New SEC Rule on Political Contributions by Certain Investment Advisers


The SEC has just published the text of the proposed rule on political contributions by investment advisers. The SEC voted unanimously to propose this rule at its July 22nd Open Meeting.

http://www.sec.gov/rules/proposed/2009/ia-2910.pdf

The proposed rule is intended to curtail “pay to play” practices by investment advisers that seek to manage money for state and local governments.

The new proposed rule has four primary aspects:

1. Restricting Political Contributions

An investment adviser who makes a political contribution to an elected official in a position to influence the selection of the adviser would be barred for two years from providing advisory services for compensation, either directly or through a fund.

The contribution prohibition would also apply to certain executives and employees of the investment adviser.

Additionally, the range of restricted officials would include political incumbents and candidates for a position that can influence the selection of an adviser.

There is a de minimis exception that permits contributions of up to $250 per election per candidate if the contributor is entitled to vote for the candidate.

2. Banning Solicitation of Contributions

The proposed rule also would prohibit an adviser from coordinating, or asking another person or political action committee to:

  1. Make a contribution to an elected official (or candidate) who can influence the selection of the adviser.
  2. Make a payment to a political party of the state or locality where the adviser is seeking to provide advisory services to the government.

3. Restricting Indirect Contributions and Solicitations

There would be a prohibition on engaging in pay to play conduct indirectly, if that conduct would violate the rule if the adviser did it directly. That would include directing or funding contributions through third parties such as spouses, lawyers or companies affiliated with the adviser.

4. Banning Third-Party Solicitors

There is a prohibition on paying a third party, such as a placement agent, to solicit a government client on behalf of the investment adviser.

Compliance, Van Halen and Brown M&M’s

You may have heard the story about Van Halen’s banning of brown M&M’s from its dressing room. I chalked it up to the pampered life of rock stars. (Especially, when compared to the more mundane life of a chief compliance officer.)

I just listened to the latest episode of This American Life which revealed that the provision was not about pampering. It was about compliance. Host Ira Glass talked with John Flansburgh (from the band They Might Be Giants) and he explained why the M&M clause was actually an ingenious business strategy. They recounted an excerpt from David Lee Roth’s autobiography, Crazy from the Heat:

Van Halen was the first band to take huge productions into tertiary, third-level markets. We’d pull up with nine eighteen-wheeler trucks, full of gear, where the standard was three trucks, max. And there were many, many technical errors — whether it was the girders couldn’t support the weight, or the flooring would sink in, or the doors weren’t big enough to move the gear through. The contract rider read like a version of the Chinese Yellow Pages because there was so much equipment, and so many human beings to make it function. So just as a little test, in the technical aspect of the rider, it would say “Article 148: There will be fifteen amperage voltage sockets at twenty-foot spaces, evenly, providing nineteen amperes . . .” This kind of thing. And article number 126, in the middle of nowhere, was: “There will be no brown M&M’s in the backstage area, upon pain of forfeiture of the show, with full compensation.”

So, when I would walk backstage, if I saw a brown M&M in that bowl . . . well, line-check the entire production. Guaranteed you’re going to arrive at a technical error. They didn’t read the contract. Guaranteed you’d run into a problem. Sometimes it would threaten to just destroy the whole show. Something like, literally, life-threatening.

Van Halen used the candy as a warning flag: an indication that something may be wrong elsewhere in the production. I see some lessons to be learned.

Update:

Diamond Dave talking about Brown M&Ms.

Brown M&Ms from Van Halen on Vimeo.

(via NPR Music’s The Record: The Truth About Van Halen And Those Brown M&Ms by Jacob Ganz)


Top Ten Mistakes Lawyers Make with Social Media


Lawyers and law firms are rapidly adopting social media to market themselves and connect with peers. These are new tools. We are all trying to figure out how to use them. Just to make it more difficult, the tools themselves are rapidly evolving as we are learning how to use them.

Some lawyers are doing a great job using them. Some are doing a terrible job.

I thought I would share my thoughts on the mistakes I see.

10. Blocking access. Social media provides a rich source of information about clients, potential clients, opposing counsel, witnesses and other parties. It is easy to get around the block with a mobile device or home access. Blocking is just an annoyance. It’s not an effective policy.

