CNiL Information on Whistleblower Systems

To follow up on French Data Protection Authority Blocks SOX Whistleblower Programs and Whistleblowers in France, here is CNiL’s FAQ on whistleblowing systems and guideline document for whistleblower systems.

CNiL defined a set of rules to be followed for whistleblower systems to be compatible with French data protection laws: Unique Authorisation dated December 8, 2005 (in French, without an English translation).

According to the FAQ on whistleblowing systems a whistleblower system must be limited to

serious risks to the company in the fields of accounting, financial audit, fight against bribery or banking areas can be collected and filed by the organisation in charge of handling the reports.

Examples:

  • Accounting and account auditing disorders,
  • False entries,
  • Tax evasion,
  • Fictitious personnel employment,
  • Bribery of public agents …

Specific examples in the banking area:

  • Terrorism funding,
  • Money laundering…

The whistleblower system may also be used to gather reports on facts

that affect the vital interests of the company or its employees’ physical or mental integrity

Examples:

  • Threat to the safety of another employee,
  • Moral harassment,
  • Sexual harassment,
  • Discrimination,
  • Insider trading,
  • Conflict of interests,
  • Serious environmental breaches or threats to public health,
  • Disclosure of a manufacturing secret,
  • Serious risks to the company’s information system security …

CNiL also takes the position that the whistleblowing system must not be compulsory, but merely encouraged, and that the system should not be designed to encourage anonymity. Confidentiality is fine but anonymity is not. CNiL provides this example language for the scope of a whistleblower system:

The system is open to employees who wish to inform the organisation about facts susceptible to breach applicable rules in the financial, account auditing and corruption prevention areas. This system is an alternative way of reporting genuine concerns which would not be adequately dealt with by other existing reporting channels such as line management or personnel representatives. If the vital interest of the company is threatened in other areas or if the physical or mental integrity of employee(s) is at stake, reports on such serious facts may be redirected to appropriate individuals within the company. No other type of reports can be made using this system.

French Data Protection Authority Blocks SOX Whistleblower Programs

As a follow-up to Whistleblowers in France, John B. Reynolds, III and Amy E. Worlton of Wiley Rein LLP offer more insight into the programs and decisions.

CNIL found that employees’ ability to lodge anonymous complaints would increase the likelihood of malicious false reports. CNIL also found that the two companies’ plans would not provide implicated individuals with sufficient access to the records generated by the anonymous tips. Thus, these individuals would not have a sufficient opportunity to challenge accusations. Finally, CNIL held that neither of the companies’ proposals was the least restrictive means of ensuring a responsible corporate culture: employee education or improved auditing standards could achieve the same results without creating and processing personal data about company executives.

See newsletter from Wiley Rein LLP: French Data Protection Authority Blocks SOX Whistleblower Programs.

Whistleblowers in France

French privacy law limits the ability to use anonymous hotlines.

In France, the French Data Protection Authority (La Commission Nationale de l’Informatique et des Libertés (CNIL)), an administrative agency, oversees processes involving the collection or compilation of personal data. In 2005 it decided that two reporting procedures were in violation of French privacy law. McDonald’s Corp. and CEAC, a division of Exide Technologies, sought CNIL’s approval of their whistleblower hotline procedures. In June 2005, CNIL announced that these proposed reporting procedures would violate French law and it refused to authorize the use of such procedures. CNIL expressed concern that anonymous reporting would lead to malicious false reports of misconduct. It determined that the risk of malicious reporting was disproportionate to the benefit of the hotlines.

There is an obligation to file procedures with the CNIL before they are implemented if files or records will be maintained in France.

See Law Flash from Morgan Lewis: Whistleblower Procedures Inconsistent with French, German Law?

A Unified Approach to GRC

I participated in a webinar by Carole Stern Switzer of OCEG and Sumner Blount of CA, Inc. on Unified Governance, Risk and Compliance.

Governance – the culture, policies, processes, laws and institutions that define the structure by which companies are directed and managed.

Risk – the effect of uncertainty on business objectives.

Compliance – The act of adhering to and demonstrating adherence to the external regulations and standards as well as corporate policies.

GRC is the coordination of these three areas to increase efficiency and produce more complete information for better decision-making.

After all, bad information leads to bad decision-making.

The evolution to GRC came from one-off controls and testing as each new regulation came into place. The start was generally because of Sarbanes-Oxley. In the early days the internal audit and the general counsel operated separately from the operations group. The operations are run through the internal IT systems. As more compliance groups grew, they sent more and more audit and information requests to the operations groups. The goal is to unify and simplify risk and compliance efforts.

The siloed information makes it hard to determine the status of compliance and difficult to map controls to regulations. Sumner proposes a global repository of audits, risks, tests and test results, cross-referenced to unite the silos of information: a single source of truth for compliance, risk and governance.

The unified approach should result in giving you visibility into the state of operations and risks. This could allow you to remediate problems before they become critical.

The policy lifecycle starts with (1) identifying the requirements, (2) setting policies to meet requirements, (3) creating controls to enforce policies and then (4) monitoring and remediating the controls. This lifecycle should have feedback loops so that policies and controls stay up to date and functional.

