Six States Now Require Social Security Number Protection Policies

Miriam Wugmeister and Nathan D. Taylor of Morrison & Foerster wrote the December Privacy and Data Security Update: Six States Now Require Social Security Number Protection Policies.

  • Connecticut – Ct. H.B. 5658.
  • Massachusetts – 201 Mass. Code Regs. §§ 17.01 – 17.04.
  • Michigan – Mich. Comp. Laws § 445.84.
  • New Mexico – N.M. Stat. §§ 57-12B-2 – 57-12B-3.
  • New York – N.Y. Gen. Bus. Law § 399-dd(4).
  • Texas – Tex. Bus. & Com. Code § 35.581 (effective through March 31, 2009); Tex. Bus. & Com. Code § 501.051 – 501.053 (effective April 1, 2009).

These state SSN protection policy requirements highlight the importance of maintaining up-to-date privacy policies that comply with the evolving requirements under applicable state laws.  To get started, an organization should consider taking the following steps:

  • determine if you collect or maintain SSNs;
  • review your policies and procedures that are employee-facing to determine if you have sufficient policies to meet the obligations under the various state laws;
  • update your policies and procedures as needed;
  • train employees on the new policies and procedures; and
  • audit your employees to ensure that they are complying with your policies and procedures.

Data Privacy Roundtable

Deloitte hosted an executive roundtable on Massachusetts Data Protection. The room was packed full of us trying to figure out what to do with these regulations.

Mark Schreiber of Edwards Angell Palmer & Dodge kicked things off with a look at the history of the regulations and the regulators' view of them. The regulators acknowledge that the regulations are burdensome. Tough, they say: “Look at all of the data breaches!”

The regulations started with MGL c. 93H addressing data breaches, with Section 2(a) of MGL c. 93H providing for the promulgation of regulations. What came out were some of the toughest regulations in the country. There are no exemptions for industry, sector or size. If you have personal information on a Massachusetts resident you need to comply. That means every company with operations in Massachusetts and any company with information on a Massachusetts resident. These regulations go beyond the Red Flag Rules from the FTC.

Companies need to address whether they are going to implement full enterprise protection or merely selective protection. If you can isolate the data on Massachusetts residents, you can treat that data differently from other data.

The panelists also brought up the concept of “data in motion” versus “data at rest.” You need to look at how you are transmitting data as well as how it is stored.

What happens if you do not comply? There is no private right of action under the statute or regulations. But there will be lawsuits under these statutes. The panel foresees two types of class action suits coming out of the law. One will be a negligence claim for allowing a data breach: the law creates the standard of care, so failure to comply with the law is negligence per se. They also see suits over the failure to properly notify the individuals affected by a data breach.

Audience poll: How many have a team assembled to implement the new regulations:

  • 72% Yes
  • 24% No
  • 4%  Not sure

Audience poll: How many have read the new regulations and guidance:

  • 45% Yes
  • 55% No

Audience poll: How many have addressed whether to do selective encryption or selective protection:

  • 29% Yes
  • 62% No
  • 9% Not sure

Everyone who said yes has decided to use encryption.

The panel moved on to stress the importance of ownership of the Written Information Security Program (WISP) required by the regulations. You need to address the physical requirements as well as the electronic requirements. This requires a team approach, including HR, compliance, IT and building security.

You also need to focus on how to handle data security breaches. The Massachusetts statute, like those of other states, sets a very short time frame for notification. Less than half the audience had a well-defined plan, or even a somewhat defined plan.

On the training front, you need to decide on the discipline for failure to comply. You also need to decide whom to train and at what level.

Audience poll: How many have training programs on information security:

  • 30% Training for all employees
  • 13% Training for selected employees
  • 52% None
  • 5%  Not sure

The paradigm of the Massachusetts regulations is that you should only collect the information you need, store it only for the time needed, and make it available only to the people who need it.

In assessing the biggest challenges to complying with the law, the audience found identifying and assessing risks to be the biggest challenge. 53% of the audience had not done an audit of personal information sources. 49% of the audience does not monitor access to personal information.

Vendor management is another big issue under the law. If you share personal data with vendors, they need to be in compliance with the law. The law requires a certification of compliance, but there is no standard form of certificate. The first step is to identify vendors and then to assess the risk profile of each vendor. 59% of the audience had not identified the vendors that handle their personal data.

As part of vendor management, you will need to continually monitor the vendors with which you share personal data. You need to negotiate compliance into the vendor agreements and include oversight provisions. You need to incorporate vendor risk management as part of the governance program.

