a qualified custodian?

A: No. Rule 206(4)-2 applies only to clients’ funds and securities. (Posted 2003.)

Actually that does not help. A private equity fund will hold interests in private companies. Those interests may be stock, LLC interests or partnership interests. Just because the company is private, those interests may still be securities.

For real estate private equity, the deeds to the underlying property would fall outside the custody rule. The intermediate entities, REITs and joint ventures may not fall outside the custody rule.

§ 275.206(4)-2(b)(2) has an exemption for certain privately offered securities, if the securities are:

(A) Acquired from the issuer in a transaction or chain of transactions not involving any public offering;
(B) Uncertificated, and ownership thereof is recorded only on the books of the issuer or its transfer agent in the name of the client;
and
(C) Transferable only with prior consent of the issuer or holders of the outstanding securities of the issuer.

This exemption is available only if the fund is audited, and the audited financial statements are distributed, as described in paragraph (b)(4) of this section.

The “uncertificated” requirement can be a problem. It is common practice for lenders relying on private company interests as collateral to require that they be certificated to get better priority under the UCC.

The limits on transfer are a problem because as the holder of the interests, you want the flexibility to transfer interests.

The financial statements requirement is another extra burden, although it may not be a problem for many funds. This requires:

  • annual audit
  • in accordance with GAAP
  • within 120 days of the end of the fiscal year
  • independent accountant registered and subject to inspection by PCAOB

(I’m not sure how quickly the SEC can change this rule if the Supreme Court rules PCAOB unconstitutional.)

In looking towards Capitol Hill, the Senate’s bill would exempt private equity firms from having to comply with the custody rule since they would not have to register. The House’s bill would not exempt private equity firms from registration, so they would be subject to the custody rule.

One interesting aspect of the bills is that fund advisers that are currently registered because they have more than 15 clients/funds may no longer have to be registered if they fall under the venture capital fund advisers exemption or private equity fund advisers exemption. (Assuming those exemptions survive in the final bill.)

Image of Old West Bank – It’s a beautiful bank is by oddsock

Ernst & Young’s 11th Global Fraud Survey

Driving ethical growth – new markets, new challenges, the title of Ernst & Young’s 11th Global Fraud Survey, shows fraud is up; audit and legal are stretched to deal with these challenges; compliance is patchy; and Boards need more and better information to manage the risks.

They interviewed more than 1,400 chief financial officers, and heads of legal, compliance and internal audit in 36 countries to get their views on how companies are managing the risks associated with fraud, bribery and corruption.

The survey was conducted in 2009 and 2010 on behalf of Ernst & Young’s Fraud Investigation & Dispute Services practice.

Consistent with the experience of past recessions, companies have been struggling with an upsurge in fraud and corruption. Almost one in six of our respondents have experienced a significant fraud in the past two years.

Compliance is New

Compliance is still a developing area outside of the highly regulated industries, such as life sciences and financial services.

About half of the compliance professionals surveyed have been in a compliance role for less than five years.

As a relative newcomer, the compliance function faces the extra hurdle of demonstrating its value. Of course, you need to demonstrate value if you want to get more resources. This was the greatest challenge identified by compliance professionals in their survey.

The competition for resources also reduces compliance’s ability to gather the current management information required to do its job, making it harder still to demonstrate value to the rest of the business.

Board Concerns

Seventy-six percent of respondents feel their boards are increasingly concerned about their personal liability from fraud, bribery and corruption. The survey indicates that the Board’s level of concern with fraud has risen with the overall rise in fraud and corruption risks in the current economic climate. All the survey participants think that board members are taking their own personal exposure seriously.