9. Failing to have a social media policy. People in your law firm are using social media. They may only be using it for personal purposes. But if they identify your firm as their employer, what they do has an effect on the image of your firm.

8. Ignoring Facebook as a recruiting tool. “You do better fishin’ where the fish are.” Many summer associates are creating groups on their own. Your firm would be better off if they administered the group.

7. Not giving authorship to blog posts. The attorneys writing the story should get credit for the story. This gives an attorney an extra incentive to contribute and showcases their skills.

6. Not linking. A blog is much more useful to its readers and its authors if it links to other relevant information. There is no reason not to link to primary source material like statutes and regulations online. Link to other news sources, websites and blogs. Yes, people will leave your site through those links. But they are more likely to come back if your site is the better source of information.

5. Failing to understand ethical limitations. The bar regulators have barely dealt with web 1.0, never mind the additional issues around web 2.0. Keep in mind that most social media activities can be considered advertising.

4. Abandoning without notice. Nothing lasts forever. If you started a blog and are not posting any more, put up a post saying you’ve stopped or are on hiatus. (This is what I did for my old KM Space blog.)

3. Failing to leverage LinkedIn. You should have a profile in LinkedIn that has at least as much information as the bio on your firm’s site. You should also be leveraging LinkedIn to stay up to date with the movement of your clients and former client contacts. LinkedIn is a great source of information for CRM systems.

2. Posting information about clients. As with any advertising, make sure you get written consent from clients before posting any information about your work with them.

1. Not using social media. The biggest mistake most lawyers are making with social media is not using these tools. They are here to stay. Get used to it.

What mistakes do you see being made?

Image is from Hugh MacLeod of Gapingvoid – “cartoons drawn on the back of business cards”: you’re a social media specialist?

National Data Privacy Law Proposed

Image by Johnny Grim (CC BY-NC-ND 2.0)

With a multitude of states trying to protect their citizens when it comes to breaches of personal data security, it is becoming increasingly difficult to manage compliance with this patchwork of laws. The Data Accountability and Trust Act (H.R. 2221), proposed in Congress, would preempt state laws and make regulation of data security a matter of federal regulation.

If passed in its current form, the procedure and time frame for notifications in the event of a data breach would be standardized instead of differing from state to state. It would also require the Federal Trade Commission to regulate the security practices around personal data.

The most controversial part seems to be the provisions around information brokers (companies that gather personal information about people who are not their customers in order to sell it to third parties). It would require these brokers to establish reasonable procedures to verify the accuracy of the personal information they collect. They would also have to provide consumers with access to that information.

Although it is still working its way through the system, it has already been forwarded by the subcommittee to the full House Energy and Commerce Committee.


Webinar Materials for: Preparing for the strictest privacy law in the nation


As a follow up to Wednesday’s lunchtime webinar sponsored by Knowledge Management Associates, I wanted to post some materials for those of you that missed it and for those looking for notes and details.

The slidedeck:


Massachusetts General Laws Chapter 93H
http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm

201 CMR 17.00

Click to access 201CMR17amended.pdf

Compliance Building Posts on Mass. Data Privacy
https://www.compliancebuilding.com/tag/mass-data-privacy-law/

Free and Law Firms


I just finished reading Chris Anderson’s new book: Free: The Future of a Radical Price. Given that I am a lawyer, I kept thinking about how his concepts apply to law firms.

Let me say a few things up front.

First, this is an excellent book that will make you think about how these concepts apply to your business. At my prior employer, a large law firm, I saw lots of the trends described in the book.

Second, I am part of an example that Chris uses to defend his hypothesis: GeekDad. Chris started GeekDad as the parenting blog for Wired magazine. The blog is led by Ken Denmead as editor, who gets a nominal retainer. The rest of the contributors are unpaid volunteers writing for a magazine conglomerate that makes good money selling ads on GeekDad. I am one of those volunteer contributors. (You can see my name in the list of core contributors in the right-hand column.)

Third, Chris does not take the position that everything should be free. He merely points out that more things now can be, thanks to the reduced costs of computer power, storage and networking.

Fourth, I paid for the book out of my own pocket. Free, the book, is not free. An abridged audio version of Free is free online.

The Long Tail

Free is an extension of his previous book: The Long Tail. In that book he showed how sales of a large quantity of less popular titles can collectively match the sales of the few popular titles. You can make this work when you have cheap storage. Free takes the next step: what happens when your marginal production costs get close to zero.

