Doug Cornelius

Reasons Why the SEC Wants to Regulate Political Contributions

sec-seal

The SEC has proposed a New Rule on Political Contributions by Certain Investment Advisers to prevent advisers from participating in pay to play practices affecting the management of public pension plans. They had proposed a similar rule in 1999. Many of the comments to that rule said that pay to play was not a problem in the management of public funds.

Now, the SEC thinks that pay to play is a significant problem in the management of public funds by investment advisers. In recent years, the SEC and criminal authorities have brought a number of actions charging investment advisers with participating in pay to play schemes. Here are some of the incidents they cite in the proposed pay to play rule. http://www.sec.gov/rules/proposed/2009/ia-2910.pdf

Alabama

The SEC brought a case against the mayor of Birmingham and other defendants, alleging that while the mayor served as president of the County Commission of Jefferson County, he accepted undisclosed cash and benefits through a lobbyist as a conduit from the chairman of a Montgomery, Alabama-based broker-dealer, in return for awarding municipal bond business and swap transactions to the broker-dealer. See SEC v. Larry P. Langford et al., Litigation Release No. 20545 (Apr. 30, 2008).

California

Los Angeles Times story about the alleged pay to play activities relating to a former member of the Los Angeles Fire and Police Pensions Board. Former pension board member’s private finance, public role intersected, by David Zahniser (May 9, 2009)

Connecticut

Paul J. Silvester, the former Treasurer of the State of Connecticut, agreed to invest $200 million of state pension funds in return for the investment adviser providing consulting contracts valued at approximately $1 million each to two of his friends.SEC v. Paul J. Silvester et al., Litigation Release No. 16759 (Oct. 10, 2000); Litigation Release No. 20027 (Mar. 2, 2007); Litigation Release No. 19583 (Mar. 1, 2006); Litigation Release No. 18461 (Nov. 17, 2003); Litigation Release No. 16834 (Dec. 19, 2000);
Sanctions against William A. DiBella, the former Majority Leader of the Connecticut State Senate, and his consulting firm, North Cove Ventures, L.L.C. for their roles in aiding and abetting then Treasurer of the State of Connecticut, Paul J. Silvester in a fraudulent investment scheme.SEC v. William A. DiBella et al., Litigation Release No. 20498 (Mar. 14, 2008). See also
A judgment against Ben F. Andrews, Jr. in connection with a fraudulent scheme involving the investment of Connecticut state pension fund money. U.S.. v. Ben F. Andrews, Litigation Release No. 19566 (Feb. 15, 2006);
In November 1998, the then-Connecticut Treasurer invested $75 million of the Connecticut state pension fund with Thayer IV. In connection with this investment, Thayer, through Malek, agreed to hire a consultant at the Treasurer’s request. This consultant, who was paid nearly $375,000 by TC Management IV, had no previous involvement with the proposed investment and ultimately performed no meaningful work on the deal. In the Matter of Thayer Capital Partners, TC Equity Partners IV, L.L.C., TC Management Partners IV, L.L.C., and Frederick V. Malek, Investment Advisers Act Release No. 2276 (Aug. 12, 2004);
The principal of an investment adviser provided $2 million in consulting contracts to associates of the Connecticut State Treasurer to secure the decision to invest $200 million in state pension funds in his funds. In the Matter of Frederick W. McCarthy, Investment Advisers Act Release No. 2218 (Mar. 5, 2004);
An aide to the Connecticut State Treasurer received a $1 million consulting contract from an investment adviser with whom the Treasurer had invested $200 million in Connecticut state pension funds. In the Matter of Lisa A. Thiesfield, Investment Advisers Act Release No. 2186 (Oct. 29, 2003).
The indictment of the former mayor of Bridgeport, Connecticut, in connection with his conviction for, among other things, requiring payment from an investment adviser in return for city business. U.S. v. Joseph P. Ganim, 2007 U.S. App. LEXIS 29367 (2d Cir. 2007)

