Compliance and Cloud Computing

Sara Peters wrote an article on Security Provoked: How Can You Prove Compliance in the Cloud?

Whether you’re in the midst of an audit or a forensic investigation, thorough logs are the key to proving compliance with security regulations. So how do you prove your organization is/was compliant when you aren’t able to maintain logs? This is the nagging question that gnaws hungrily at my weary brain every time I ponder cloud computing.

I am a big fan of cloud computing from a sharing and information architecture perspective, but it may not be the right answer for critical information that is subject to regulatory control.

Yet.

The folks at Google and other cloud computing providers are not going to let compliance issues fall through the cracks for long. Cloud computing can provide similar service at lower cost. Who has a better understanding of security, your IT staff or the folks at Google?


New Link to the article: http://www.informationweek.com/security/can-you-prove-compliance-in-the-cloud/229209812

Product Samples and The Foreign Corrupt Practices Act

Richard L. Cassin of The FCPA Blog highlights Review Procedure Release No. 81-02 from December 11, 1981: A Rare (Or Medium-Rare) Opportunity. The release helps give a roadmap on how to introduce new products to potential government customers in foreign countries without violating the Foreign Corrupt Practices Act.

In Release 81-02 (December 11, 1981), the Department stated it would take no enforcement action where the requestor wished to provide samples of its products to officials of the Soviet Ministry of Foreign Trade. The Department stated that the FCPA was not implicated where (i) the samples were intended for the officials’ inspection, testing, and sampling; (ii) the samples were not intended for their personal use; and (iii) the Soviet government had been informed that the company intended to provide the samples. (From the DOJ Website, Section 1.1.5)

History of the Foreign Corrupt Practices Act

In 1977, Congress enacted the Foreign Corrupt Practices Act as part of the 1934 Securities Exchange Act. The FCPA criminalized the bribery of foreign officials by U.S. corporations and individuals pursuing business in other countries and required that companies with publicly traded stock meet certain standards regarding their accounting practices, books and records, and internal controls.

The FCPA was subsequently amended in both 1988 and 1998. First, in 1988, Congress added two affirmative defenses and directed the executive branch to urge America’s global trading partners to pass anti-corruption laws to promote international parity with regard to business corruption.

In 1998, the FCPA was again amended to implement the Organization of Economic Cooperation and Development Convention on Combating Bribery of Foreign Public Officials in International Business Transactions.  Congress ratified the OECD Convention and enacted implementing legislation.  These new amendments broadened the reach of potential FCPA bribery violations by expanding the scope of persons covered by the Act to include some foreign nationals.  Also, the 1998 amendments extended the FCPA’s jurisdiction beyond America’s borders to allow greater enforcement efforts by U.S. prosecutors.

The Specially Designated Nationals List (SDN)

The Office of Foreign Assets Control in the Treasury Department keeps the Specially Designated Nationals List (SDN).  The Specially Designated Nationals List is a publication of OFAC which lists individuals and organizations with whom United States citizens and permanent residents are prohibited from doing business.

FCPA Investigations are on the Rise

According to the Wall Street Journal’s Law Blog, And the FCPA Party Continues:

“U.S. government had open investigations into 84 companies at the end of last year, up from three in 2002, according to Shearman & Sterling. “In the 30-plus years I have followed these matters, there were long periods of little activity and few prosecutions in the early years. Recently there has been a dramatic increase in such activity,” says Danforth Newcomb, a Shearman partner.”

New Massachusetts Privacy Laws

Governor Patrick signed Executive Order 504, an order regarding the Security and Confidentiality of Personal Information, on September 19, 2008. This order revokes the earlier Executive Order 412.

There are also new state regulations 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth (effective Jan. 1, 2009) implementing M.G.L. c. 93H.

The Executive Order applies to state agencies. It goes further to require all contractors with the state to comply with the requirements. Further still, it requires those contractors to require their subcontractors to also comply with the requirements.

The regulations apply to every person that “owns, licenses, stores or maintains personal information about a resident of the Commonwealth.” The regulations require:

“a comprehensive, written information security program applicable to any records containing such personal information.  Such comprehensive information security program shall be reasonably consistent with industry standards, and shall contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records.”

The regulations also require a designation of “one or more employees to maintain the comprehensive information security program.” Sounds like another task for the Chief Compliance Officer.

Thanks to Lee Gesmer of the Mass Law Blog for pointing this out: New Massachusetts Rules on Identity Theft.

A Money Services Business Guide to Money Laundering Prevention

The Financial Crimes Enforcement Network published the Money Services Business Guide to Money Laundering Prevention (pdf).

The manual starts with the definition of a “Money Service Business.”

Your business may be an MSB (Money Services Business) if…

The business offers one or more of the following services:
■ money orders
■ traveler’s checks
■ check cashing
■ currency dealing or exchange
■ stored value

-AND-

The business:
■ Conducts more than $1,000 in money services business activity with the same person (in one type of activity) on the same day.

-OR-

The business:
■ Provides money transfer services in any amount.

Lay-Person’s Guide to the Foreign Corrupt Practices Act


The United States Department of Justice has put together a Lay Person’s Guide to the FCPA on the Department’s site on the Foreign Corrupt Practices Act.

The 1988 Trade Act directed the Attorney General to provide guidance concerning the Department of Justice’s enforcement policy with respect to the Foreign Corrupt Practices Act of 1977 (“FCPA”), 15 U.S.C. §§ 78dd-1, et seq., to potential exporters and small businesses that are unable to obtain specialized counsel on issues related to the FCPA. The guidance is limited to responses to requests under the Department of Justice’s Foreign Corrupt Practices Act Opinion Procedure (described below at p. 10) and to general explanations of compliance responsibilities and potential liabilities under the FCPA. This brochure constitutes the Department of Justice’s general explanation of the FCPA.

UPDATE: The Layperson’s Guide to the FCPA has been replaced by A Resource Guide to the US Foreign Corrupt Practices Act (.pdf).

Kay v. United States

Kay v. United States (Docket: 07-1281) is on the docket of the Supreme Court’s opening conference on September 29, 2008 for the Court’s October 2008 term. The petition for certiorari and all cert-stage briefs are available at scotusblog.com.

David Kay and Douglas Murphy were sentenced in 2005 to 37 and 63 months in prison respectively for violating the FCPA. They bribed Haitian officials in order to reduce their company’s taxes.

Richard L. Cassin over at The FCPA Blog has an excellent background article on the case.