There are many studies that show there is a big difference between something costing very little and something costing zero. Therefore you will attract a bigger audience if you round down. With electronic distribution, the marginal cost for adding the next customer is close to zero. So Chris says round down.

How Do You Make Money?

Chris outlines 50 different ways that you can make money even when you are giving away some of your product. Chris does not advocate giving away everything, just some of the things when the marginal cost is close to zero. One of the big distinctions is whether your product is atoms or bits. Atoms are expensive to produce and distribute. Bits are not.

He divides the idea of Free into four categories: cross-subsidies (give away the razor, sell the blade); advertising-supported services (from radio and television to websites); freemium (a small subset of users pay for a premium version of something, supporting a free version for the rest); and non-monetary markets (in which participants motivated by non-financial considerations develop things like Wikipedia and GeekDad).

Freemium is the model that Chris seems most in favor of. You give away a limited version of the product, but charge for the full version, add-ons and enhancements. SocialText just adopted that model for their wiki product: Free for 50. You can use a limited version of the product with up to fifty people at no charge. That freemium model got me using it.

Information is Expensive but Wants to be Free

Chris quotes Stewart Brand:

On the one hand information wants to be expensive, because it’s so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other.

What about law firms?

Let’s look at the most extreme examples, Orrick, Herrington and Sutcliffe’s free business formation contracts and Wilson Sonsini’s Term Sheet Generator. There’s no cost to use the forms and no registration required to download them. Businesses can use them for free. Other lawyers can use the forms as if they were their own and use them to serve their own clients. But the free product may help capture business. There are big segments of the legal market that can’t afford to hire these firms. Now, a business using these forms may be more likely to use the firm because some of the work has already been done. The firms could charge far less to review a completed form than if the firm were to begin the incorporation from scratch. It may also offer them a competitive advantage when opposing counsel presents them with one of their own forms.

But those examples are new and few.

There is an incredibly common freemium model adopted by almost every law firm: Client Alerts.

When you had to mail these alerts there was a dollar cost associated with that distribution. To better phrase that, there was a stamp cost associated with distribution. Now distribution costs are minimal. The costs are the same whether you email it to 500 people or 50,000 people. The same is true with viewing it on the law firm’s website.

I think it is quaint that some law firms still use the “client alert” label. I get more alerts from firms that do not represent me, than I do from the firms that do represent me.

Lawyers and their firms are giving away this valuable legal insight in the hopes that you will hire them to represent you in a matter related to the information in their publication. They use the publications to showcase their expertise, but in the process give away some of their substantive knowledge.

The book is worth reading. You should start thinking about how free may affect your business.


Avery Dennison Settles SEC Case for China FCPA Violation


Avery Dennison has settled two related Securities and Exchange Commission cases over alleged Foreign Corrupt Practices Act violations. In an administrative action, the SEC imposed a cease-and-desist order against the consumer product company and ordered it to pay $318,470 in disgorgement and interest. In a civil case, Avery agreed to pay a $200,000 penalty. Avery settled both proceedings without admitting or denying the claims.

The SEC had charged that the Reflectives Division of Avery (China) Co. Ltd. paid kickbacks, sightseeing trips, and gifts to Chinese government officials.

  • In January 2004, an Avery China sales manager went to a meeting with government officials and bought each a pair of shoes with a combined value of $500.
  • In May 2004, the subsidiary hired a former government official as a sales manager because his wife was still employed at the government institute and was in charge of two projects the company wanted to pursue.
  • In August 2004, Avery China obtained two contracts to install new graphics on police cars through the Institute. The sales manager agreed that the total sales price of the contracts would be inflated so the additional charges could be paid back to the Institute as a “consulting fee.” Total sales under these contracts were about $677,000, with profits of about $363,000. The kickback payments, which would have been about $41,000, were discovered by another division and halted prior to payment.
  • In December 2002, an Avery salesman hosted a sightseeing trip for five government officials. Two reimbursement requests were used to conceal the expenses for the trip.
  • In August 2004, Avery China paid a kickback to another government owned enterprise to secure a sales contract. Total sales under the contract were about $106,000, with profits of about $61,000. The $2,415 kickback was not paid after it was discovered by company officials.
  • In 2005, Avery China secured a sale to a state-owned end user by agreeing to pay a Chinese official a kickback of nearly $25,000 through a distributor. Avery China realized $273,213 in profit from this transaction, which it inaccurately booked as a sale to the distributor rather than to the end user.
  • In late 2005, during a sales conference hosted by Avery China at a famous tourist destination, a sales manager paid for sightseeing trips for at least four government officials at a cost of $15,000.
  • After Avery acquired a company, employees of the acquired company continued their pre-acquisition practice of making illegal petty cash payments to customs or other officials in several foreign countries. Those illegal payments totaled approximately $51,000.