Data on Bribe Demands in China

An anonymous online survey by TRACE International found that, of those business people visiting China who were asked for more than one bribe, almost 20 percent reported that they had been solicited more than 100 times.

TRACE set up an online bribe-reporting system that allows people to file reports in different languages about bribe demands. The first report by its online system (called BRIBEline) covered data it collected in China from July 2007 to June 2008.

  • Eighty-five percent of the bribes were solicited by someone tied to the Chinese government. That includes
    • 11 percent requested by a Communist Party official
    • 11 percent by a police officer
    • 11 percent by someone in the court system and
    • 52 percent by officials from another government branch.
  • Seventy-three percent of people who reported being asked for a bribe in China said they were asked more than once.
  • The bribe requests ranged from less than $20 (3 percent) to more than $500,000 (6 percent), with 22 percent of them asking for more than $10,000. Some 12 percent asked for gifts, entertainment or hospitality, while 4 percent asked for more business, and 3 percent requested sex.
  • Fifty-four percent of the demands were to induce action to which the business was entitled, such as timely service or avoidance of some kind of trouble.

Market Reaction to Adoption of IFRS in Europe

Christopher S. Armstrong, Mary E. Barth, Alan D. Jagolinzer, and Edward J. Riedl published Market Reaction to Adoption of IFRS in Europe (.pdf)

This study examines the European stock market reaction to sixteen events associated with the adoption of International Financial Reporting Standards (IFRS) in Europe. European IFRS adoption represented a major milestone towards financial reporting convergence yet spurred controversy reaching the highest levels of government. We find a more positive reaction for firms with lower quality pre-adoption information, which is more pronounced in banks, and with higher pre-adoption information asymmetry, consistent with investors expecting net information quality benefits from IFRS adoption. We also find that the reaction is less positive for firms domiciled in code law countries, consistent with investors’ concerns over enforcement of IFRS in those countries. Finally, we find a positive reaction to IFRS adoption events for firms with high quality pre-adoption information, consistent with investors expecting net convergence benefits from IFRS adoption. Overall, the findings suggest that investors in European firms perceived net benefits associated with IFRS adoption.

With IFRS coming to the US in a few years it is interesting to see the reaction to the new accounting standards.

The SEC proposes that implementation of IFRS by U.S. issuers would be staggered into three phases based on the size of the reporting company. IFRS filings for large accelerated filers would begin for fiscal years ending on or after December 15, 2014; for accelerated filers, for fiscal years ending on or after December 15, 2015; and for non-accelerated filers and smaller reporting companies, for fiscal years ending on or after December 15, 2016.

Researching the Federal Securities Law

The SEC has put together a collection of Researching the Federal Securities Laws Through the SEC Website.

This guide provides an overview of how to research the securities law through the SEC website and is provided as a service to investors and members of the public. It is neither a legal interpretation nor a statement of SEC policy. If you have questions concerning the meaning or application of a particular law or rule you should consult with an attorney who specializes in securities law. This guide does not address primary and secondary sources available in print or through other websites, other than those to which the SEC website links. The guide is organized by providing suggestions for the research of:

  • Statutes (the Securities Laws)
  • SEC Rules and Regulations
  • SEC Concept Releases
  • SEC Interpretive Releases
  • SEC Staff Interpretations

In general, you should conduct your research on the federal securities laws in the order prescribed above. This is because while the federal statutes and the SEC rules and regulations have the force of law, other SEC-issued documents vary in the degree to which they carry the force of law.

Managing Ethics and Compliance During a Recession

LRN hosted a webinar on Managing Ethics and Compliance During a Recession.

The panel consisted of:

  • Marjorie Doyle, Practice Leader, Solutions Management at LRN
  • David Greenberg, Executive Vice President of Knowledge at LRN
  • Debra Hennelly, President and Senior Adviser at Compliance & Ethics Solutions LLC
  • Adam Turteltaub, VP of Membership Development at The Society of Corporate Compliance and Ethics.

An ERC survey found that 60% of employees who felt pressured to commit misconduct cited “keeping their job” as a reason. As the economy sours, there is more pressure to perform and to take shortcuts to achieve that performance. In times of economic stress, it is better to over-inform than to under-inform.

How do you enlist support in your ethics and compliance program?

  • Make management aware that bad things happen more often when there is economic stress on the company.
  • First question a prosecutor will ask is: “What steps have you taken?” You do not want the answer to be: “We cut programs.”
  • Government is increasing pursuit of corporate wrong-doing. They just hired two new deputy chiefs.
  • People feel pressure to cut corners and make the numbers.

It is important to let people know the consequences of bad behavior. There are concrete remedies for misconduct. Also celebrate good behavior.