Florida

A partner at Lazard Freres & Co. was found liable for conspiracy and wire fraud for fraudulently paying $40,000 through an intermediary to Fulton County’s independent financial adviser to secure an assurance that Lazard would be selected for the Fulton County underwriting contract. United States v. Poirier, 321 F.3d 1024 (11th Cir.), cert. denied sub nom., deVegter v. United States, 540 U.S. 874 (2003)

Georgia

A broker-dealer, two of its officers and a city official were involved in a scheme to defraud the City of Atlanta in connection with the purchase and sale of certain securities while providing substantial, undisclosed monetary benefits to the city’s investment officer who was authorized to select a broker-dealer for the transactions. See In the Matter of Pryor, McClendon, Counts & Co., Inc. et al., Securities Act Release No. 7673 (Apr. 29, 1999); Securities Act Release No. 8062 (Feb. 6, 2002); Exchange Act Release No. 48095 (June 26, 2003); Securities Act Release No. 8245 (June 26, 2003); Securities Act Release No. 8246 (June 26, 2003).

Illinois

The indictment of William Cellini for corruption, including using the Teachers’ Retirement System to invest with and hire firms that made contributions to Rod Blagojevich. State’s Ultimate Insider Indicted, by Jeff Coen, Ray Long and John ChaseChicago Tribune (Oct. 31, 2008).
An enforcement action against the former treasurer of the City of Chicago, to whom two registered representatives were alleged to have made secret cash payments to obtain a share of the city’s lucrative securities investments. See SEC v. Miriam Santos et al., Litigation Release No. 17839 (Nov. 14, 2002); Litigation Release No. 19269 (June 14, 2005) The SEC also brought enforcement actions against the registered representatives allegedly involved in the scheme. See SEC v. Miriam Santos, Peter J. Burns, and Michael F. Hollendoner, Litigation Release Nos. 19270 and 19271 (June 14, 2005).

New Mexico

An investment adviser was barred from association with any broker, dealer or investment adviser for paying kickbacks to the Treasurer of the State of New Mexico. In the Matter of Kent D. Nelson, Investment Advisers Act Release No. 2765 (Aug. 1, 2008); I
Conviction of the former treasurer of New Mexico for requiring that a friend be hired by an investment manager in return for accepting a proposal from the manager for government business.
Conviction for attempted extortion of the former treasurer of New Mexico’s successor for requiring that a friend be hired by an investment manager at a high salary in return for the former treasurer’s willingness to accept a proposal from the manager for government businessU.S. v. Vigil, 523 F. 3d 1258 (10th Cir. 2008)

New York

The deputy comptroller and a “placement agent” engaged in corruption and securities fraud for selling access to management of public funds in return for kickbacks and other payments for personal and political gain. SEC v. Henry Morris, et al, Litigation Release No. 21036 (May 12, 2009).

North Carolina

Alleged pay to play activities involving North Carolina’s state treasurer. Moore Defends Pension System, by Rick Rothacker & David Ingram for the Charlotte Observer (Feb. 25, 2007) (discussing )

Ohio

Reginald Fields, Four More Convicted in Pension Case: Ex-Board Members Took Gifts from Firm, CLEVELAND PLAIN DEALER (Sept. 20, 2006) (addressing pay to play activities of members of the Ohio Teachers Retirement System).

Pennsylvania

The intrusion of soft dollars into pension fund consulting. Pensions, Politics and Consultants Make for Unsavory Bedfellows, by Len Boselovic for Pittsburgh Post-Gazette (Aug. 13, 2006)
Alleged pay to play activities relating to the Allegheny County Retirement Board, Fund Managers ‘Pay to Play’ by Jeffrey Cohan for Pittsburgh Post-Gazette (Feb. 22, 2001)
A 2002 audit by then-new controller of Luzerne County, Pennsylvania alleged pay to play activities among various parties involved with county pension funds. Political Money Said to Sway Pension Investments, by Mary Williams Walsh for the N.Y. Times (Feb. 10, 2004).

That is a big list of bad behavior is short period of time.