A spokesperson for Avery told the FCPA Blog, “What’s important to us is the fact, noted in the SEC’s administrative order, that we discovered the questionable actions. We investigated them and took disciplinary action, and reported them to the Securities Exchange Commission and Department of Justice (DOJ). As the SEC’s administrative order notes, in some cases we prevented them. We believe ethical conduct is critical to our reputation and our success, and we back that up with a rigorous training and reporting process to help employees make the right decisions. Our training includes training on the FCPA.”


2009 Data Breach Investigations Report


285 million records were compromised in 2008. The Verizon Business RISK Team conducted a study of first-hand evidence collected during data breach investigations of 90 confirmed breaches as part of their caseload. This 2008 caseload of more than 285 million records exceeded the combined total from 2004 to 2007.

2009 Data Breach Investigations Report (PDF).

Investigators concluded that 87 percent of breaches could have been avoided through the implementation of simple or intermediate controls. All of these were the standard practices in the industry. In only 13 percent of cases were costly controls (in terms of effort and expense) recommended as the most efficient and effective means of avoiding the breach. Most of these were standard security controls, even though they are costly.

They conclude with these recommendations:

Align process with policy: Many organizations set security policies and procedures yet fail to implement them consistently. Controls focused on accountability and ensuring that policies are carried out can be extremely effective in mitigating the risk of a data breach.

Achieve essential, and then worry about excellent: We find that many organizations achieve very high levels of security in numerous areas but neglect others. Criminals will almost always prefer the easier route. Identifying a set of essential controls and ensuring their implementation across the organization without exception, and then moving on to more advanced controls where needed is a superior strategy against real-world attacks.

Secure business partner connections: Basic partner-facing security measures as well as security assessments, contractual agreements, and improved management of shared assets are all viewed as beneficial in managing partner-related risk.

Create a data retention plan: Clearly, knowing what information is present within the organization, its purpose within the business model, where it flows, and where it resides is foundational to its protection. Where not necessitated by valid business needs, a strong effort should be made to minimize the retention and replication of data.

Control data with transaction zones: Based on data discovery and classification processes, organizations should separate different areas of risk into transaction zones. These zones allow for more comprehensive control implementations to include but not be limited to stronger access control, logging, monitoring, and alerting.

Monitor event logs: All too often, evidence of events leading to breaches was available to the victim but this information was neither noticed nor acted upon. Processes that provide sensible, efficient, and effective monitoring and response are critical to protecting data.

Create an Incident Response Plan: If and when a breach is suspected to have occurred, the victim organization must be ready to respond. An effective Incident Response Plan helps minimize the scale of a breach and ensures that evidence is collected in the proper manner.

Increase awareness: Delivered effectively, training that educates employees about the risks of data compromise, their role in prevention, and how to respond in the event of an incident can be an important line of defense and discovery.

Engage in mock incident testing: In order to operate efficiently, organizations should undergo routine IR training that covers response strategies, threat identification, threat classification, process definition, proper evidence handling, and mock scenarios.

Join me at 12:30 (July 29, Boston Time) for a free webinar on Preparing for the Strictest Privacy Law in the Nation: MA Privacy Law 201 CMR 17 hosted by Knowledge Management Associates.

Ten of the Most Embarrassing Data Breaches


I gathered some notable data breaches in preparation for my presentation on the Massachusetts Data Privacy Law as part of my webinar on Wednesday: Preparing for the strictest privacy law in the nation: MA Privacy Law 201 CMR 17. If you wondered why there are so many state laws on data breaches, just take a look at some of these embarrassing data breaches.

Royal Navy

Imagine losing information on everyone who had applied to join the armed forces including passport numbers, medical histories, and bank details. Of course, it was not encrypted. It was just sitting in a laptop in the back of a car. That’s what happened Jan. 9, 2008, in Birmingham, U.K., when a Royal Navy Officer left the laptop in his car and it was promptly stolen.