Sumner sees five management tools: regulatory content, risk management, policy management, controls management and project management.

For policy management you need support for the creation, review, self-assessment and update of policy documents. You need a workflow to track approvals. You need to track people who have attested that they have read, comply and will comply with the policy.

With regulatory content, it is difficult to develop the expertise, keep the information up to date and translate it into control objectives. It is also helpful to harmonize the controls across regulations, so that you are not creating redundant or even conflicting controls.

For controls management you want a centralized repository of controls mapped to the associated policies, regulations, risks and resources. You also want to store test results and assignment of actions to be done.

For project management, you want to track project status, support for an audit trail and support for reporting.

The key is to reduce costs, reduce disruptions, improve risk management, and use it to drive operational improvement to gain competitive advantage.

Nevada Law on Privacy of Personal Information

A Nevada law requiring encryption of customer personal information went into effect on October 1, 2008. See Nev. Rev. Stat. § 597.970. The legislation is short but potentially wide-ranging in scope.

NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]

1.  A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

2.  As used in this section:

(a) “Encryption” has the meaning ascribed to it in NRS 205.4742.

(b) “Personal information” has the meaning ascribed to it in NRS 603A.040.

(Added to NRS by 2005, 2506, effective October 1, 2008)

What Is Personal Information?

Nevada law defines “personal information” to mean:

natural person’s first name or first initial and last name in combination with the person’s: social security number; driver’s license number or identification card number; and/or account, credit or debit card number in combination with any security code, access code, or password that would permit access to the person’s financial account.

Nev. Rev. Stat. § 603A.040. “Natural person” is not limited to Nevada residents.

What is Encryption?

Encryption means

the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:

1.  Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;

2.  Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or

3.  Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.

(Added to NRS by 1999, 2704)

Nev. Rev. Stat. § 205.4742 (2007).

Additional Guidance on the Massachusetts Privacy Regulations

The Massachusetts Office of Consumer Affairs and Business Regulation has provided guidance regarding its new regulations requiring all entities that own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts to develop, implement and maintain a comprehensive written information security program and to meet specific computer information security requirements. I mentioned the regulations, which have a January 1, 2009 compliance date, previously: New Massachusetts Privacy Laws, Privacy and Security Alert: Massachusetts Has New Data Security Regulations, Massachusetts Regulations to Mandate Comprehensive Information Security Requirements.

The newly issued guidance consists of the following:

Sarbanes-Oxley Act Whistleblower Digest

The U.S. Department of Labor assembled a digest of whistleblower law under the Sarbanes-Oxley Act.

On July 30, 2002, the Sarbanes-Oxley Act of 2002, P.L. 107-204 was signed into law by President Bush. Section 806 of the Act, to be codified at 18 U.S.C. § 1514A, is a whistleblower provision that provides protection for employees of publicly traded companies who provide “information, cause information to be provided, or otherwise assist in an investigation regarding any conduct which the employee reasonably believes constitutes a violation of section 1341, 1343, 1344, or 1348, any rule or regulation of the Securities and Exchange Commission, or any provision of Federal law relating to fraud against shareholders….” Complaints under this provision are filed with the Secretary of Labor, who is to investigate and adjudicate the matter under the rules and procedures found in the statutory AIR21 whistleblower provision. The Sarbanes-Oxley whistleblower procedure is somewhat different than AIR21 and all other whistleblower cases administered by the DOL in that if the Secretary has not issued a final decision within 180 days of the filing of the complaint, and there is no showing that such delay is due to the bad faith of the claimant, the claimant may bring an action at law or equity for de novo review in the appropriate district court of the United States.

Ethics as a Business Process

Adam Turteltaub wrote Ethics as a Business Process for the fall 2005 edition of GRC 360.

Forward-looking companies are seeking to evolve business from soft art to hard science as a means to win in the marketplace, improve competitive advantage, achieve higher market valuations, ensure employee retention, foster fruitful partnerships and strengthen customer satisfaction.

. . .

There are three key areas to consider when examining the creation of business processes around ethics:

  • People: An organization must examine and manage the extent to which ethical conduct is embedded into the fabric of business thinking and fully understand the ethical risks employees face.
  • Process: An organization must set forth an effective business framework that integrates all ethics and compliance-related activities within the enterprise.
  • Technology: An organization must leverage tools that automate the process to achieve greater efficiency and provide management with the data it needs to assess the health of the effort and respond quickly to problems.

Real Money Laundering

The October 2008 edition (.pdf) of The SAR Activity Review, Trends, Tips and Issues published by the Financial Crimes Enforcement Network, has a great story on page 29 about a marijuana smuggling and money laundering operation.

The organization was concerned that the cash smelled like marijuana. The bank tellers even noticed the smell of marijuana on the money. The organization ended up washing and ironing the cash to remove the smell.

Too late. The teller filed a Suspicious Activity Report on the marijuana money, which then focused law enforcement on subsequent deposits. Law enforcement had previously been keeping an eye on individuals in the organization. Over the course of the investigation, they tracked more than 1,000 kilograms of marijuana that the organization distributed into the local market.

Dirty money led to a 30 jail sentence for the leader of the organization.