Maybe the SEC has a point.

Although I am not sure if the proposed SEC rule will stop it.

Hollywood and the FCPA

With the guilty verdict in the case of handbag magnate Frederic Bourke and while waiting for the verdict in the Jefferson corruption case, we can turn to Hollywood for the next FCPA trial. The U.S. Attorney’s office charged a Hollywood producer with paying bribes to a foreign official.

Gerald and Patricia Green are accused of paying a Thai official $1.8 million between 2002 and 2006 in order to obtain $14 million worth of contracts. Prosecutors claim the couple paid off Juthamas Siriwan, the former governor of the Tourism Authority of Thailand, which puts on Bangkok’s international film festival. Gerald Green was the producer of Werner Herzog’s Resuce Dawn along with a dozen other movies.

Richard Cassin of the FCPA Blog is providing coverage, including an insight to trial strategy:

Prosecutors plan to introduce into evidence a Thai anti-bribery statute that applies to public officials (here). That law — even if it’s rarely enforced — probably blocks the Greens from raising the local-law affirmative defense. The FCPA allows otherwise prohibited payments if the “payment, gift, offer, or promise of anything of value that was made, was lawful under the written laws and regulations of the foreign official’s” country. 15 U.S.C. §§ 78dd-1(c)(1), 78dd-2(c)(1) and 78dd-3(c)(1). The defense is rarely available because most countries, like Thailand, have anti-corruption laws.

The trial starts today in California. Patricia Green is represented by Marilyn Bednarski of Pasadena’s Kaye, McLane & Bednarski. Gerald Green is represented by Jerome Mooney of L.A.’s Weston, Garrou, Walters & Mooney.

References:

Hollywood FCPA Trial Set to open from the FCPA Blog
Only-in-Hollywood FCPA Trial Set to Start Tuesday by Ross Todd for The AmLaw Litigation Daily.
Indictment of Green – Hosted on JD Supra
Government’s Trial Memorandum – Hosted on JD Supra

New SEC Rule on Political Contributions by Certain Investment Advisers

sec-seal

The SEC has just published the text of the proposed rule on political contributions by investment advisers. SEC voted unanimously to propose this rule at its July 22nd Open Meeting.

http://www.sec.gov/rules/proposed/2009/ia-2910.pdf

The proposed rule is intended to curtail “pay to play” practices by investment advisers that seek to manage money for state and local governments.

The new proposed rule has four primary aspects:

1. Restricting Political Contributions

An investment adviser who makes a political contribution to an elected official in a position to influence the selection of the adviser would be barred for two years from providing advisory services for compensation, either directly or through a fund.

The contribution prohibition would also apply to certain executives and employees of the investment adviser.

Additionally, the range of restricted officials would include political incumbents and candidates for a position that can influence the selection of an adviser.

There is a de minimis exception that permits contributions of up to $250 per election per candidate if the contributor is entitled to vote for the candidate.

2. Banning Solicitation of Contributions

The proposed rule also would prohibit an adviser from coordinating, or asking another person or political action committee to:

Make a contribution to an elected official (or candidate) who can influence the selection of the adviser.
Make a payment to a political party of the state or locality where the adviser is seeking to provide advisory services to the government.

3. Restricting Indirect Contributions and Solicitations

There would be prohibition on engaging in pay to play conduct indirectly, if that conduct would violate the rule if the adviser did it directly. That would include directing or funding contributions through third parties such as spouses, lawyers or companies affiliated with the adviser.

4. Banning Third-Party Solicitors

There is prohibition on paying a third party, such as a placement agent, to solicit a government client on behalf of the investment adviser.

Compliance, Van Halen and Brown M&M’s

You may have heard the story about Van Halen’s banning of brown M&M’s from its dressing room. I chalked it up to the pampered life of rock stars. (Especially, when compared to the more mundane life of a chief compliance officer.)