BBC: Police probe theft of MoD laptop

UK’s Child Benefits Records

Her Majesty’s Revenue and Customs sent discs containing the entire child benefit database unregistered and unencrypted to the National Audit Office. There was no evidence that the discs fell into the wrong hands, but millions of families were told to be on alert for attempts to fraudulently use their details, which include addresses, bank account and National Insurance numbers, as well as children’s names and dates of birth.

BBC: Discs ‘worth £1.5bn’ to criminals

Veteran’s Affairs

The computer and hard drive were stolen from the home of an employee of the Department of Veterans Affairs. They contained details on no less than 26.5 million veterans. The laptop was stolen May 3rd and turned up two months later on the black market only four miles away. The purchaser bought both the laptop and the hard drive off the back of a truck.

New York Times: V.A. Laptop Is Recovered, Its Data Intact

TJX

The retailer had over 45 million customer records compromised. The current theory is that the thieves sat in the company parking lot and tapped into an unsecured wireless router.

Boston Globe: TJX faces scrutiny by FTC

Ameriprise

Lists containing the personal information of about 230,000 customers and advisers were compromised after a company laptop was stolen from an employee’s parked car. The laptop contained a list of reassigned customer accounts that were unencrypted.

New York Times: Ameriprise Says Stolen Laptop Had Data on 230,000 People

Verisign

Digital certificate issuing company VeriSign suffered a data breach when an employee’s laptop was stolen from their car last month. The laptop contained names, social security numbers, dates of birth, salary details, phone numbers and addresses of VeriSign employees.

The Gap

A laptop containing unencrypted personal information for 800,000 people who applied for jobs with clothing retailer Gap Inc. was stolen. The laptop was stolen from the offices of a third-party vendor the Gap hired to manage applicant data.

The Register: Data for 800,000 job applicants stolen

Boston Globe

Instead of reporting on data breaches, the Boston Globe and The Worcester Telegram & Gazette suffered their own credit card breach. The credit card information for as many as 240,000 subscribers might have been inadvertently released.

The New York Times: Credit Data Breach at Two Newspapers

Hannaford Supermarkets

Unauthorized software that was secretly installed on servers in Hannaford Bros. Co.’s supermarkets enabled a massive data breach that compromised up to 4.2 million credit and debit cards.

Forbes: Malware cited in supermarket data breach

IBM

A vendor lost tapes containing sensitive information on IBM employees. The tapes contained sensitive information including dates of birth, Social Security numbers, and addresses. Some of the tapes were not encrypted.

InfoWorld: IBM contractor loses employee data

Any others that you think should be on this list? Join the webinar and let us know.

Image is by d70focus: Credit Card Theft http://www.flickr.com/photos/23905174@N00/ / CC BY 2.0

Sticking Your Head in the Sand and the FCPA


Prosecutors told the jury during Frederic Bourke’s trial that instead of doing adequate due diligence for his investment, he’d “stuck his head in the sand.” A jury convicted him of conspiring to violate the Foreign Corrupt Practices Act and making false statements to federal investigators.

How did the head of a prominent handbag company end up in this position? What did Bourke do?

He invested in a deal in a country where he knew or should have known that bribes would be paid. He didn’t pay any bribes himself. He didn’t benefit from the bribes. He lost his money in the investment.

Bourke invested in Czech-born Viktor Kozeny’s unsuccessful attempt in 1998 to gain control of Azerbaijan’s state oil company. Kozeny himself had a shady background and was known as the Prague Pirate. Kozeny’s plan was to bribe senior government officials in Azerbaijan with several hundred million dollars in shares of stock, cash, and other gifts to ensure that those officials would privatize the State Oil Company of the Azerbaijan Republic (SOCAR) in a rigged auction that their investment consortium could win. Prosecutors offered evidence that Bourke “consciously avoided” learning about the bribes by not asking questions about them. Jurors were allowed to convict if they found Bourke knew or took steps to avoid learning of the payments.

The jury looked at the shady deal, the shady partner, and the shady country and must have thought that bribery was obvious. Bourke just chose to ignore the warning signs.

The sentence for Bourke is up to five years in prison for the FCPA violation, and another five for lying to the FBI.