Highlight the non-retaliation policy. People are not going to make the call if they think they may lose their jobs. Silence is not good.

Obviously, compliance is not a profit center, so you need to be concerned when there are declining profits.

Ten Ways to Turn Your Holiday Party Into A Lawsuit

Shanti Atkins of ELT published The Top 10 Ways to Turn your Holiday Party into a Lawsuit:

Number 10: Ask staff to work evenings or weekends arranging the party, but don’t pay them for the extra time because it’s not really “work.”

Number 9: Insist on calling it a “Christmas party.”

Number 8: Invite the purchasing officer for a big government contract your company is pursuing, and make sure to buy her a lavish, expensive gift.

Number 7: Open bar all night, with holiday colored jello shots.

Number 6: Lots of mistletoe.

Number 5: Pass around a microphone, and make everyone describe how they’ve been “naughty or nice” this past year.

Number 4: On the party invitation, summon “husbands and wives” to join you for an evening of holiday cheer.

Number 3: To make sure you get a great turn out, tell employees that anyone who doesn’t show up will have their pay docked 4 hours.

Number 2: Don’t provide alternative transportation home for inebriated party goers.

And our Number 1 way to turn your holiday party into a lawsuit? Announce to everyone that “what happens at the holiday party, stays at the holiday party.”

See Shanti’s post for some of the reasons these items made the list. There is also a podcast that accompanies the blog post: Top 10 Ways to Turn your Holiday Party Into a Lawsuit podcast

General Counsel as the Chief Ethics and Compliance Officer

Over at the Society of Corporate Compliance and Ethics bulletin boards there was a great deal of discussion about whether the CECO should hold a concurrent role as general counsel or whether the positions should be split. Here is a collection of the reasons given:

  • In some industries, including healthcare, the government has specifically stated that it does not believe that the compliance officer and general counsel roles should be filled by the same person or that the compliance officer should report to the general counsel. This position occurs in “compliance program guidance” issued by the HHS Office of Inspector General. (Daniel Roach)
  • The role of compliance is to unearth issues and potential issues while they are still inchoate, which is not necessarily the same as the GC, who is generally reactive and then does not go beyond the specific question presented. (Emil Moschella)
  • I think the joint role could affect the integrity of the attorney-client privilege. If the roles are separate, then I think the privilege is less assailable on the grounds that, at the time the allegedly protected information was received, the individual was wearing the hat of the compliance officer and not that of the GC. (Emil Moschella)
  • Many of the processes that the Compliance Officer (CO) may wish to review may have been previously blessed by the office of the GC, so that they may not get the fresh look that the compliance office would give them. The independence of the compliance review is questioned. (Emil Moschella)
  • The compliance and ethics function is not in the business of giving legal advice. It is a management function that calls for good project management skills. It calls for a focus on ethics and compliance, when often lawyers focus on just the law. (Joseph Murphy)

Standard & Poor’s To Begin Evaluating Enterprise Risk Analysis

On May 7, 2008, Standard & Poor’s announced that it will address enterprise risk management as part of its corporate ratings: Standard & Poor’s To Apply Enterprise Risk Analysis To Corporate Ratings. (.pdf)

Ultimately, we will enhance transparency by providing investors and issuers our views of a management team’s ability to understand, articulate, and successfully manage risk. The benefits of the ERM enhancement will be to make the process of forming our rating opinions more forward looking, achieve finer differentiation among ratings, and facilitate construction of “what if” forecast scenarios.

S&P will look toward a company’s adoption of the COSO standards or the AS/NZS 4360 standards. But S&P will not make them a prerequisite for enterprise risk management, nor treat them as sufficient evidence of adequate risk management.

The Cumulative Effect of Gift Giving

The line between holiday gift giving and corruption is very gray. You need to be concerned that traditional holiday gifts are not actually bribes.

Not only should you look at an individual gift, you need to look at gifts to the organization as a whole. One excessive gift may seem over the top to the recipient. But what happens when the gift-giver does the same for many people in the organization? One gift of $100 may be a little much. But if 25 people get similar gifts from the same gift-giver, then you have a $2,500 gift issue.

Gifts should not result in, or even give the perception of, a conflict of interest. An example of this would be excessive gift giving from a vendor: would you direct more business to that vendor solely because of the gifts, thereby compromising your obligations? This is the conflict that results when more than nominal gifts are given.

The action by the SEC against Lazard Capital Markets LLC is an example of excessive gift-giving. The charges lump together $600,000 in entertainment expenses. But that was over a 4-year period. That works out to $150,000 per year, which is still too much, but it illustrates the cumulative effect.

You can read more about the Lazard case: