Additional Guidance on the Massachusetts Privacy Regulations

The Massachusetts Office of Consumer Affairs and Business Regulation has provided guidance regarding its new regulations requiring all entities that own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts to develop, implement and maintain a comprehensive written information security program and to meet specific computer information security requirements. I mentioned the regulations, which have a January 1, 2009 compliance date, previously: New Massachusetts Privacy Laws; Privacy and Security Alert: Massachusetts Has New Data Security Regulations; and Massachusetts Regulations to Mandate Comprehensive Information Security Requirements.

The newly issued guidance consists of the following:

Sarbanes-Oxley Act Whistleblower Digest

The U.S. Department of Labor assembled a digest of whistleblower law under the Sarbanes-Oxley Act.

On July 30, 2002, the Sarbanes-Oxley Act of 2002, P.L. 107-204 was signed into law by President Bush. Section 806 of the Act, to be codified at 18 U.S.C. § 1514A, is a whistleblower provision that provides protection for employees of publicly traded companies who provide “information, cause information to be provided, or otherwise assist in an investigation regarding any conduct which the employee reasonably believes constitutes a violation of section 1341, 1343, 1344, or 1348, any rule or regulation of the Securities and Exchange Commission, or any provision of Federal law relating to fraud against shareholders….” Complaints under this provision are filed with the Secretary of Labor, who is to investigate and adjudicate the matter under the rules and procedures found in the statutory AIR21 whistleblower provision. The Sarbanes-Oxley whistleblower procedure is somewhat different than AIR21 and all other whistleblower cases administered by the DOL in that if the Secretary has not issued a final decision within 180 days of the filing of the complaint, and there is no showing that such delay is due to the bad faith of the claimant, the claimant may bring an action at law or equity for de novo review in the appropriate district court of the United States.

Ethics as a Business Process

Adam Turteltaub wrote Ethics as a Business Process for the fall 2005 edition of GRC 360.

Forward-looking companies are seeking to evolve business from soft art to hard science as a means to win in the marketplace, improve competitive advantage, achieve higher market valuations, ensure employee retention, foster fruitful partnerships and strengthen customer satisfaction.

. . .

There are three key areas to consider when examining the creation of business processes around ethics:

People: An organization must examine and manage the extent to which ethical conduct is embedded into the fabric of business thinking and fully understand the ethical risks employees face.
Process: An organization must set forth an effective business framework that integrates all ethics and compliance-related activities within the enterprise.
Technology: An organization must leverage tools that automate the process to achieve greater efficiency and provide management with the data it needs to assess the health of the effort and respond quickly to problems.

Real Money Laundering

The October 2008 edition (.pdf) of The SAR Activity Review, Trends, Tips and Issues published by the Financial Crimes Enforcement Network, has a great story on page 29 about a marijuana smuggling and money laundering operation.

The organization was concerned that the cash smelled like marijuana. The bank tellers even noticed the smell of marijuana on the money. The organization ended up washing and ironing the cash to remove the smell.

Too late. The teller filed a Suspicious Activity Report on the marijuana money, which then focused law enforcement on subsequent deposits. Law enforcement had previously been keeping an eye on individuals in the organization. Over the course of the investigation, they tracked more than 1,000 kilograms of marijuana that the organization distributed into the local market.

Dirty money led to 30 jail sentence for the leader of the organization.

Whistleblower Policies

I ran across a few examples of whistleblower policies and whistleblower protection policies and some material on developing a whistleblower policy.

Developing a Policy

Developing a Whistleblower Policy (.pdf) by the Delaware Valley Grantmakers.

Whistleblower Policies: Lessons For Associations by Julia E. Judish of Pillsbury Winthrop Shaw Pittman LLP

National Whistleblowers Center

Whistleblower Policy Safeguards Company (.pdf) by Jennifer Gallop, Esq., of Krokidas & Bluestein, Boston

Example Policies:

University of California Whistleblower Policy and Whistleblower Protection Policy.

Dave & Buster’s Whistleblower policy

Establishing an Effective Complaint-Handling Process

Grant Thornton put together a comprehensive report: Hear that whistle blowing! Establishing an effective complaint-handling process. (August 2006, .pdf)

They have developed the MACH process which consists of six basic steps:

  • Receive the complaint;
  • Analyze the complaint;
  • Investigate the complaint;
  • Resolve the complaint;
  • Report the resolution of the complaint; and
  • Retain the necessary documentation.

Code of Ethics and Whistleblower Programs

A corporate code of ethics is the flip side of the coin of a whistleblower policy: The code of ethics is the principal means of communicating to all staff a strong culture of legal compliance and ethical integrity, while the whistleblower policy is a way to implement such values.

The Power of How presentation by Dov Seidman

LRN published the transcript of a presentation by Dov Seidman at the Center for Business Ethics at Bentley University: The Power of How: Achieving Enduring Success Through Ethics.

Basically, in a world in which nothing stays hidden, you have to act as if you have nothing to hide. But before you can act as though you have nothing to hide, in fact, you must have nothing to hide. There is an opportunity to literally out-behave your competition. You might not be able to answer a phone faster. You might not be able to create an anti-tampering device and market your bottled water on the basis of that device, because all the manufacturers of bottled water have that nailed down. But you can out-behave someone.

Compliance at The Nature Conservancy

Back in 2004, The Nature Conservancy created the job of Chief Compliance Officer and formalized its compliance and governance policies.

There is an interview with Karen Berky, Chief Compliance Officer in The Nature Conservancy’s 2004 Annual Report: Conservation That Works.

Ms. Berky talks about the Conflict of Interest Policy and the Conflict of Interest Standard Operating Procedure.

The Nature Conservancy also has a Whistleblower Policy, for reporting suspected violations of law or policy.