CNiL Information on Whistleblower Systems

To follow-up on French Data Protection Authority Blocks SOX Whistleblower Programs and Whistleblowers in France, here is CNiL‘s FAQ on whistleblowing systems and guideline document for whistleblower systems.

CNiL defined a set of rules to be followed for whistleblower systems to be compatible with French data protection laws: Unique Authorisation dated December 8, 2005 (in French, without an English translation).

According to the FAQ on whistleblowing systems a whistleblower system must be limited to

serious risks to the company in the fields of accounting, financial audit, fight against bribery or banking areas can be collected and filed by the organisation in charge of handling the reports.

Examples :

  • Accounting and account auditing disorders,
  • False entries,
  • Tax evasion,
  • Fictitious personnel employment,
  • Bribery of public agents …

Specific examples in the banking area:

  • Terrorism funding,
  • Money laundering…

The whistleblower system may also be used to gather reports on facts

that affect the vital interests of the company or it its employee’s physical or mental integrity
Examples:

  • Threat to the safety of another employee,
  • Moral harassment,
  • Sexual harassment,
  • Discrimination,
  • Insider trading,
  • Conflict of interests,
  • Serious environmental breaches or threats to public health,
  • Disclosure of a manufacturing secret,
  • Serious risks to the company’s information system security …

CNiL also takes to position that the whistleblowing system must not be compulsory, but merely encouraged. CNiL takes the position that the systems should not be designed to encourage anonymity. Confidentiality is fine but anonymity is not.  CNiL provides this example language for the scope of a whistleblower system:

The system is open to employees who wish to inform the organisation about facts susceptible to breach applicable rules in the financial, account auditing and corruption prevention areas. This system is an alternative way of reporting genuine concerns which would not be adequately dealt with by other existing reporting channels such as line management or personnel representatives. If the vital interest of the company is threatened in other areas or if the physical or mental integrity of employee(s) is at stake, reports on such serious facts may be redirected to appropriate individuals within the company. No other type of reports can be made using this system.

French Data Protection Authority Blocks SOX Whistleblower Programs

As a follow-up to the Whistleblowers in France, John B. Reynolds, III and Amy E. Worlton of Wiley Rein LLP offer more insight to the programs and decisions.

CNIL found that employees’ ability to lodge anonymous complaints would increase the likelihood of malicious false reports. CNIL also found that the two companies’ plans would not provide implicated individuals with sufficient access to the records generated by the anonymous tips. Thus, these individuals would not have a sufficient opportunity to challenge accusations. Finally, CNIL held that neither of the companies’ proposals was the least restrictive means of ensuring a responsible corporate culture: employee education or improved auditing standards could achieve the same results without creating and processing personal data about company executives.

See newsletter from Wiley Rein LLP: French Data Protection Authority Blocks SOX Whistleblower Programs.

Whistleblowers in France

French privacy law limits the ability to use anonymous hotlines.

In France, the French Data Protection Authority (La Commission Nationale de l’Informatique et des Libertés (CNIL)), an administrative agency, oversees processes involving the collection or compilation of personal data. In 2005 they decided that two reporting procedures were in violation of French privacy law. McDonald’s Corp. and CEAC, a division of Exide Technologies, sought CNIL’s approval of their whistleblower hotline procedures. In June 2005, CNIL announced that these proposed reporting procedures would violate French law and it refused to authorize the use of such procedures. CNIL expressed concerned that anonymous reporting would lead to malicious false reports of misconduct. They determined that the risk of malicious reporting was disproportionate to the benefit of the hotlines.

There is an obligation to file procedures with the CNIL before they are implemented if files or records will be maintained in France.

See Law Flash from Morgan Lewis: Whistleblower Procedures Inconsistent with French, German Law?

Nevada Law on Privacy of Personal Information

A Nevada law requiring encryption of customer personal information went into effect on October 1, 2008. See Nev. Rev. Stat. § 597.970. The legislation is short but potentially wide-ranging in scope.

NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]

1.  A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

2.  As used in this section:

(a) “Encryption” has the meaning ascribed to it in NRS 205.4742.

(b) “Personal information” has the meaning ascribed to it in NRS 603A.040.

(Added to NRS by 2005, 2506, effective October 1, 2008)

What Is Personal Information?

Nevada law defines “personal information” to mean:

natural person’s first name or first initial and last name in combination with the person’s: social security number; driver’s license number or identification card number; and/or account, credit or debit card number in combination with any security code, access code, or password that would permit access to the person’s financial account.

Nev. Rev. Stat. § 603A.040. Natural person is not limited to Nevada residents.

What is Encryption?

Encryption means

the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:

(Added to NRS by 1999, 2704)

1.  Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;

2.  Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or

3.  Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.

Nev. Rev. Stat. § 205.4742 (2007).

Additional Guidance on the Massachusetts Privacy Regulations

The Massachusetts Office of Consumer Affairs and Business Regulation has provided guidance regarding its new regulations requiring all entities that own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts to develop, implement and maintain a comprehensive written information security program and make specific computer information security requirements. I mentioned the regulations, which have a January 1, 2009 compliance date, previously: New Massachusetts Privacy Laws, Privacy and Security Alert: Massachusetts Has New Data Security Regulations, Massachusetts Regulations to Mandate Comprehensive Information Security Requirements.

The newly issued guidance consists of the following:

Certification Mark for EU Safe Harbor Framework

The Commerce Department’s International Trade Administration (ITA) has developed a certification mark for the U.S.-European Union Safe Harbor Framework. The mark may be used by companies on their websites to signify that they have self-certified compliance with the provisions of the Safe Harbor Framework. To display the certification mark, you must follow the Safe Harbor Certification Mark Instructions developed by ITA. Only those organizations that have self-certified and are listed on ITA’s official Safe Harbor Program list will be allowed to use the mark in an appropriate manner.

More than 1,500 U.S. companies participate in the Safe Harbor.

If you are considering joining the safe harbor, take the following steps:

  • Read the Safe Harbor Overview, including the Benefits of Joining.
  • Read the Safe Harbor Documents.
  • Review the Safe Harbor Workbook.
  • Review the Helpful Hints Before Self-Certification.

If you decide to join the safe harbor, you should:

  • Bring your organization’s policies and practices into compliance with the Safe Harbor’s Requirements;
  • Verify that your organization has done so; and
  • If you wish to assure your organization of safe harbor benefits, review the Information Required for Certification
  • complete and submit the Certification Form.

After your information has been reviewed for completeness, it will be posted to the Safe Harbor List.

FTC Will Grant Six-Month Delay of Enforcement of ‘Red Flags’ Rule

The FTC announced that they will suspend enforcement of the new “Red Flags Rule” until May 1, 2009, to give creditors and financial institutions additional time in which to develop and implement written identity theft prevention programs. The Identity Theft Rules are found at 16 C.F.R. Part 681.2.

The FTC published a FTC Business Alert in June 2008 entitled New ‘Red Flag’ Requirements for Financial Institutions and Creditors Will Help Fight Identity Theft. The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.”

A financial institution has the same meaning as in 15 U.S.C. 1681a(t) which is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.

A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors. Most creditors, except for those regulated by the Federal bank regulatory agencies and the NCUA, come under the jurisdiction of the FTC.

A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.

The Red Flag Rules would require the establishment of an Identity Theft Prevention Program. 16 C.F.R. Part 681.2 lays out these requirements and elements:

(1) Program requirement. Each financial institution or creditor that offers or maintains one or more covered accounts must develop and implement a written Identity Theft Prevention Program (Program) that is designed to detect, prevent, and mitigate identity theft in connection with the opening of a covered account or any existing covered account. The Program must be appropriate to the size and complexity of the financial institution or creditor and the nature and scope of its activities.

(2) Elements of the Program. The Program must include reasonable policies and procedures to:

(i) Identify relevant Red Flags for the covered accounts that the financial institution or creditor offers or maintains, and incorporate those Red Flags into its Program;

(ii) Detect Red Flags that have been incorporated into the Program of the financial institution or creditor;

(iii) Respond appropriately to any Red Flags that are detected pursuant to paragraph (d)(2)(ii) of this section to prevent and mitigate identity theft; and

(iv) Ensure the Program (including the Red Flags determined to be relevant) is updated periodically, to reflect changes in risks to customers and to the safety and soundness of the financial institution or creditor from identity theft.

New Massachusetts Regulations to Mandate Comprehensive Information Security Requirements

goodwinprocter_logo

Goodwin Procter LLP published a summary of the New Massachusetts Regulations to Mandate Comprehensive Information Security Requirements.

The regulations have broad coverage, applying to all entities that own, license, store or maintain personal information about residents of the Commonwealth of Massachusetts, regardless of whether or not the entity has operations in the Commonwealth. Federally regulated financial and other entities are not exempt from the Massachusetts regulations, raising the question of whether entities that are in compliance with Gramm-Leach-Bliley, HIPAA and/or SEC information security requirements will be considered to meet the new Massachusetts requirements. Significantly, “personal information” has a somewhat limited scope, and is defined as a resident’s first and last name or first initial and last name in combination with a Social Security number, driver’s license number or financial account number. The regulations impose two principal requirements: (i) the duty to develop, implement and maintain a very comprehensive written information security program that meets very specific requirements; and (ii) the obligation to meet specific computer information security requirements.

Privacy and Security Alert: Massachusetts Has New Data Security Regulations

Cynthia Larose, Elissa Flynn-Poppey and Julia M. Siripurapu of Mintz Levin Put together an alert with a a summary of the new Massachusetts Data Security Regulations: Privacy and Security Alert: Massachusetts New Data Security Regulations Effective January 1, 2009.

The alert has a summary of some of the changes to the changes to the regulations since comments were made in january 2008.

Protecting Individual Privacy in the Struggle Against Terrorists

The National Research Council has published a new report finding that all U.S. agencies with counterterrorism programs that collect personal data should be required to evaluate the programs’ effectiveness, lawfulness, and impacts on privacy.

In its press release, they summarize that “Collecting and examining data to try to identify terrorists inevitably involves privacy violations, since even well-managed programs necessarily result in some “false positives” where innocent people are flagged as possible threats, and their personal information is examined.  A mix of policy and technical safeguards could minimize these intrusions, the report says.  Indeed, reducing the number of false positives also improves programs’ effectiveness by focusing attention and resources on genuine threats.”

The report, Protecting Individual Privacy in the Struggle Against Terrorists: A Framework for Program Assessment, is available from The National Acadamies Press in paperback or free online.

“All U.S. agencies with counterterrorism programs that collect or “mine” personal data — such as phone records or Web sites visited — should be required to evaluate the programs’ effectiveness, lawfulness, and impacts on privacy. A framework is offered that agencies can use to evaluate such information-based programs, both classified and unclassified. The book urges Congress to re-examine existing privacy law to assess how privacy can be protected in current and future programs and recommends that any individuals harmed by violations of privacy be given a meaningful form of redress. Two specific technologies are examined: data mining and behavioral surveillance. Regarding data mining, the book concludes that although these methods have been useful in the private sector for spotting consumer fraud, they are less helpful for counterterrorism because so little is known about what patterns indicate terrorist activity. Regarding behavioral surveillance in a counterterrorist context, the book concludes that although research and development on certain aspects of this topic are warranted, there is no scientific consensus on whether these techniques are ready for operational use at all in counterterrorism.”

Read this FREE online!
Full Book | PDF Summary