I just listened to the latest episode of This American Life which revealed that the provision was not about pampering. It was about compliance. Host Ira Glass talked with John Flansburgh (from the band They Might Be Giants) and he explained why the M&M clause was actually an ingenious business strategy. They recounted an except from David Lee Roth’s autobiography, Crazy from the Heat:

Van Halen was the first band to take huge productions into tertiary, third-level markets. We’d pull up with nine eighteen-wheeler trucks, full of gear, where the standard was three trucks, max. And there were many, many technical errors — whether it was the girders couldn’t support the weight, or the flooring would sink in, or the doors weren’t big enough to move the gear through.The contract rider read like a version of the Chinese Yellow Pages because there was so much equipment, and so many human beings to make it function. So just as a little test, in the technical aspect of the rider, it would say “Article 148: There will be fifteen amperage voltage sockets at twenty-foot spaces, evenly, providing nineteen amperes . . .” This kind of thing. And article number 126, in the middle of nowhere, was: “There will be no brown M&M’s in the backstage area, upon pain of forfeiture of the show, with full compensation.”

So, when I would walk backstage, if I saw a brown M&M in that bowl . . . well, line-check the entire production. Guaranteed you’re going to arrive at a technical error. They didn’t read the contract. Guaranteed you’d run into a problem. Sometimes it would threaten to just destroy the whole show. Something like, literally, life-threatening.

Van Halen used the candy as a warning flag for an indication that something may be wrong. I see some lessons to be learned.

Update:

Diamond Dave talking about Brown M&Ms.

Brown M&Ms from Van Halen on Vimeo.

(via NPR Music’s The Record: The Truth About Van Halen And Those Brown M&Ms by Jacob Ganz

References:

This American Lie Episode 386: Fine Print
Van Halen’s Legendary M&M’s Rider from the Smoking Gun

Top Ten Mistakes Lawyers Make with Social Media

Lawyers and law firms are rapidly adopting social media to market themselves and connect with peers. These are new tools. We are all trying to figure out how to use them. Just to make it more difficult, the tools themselves are rapidly evolving as we are learning how to use them.

Some lawyers are doing a great job using them. Some are doing a terrible job.

I thought I would share my thoughts on the mistakes I see.

10. Blocking access. Social media provides a rich source of information about clients, potential clients, opposing counsel, witnesses and other parties. It easy to get around the block with a mobile device or home access. Blocking is just an annoyance. It’s not an effective policy.

9. Failing to have a social media policy. People in your law firm are using social media. They may only using if for personal purposes. But if they identify your firm as their employer, what they do has an effect on the image of your firm.

8. Ignoring Facebook as a recruiting tool. “You do better fishin’ where the fish are.” Many summer associates are creating groups on their own. Your firm would be better off if they administered the group.

7. Not giving authorship to blog posts. The attorneys writing the story should get credit for the story. This gives an attorney an extra incentive to contribute and showcases their skills.

6. Not linking. A blog is much more useful to its readers and its authors if it links to other relevant information. There is no reason not to link to primary source material like statutes and regulations online. Link to other news sources, websites and blogs. Yes people will leave leave your site through those links. But they are more likely to come back if your site is the better source of information.

5. Failing to understand ethical limitations. The bar regulators have barely dealt with web 1.0, never mind the additional issues around web 2.0. Keep in mind that most social media activities can be considered advertising.

4. Abandoning without notice. Nothing lasts forever. If you started a blog and are not posting any more. Put a post saying you’ve stopped or are on hiatus. (This is what I did for my old KM Space blog.)

3. Failing to leverage LinkedIn. You should have a profile in LinkedIn that has at least as much information as the bio on your firm’s site. You should also be leveraging LinkedIn to stay up to date with the movement of your clients and former client contacts. LinkedIn is a great source of information for CRM systems.

2. Posting information about clients. As with any advertising, make sure you get written consent from clients before posting any information about your work with them.

1. Not using social media. The biggest mistake most lawyers are making with social media is not using these tools. They are here to stay. Get used to it.

What mistakes to you see being made?

Image is from Hugh MacLeod of Gapingvoid – “cartoons drawn on the back of business cards”: you’re a social media specialist?

National Data Privacy Law Proposed

burglar — Image by Johnny Grim (CC BY-NC-ND 2.0)

With a multitude of states trying to protect their citizens when it comes to breaches of personal data security, it is becoming increasingly difficult to manage compliance with this patchwork of laws. The Data Accountability and Trust Act (H.R. 2221) proposed in Congress proposed to preempt state laws and make regulation of data security a matter of federal regulation.

If passed in its current form, the procedure and time frame for notifications in the event of data breach would be standardized instead of the differing requirements from state to state. It would also required the Federal Trade Commission to regulate the security practices around personal data.

The most controversial part seems to be the provisions around information brokers (companies that gather personal information about people that are not their customers to sell to third parties.) It would require these brokers to establish reasonable procedures to verify the accuracy of the personal information it collects. They would also have to provide consumers with access to that information.

Although it is still working its way through the system, it has already been forwarded by the subcommittee to the full House Energy and Commerce Committee.

References:

Webinar Materials for: Preparing for the strictest privacy law in the nation

As a follow up to Wednesday’s lunchtime webinar sponsored by Knowledge Management Associates, I wanted to post some materials for those of you that missed it and for those looking for notes and details.

The slidedeck:

KMA Insights Webinar July 2009 — Compliance with MA Privacy Law

View more presentations from Knowledge Management Associates, LLC.

Massachusetts General Laws Chapter 93H
http://www.mass.gov/legis/laws/mgl/gl-93h-toc.htm

201 CMR 17.00

Click to access 201CMR17amended.pdf

Compliance Building Posts on Mass. Data Privacy
https://www.compliancebuilding.com/tag/mass-data-privacy-law/

Free and Law Firms

I just finished reading Chris Anderson’s new book: Free: The Future of a Radical Price. Given that I am a lawyer, I kept thinking about how his concepts apply to law firms.

Let me say a few things up front.

First, this is an excellent book that will make you think about how these concepts apply to your business. For my prior employer, a large law firm I saw lots of trends in the book.

Second, I am part of an example that Chris uses to defend his hypothesis: GeekDad. Chris started GeekDad as the parenting blog for Wired magazine. The blog is led by Ken Denmead as editor who gets a nominal retainer. The rest of the contributors are unpaid volunteers writing for a magazine conglomerate that makes good money selling ads on GeekDad. I am one of those volunteer contributors. (You can see my name in the list of core contributors in right-hand column.)

Third, Chris does not take the position that everything should be free. He merely points out that more things now can be, thanks to the reduced costs of computer power, storage and networking.

Fourth, I paid for the book out of my own pocket. Free, the book is not free. Free, an ~~abridged~~ audio version is free online.

The Long Tail

Free is an extension of his previous book: The Long Tail. In that book he showed how the sale of large quantity of less popular titles can collectively sell as much as the few popular titles. You can make this work when you have cheap storage. Free takes the next step of what happens when your marginal production costs get close to zero.

There are many studies that show there is a big difference between something costing very little and something costing zero. Therefore you will attract a bigger audience if you round down. With electronic distribution, the marginal cost for adding the next customer is close to zero. So Chris says round down.

How Do You Make Money?

Chris outlines 50 different ways that you can make money even when you are giving away some of your product. Chris does not advocate giving away everything, just some of the things when the marginal cost is close to zero. One of the big distinctions is whether your product is atoms or bits. Atoms are expensive to produce and distribute. Bits are not.

He divides the idea of Free into four categories: cross-subsidies (give away the razor, sell the blade); advertising-supported services (from radio and television to websites); freemium (a small subset of users pay for a premium version of something, supporting a free version for the rest); and non-monetary markets (in which participants motivated by non-financial considerations develop things like Wikipedia and GeekDad).

Freemium is the model that Chris seems most in favor of. You give away a limited version of the product, but charge for the full version, add-ons and enhancements. SocialText just adopted that model for their wiki product: Free for 50. You can use a limited version of the product with up to fifty people at no charge. That freemium model got me using it.

Information is Expensive but Wants to be Free

Chris quotes Stewart Brand:

On the one hand information wants to be expensive, because it’s so valuable. The right information in the right place just changes your life. On the other hand, information wants to be free, because the cost of getting it out is getting lower and lower all the time. So you have these two fighting against each other.

What about law firms?

Let’s look at the most extreme examples, Orrick, Herrington and Sutcliffe‘s free business formation contracts and Wilson Sonsini’s Term Sheet Generator. There’s no cost to use the forms and no registration required to download them. Businesses can use them free. Other lawyers can use the forms as if they were their own and use them to serve their own clients. But the free product may help capture business. There are big segments of the legal market that can’t afford to hire these firms. Now, a business using these may be more likely to use the firm because some of the work has already been done. The firms could charge far less to review a completed form than if the firm were to begin the incorporation from scratch. It may offer them a competitive advantage if opposing counsel presents them with one of their own forms.

But those examples are new and few.

There is an incredibly common freemium model adopted by almost every law firm: Client Alerts.

When you had to mail these alerts there was a dollar cost associated with that distribution. To better phrase that, there was a stamp cost associated with distribution. Now distribution are costs are minimal. The costs are the same whether you email it to 500 people or 50,000 people. The same is true with viewing it on the law firm’s website.

I think it is quaint that some law firms still use the “client alert” label. I get more alerts from firms that do not represent me, than I do from the firms that do represent me.

Lawyers and their firms are giving away this valuable legal insight in the hopes that you will hire them to represent you in a matter related to the information in their publication. They use the publications to showcase their expertise, but in the process give away some of their substantive knowledge.

The book is worth reading. You should start thinking about how free may affect your business.

References:

Malcolm Gladwell’s review of Free in The New Yorker: Priced to Sell
Anderson’s respone to Gladwell: “Dear Malcolm, Why So Threatened?
GeekDad – Wired’s parenting blog
Nice but Tricky from The Economist
Free and the Future of Publishing by William Landay
Mark Cuban: When you success with Free, you are going to die by Free
Seth Godin: Malcom is Wrong

Avery Dennison Settles SEC Case for China FCPA Violation

avery-dennison

Avery Dennison has settled two related Securities and Exchange Commission cases over alleged Foreign Corrupt Practices Act violations. In an administrative action, the SEC imposed a cease-and-desist order against the consumer product company and ordered it to pay $318,470 in disgorgement and interest. In a civil case, Avery agreed to pay a $200,000 penalty. Avery settled both proceedings without admitting or denying the claims.

The SEC had charged that the Reflectives Division of Avery (China) Co. Ltd. paid kickbacks, sightseeing trips, and gifts to Chinese government officials.

In January 2004, an Avery China sales manager went to a meeting with government officials and bought each a pair of shoes with a combined value of $500.
In May 2004, the subsidiary hired a former government official as a sales manager because his wife was still employed at the government institute and was in charge of two projects the company wanted to pursue.
In August 2004, Avery China obtained two contracts to install new graphics on police cars through the Institute. The sales manager agreed that the total sales price of the contracts would be inflated so the additional charges could be paid back to the Institute as a “consulting fee.” Total sales under these contracts were about $677,000, with profits of about $363,000. The kickback payments, which would have been about $41,000, were discovered by another division and halted prior to payment.
In December 2002, an Avery salesman hosted a sightseeing trip for five government officials. Two reimbursement requests were used to conceal the expenses for the trip.
In August 2004, Avery China paid a kickback to another government owned enterprise to secure a sales contract. Total sales under the contract were about $106,000, with profits of about $61,000. The $2,415 kickback was not paid after it was discovered by company officials.
In 2005, Avery China secured a sale to a state-owned end user by agreeing to pay a Chinese official a kickback of nearly $25,000 through a distributor. Avery China realized $273,213 in profit from this transaction, which it inaccurately booked as a sale to the distributor rather than to the end user.
In late 2005, during a sales conference hosted by Avery China at a famous tourist destination, a sales manager paid for sightseeing trips for at least four government officials at a cost of $15,000
After Avery acquired a company, employees of the acquired company continued their pre-acquisition practice of making illegal petty cash payments to customs or other officials in several foreign countries. Those in illegal payments were approximately $51,000.

A spokesperson for Avery told the FCPA Blog, “What’s important to us is the fact, noted in the SEC’s administrative order, that we discovered the questionable actions. We investigated them and took disciplinary action, and reported them to the Securities Exchange Commission and Department of Justice (DOJ). As the SEC’s administrative order notes, in some cases we prevented them. We believe ethical conduct is critical to our reputation and our success, and we back that up with a rigorous training and reporting process to help employees make the right decisions. Our training includes training on the FCPA.”

References:

Avery Dennison Settles China-Related Violations from The FCPA Blog
THE FCPA: A Continuous Series of Payments and Promises from SEC Actions
Avery Dennison Settles FCPA Charges with SEC from the Securities Law Prof Blog
SEC Litigation Release on Avery Dennison
SEC order of Proceedings against Avery Dennison (.pdf)
Avery Dennison case a window on the pitfalls U.S. firms face in China by Don Lee for the Los Angeles Times

2009 Data Breach Investigations Report

285 Million records were compromised in 2008. The Verizon Business RISK Team conducted a study of first hand evidence collected during data breach investigations of 90 confirmed breaches as part of their caseload. This 2008 caseload of more than 285 million records, exceeded the combined total from 2004 to 2007.

2009 Data Breach Investigations Report .

Investigators concluded that 87 percent of breaches could have been avoided through the implementation of simple or intermediate controls. All of these were the standard practices in the industry. In only 13 percent of cases were costly controls (in terms of effort and expense) recommended as the most efficient and effective means of avoiding the breach. Most of these were standard security controls, even though they are costly.

They conclude with these recommendations:

Align process with policy: Many organizations set security policies and procedures yet fail to implement them consistently. Controls focused on accountability and ensuring that policies are carried out can be extremely effective in mitigating the risk of a data breach.

Achieve essential, and then worry about excellent: We find that many organizations achieve very high levels of security in numerous areas but neglect others. Criminals will almost always prefer the easier route. Identifying a set of essential controls and ensuring their implementation across the organization without exception, and then moving on to more
advanced controls where needed is a superior strategy against real-world attacks.

Secure business partner connections: Basic partner-facing security measures as well as security assessments, contractual agreements, and improved management of shared assets are all viewed as beneficial in managing partner-related risk.

Create a data retention plan: Clearly, knowing what information is present within the organization, its purpose within the business model, where it flows, and where it resides is foundational to its protection. Where not necessitated by valid business needs, a strong effort should be made to minimize the retention and replication of data.

Control data with transaction zones: Based on data discovery and classification processes, organizations should separate different areas of risk into transaction zones. These zones allow for more comprehensive control implementations to include but not be limited to stronger access control, logging, monitoring, and alerting.

Monitor event logs: All too often, evidence of events leading to breaches was available to the victim but this information was neither noticed nor acted upon. Processes that provide sensible, efficient, and effective monitoring and response are critical to protecting data.

Create an Incident Response Plan: If and when a breach is suspected to have occurred, the victim organization must be ready to respond. An effective Incident Response Plan helps minimize the scale of a breach and ensures that evidence is collected in the proper manner.

Increase awareness: Delivered effectively, training that educates employees about the risks of data compromise, their role in prevention, and how to respond in the event of an incident can be an important line of defense and discovery.

Engage in mock incident testing: In order to operate efficiently, organizations should undergo routine IR training that covers response strategies, threat identification, threat classification, process definition, proper evidence handling, and mock scenarios.

Join me at 12:30 (July 29, Boston Time) for a free webinar on Preparing for the Strictest Privacy Law in the Nation: MA Privacy Law 201 CMR 17 hosted by Knowledge Management Associates.