Discretion and Compliance

Martin Lomasney

Martin Lomasney created a famous saying on the importance of discretion:

“Never write if you can speak; never speak if you can nod; never nod if you can wink.”

At the time of Lomasney, it was not email but telegrams that were the principal method of electronic communication. But those telegrams just ended up on pieces of paper.

This was also the time before e-discovery. Now every email is subject to ending up in a lawyer’s hands during a lawsuit.

Think before you hit that send button. Maybe a phone conversation will be better. Or a nod.

Corporate Compliance Scam Comes to North Carolina


A vigilant reader in North Carolina received an “Annual Minutes Requirement Statement” from Corporate Compliance Services. We have seen a similar scam in California, Colorado, Florida, Georgia, Indiana, Illinois, Massachusetts, Montana, New York, Ohio, and Texas.

The very official document cites North Carolina General Statute §55-16-01(a) with the requirement that a corporation must keep a permanent record of all meetings of its incorporators, shareholders and board of directors, and all actions taken.

This form does not act as a record of the meetings, but is merely a list of the directors, officers, and shareholders. It does not even meet the requirement of the statute it cites.

North Carolina General Statute §55-16-01(c) requires a corporation to maintain a record of its shareholders in a form that permits preparation of a list of the names and addresses of all shareholders, in alphabetical order by class of shares showing the number and class of shares held by each.

The form provides a list of shareholders and the number of shares, but does not record the class of shares. That appears to make the form defective and would not meet the requirements of the statute.

In fairness to the Compliance Services, the form and the company’s website both state that they are not connected with any government agency. Throw their form in the garbage and check with your attorney to make sure the proper corporate procedures and record-keeping are in place.

According to a source at the North Carolina Department of Justice, anyone who has lost money to this Raleigh, NC version of the scam is invited to contact Jennifer Pulley of the NC Attorney General’s Consumer Protection Division, tel. 919-716-6000.

See a larger image of the form.

Associational Retaliation Claims


Most companies have some form of non-retaliation policy for employees who make a good faith report of a problem. But what if the company retaliates against someone else instead? That was the situation presented in a recent court case: Thompson v. North American Stainless. A woman and her fiancé worked at the same company. She complained and they fired him.

Factual Background:

The plaintiff, Eric Thompson, claimed he was fired in retaliation for his fiancee’s discrimination charge. Thompson met the woman, Miriam Regalado, at work. In 2002, Regalado filed a charge with the EEOC alleging that she was discriminated against because of her gender. At the time of Thompson’s termination, he and Regalado were engaged to be married, and their relationship was common knowledge at North American Stainless.

The Problem

Title VII of the Civil Rights Act says an employer may not fire, demote, harass or otherwise “retaliate” against an individual for filing a charge of discrimination. Most companies have a policy that takes the same position for reporting other violations of company policy or illegal acts.

Clearly if the company had fired Regalado, the fiancee, they would have broken the law. But is it still “retaliation” if you fire a close friend or relative? (That’s associational retaliation.)

The Result

No, at least under Title VII of the Civil Rights Act. The Court relied on the plain language of the statute limiting the class of persons authorized to sue for retaliation to those who opposed an unlawful employment practice; made a charge; or testified, assisted, or participated in any manner in an investigation, proceeding, or hearing. The statute does not authorize a retaliation claim by a plaintiff who did not himself engage in protected activity.

But . . .

The Court did note that Thompson’s fiancee, who filed the original discrimination charge, could have filed a retaliation complaint herself alleging that the termination of Thompson in response to her protected activity was an adverse employment action against her. There is no background on why she didn’t do that.

Companies should be careful of these potential associational retaliation claims when dealing with their complaint process.


What Went Wrong at Lehman?


Complinet interviewed David DeMuro, head of compliance at Lehman Brothers during its last days in 2008. It should come as no surprise that the warning signs were there for everyone to see but in the midst of a bubble, employees were too scared to raise their hand because there was still money to be made.

DeMuro did not blame the regulators, saying they were looking closely at the working of the investment bank. He did lay some blame on the Federal Reserve Bank: “The role of the Fed is to take away the punch bowl just as the party gets going. However, in recent times the Fed has chosen to add just a few more shots of vodka to the punch bowl to keep the party going.”

He did peg lots of blame on an over-reliance on financial risk models. There was also an “almost religious belief” in the veracity of the models.

See the webcast yourself (13 minutes): Complinet Interviews David Demuro


Workplace Computer Policy and the Attorney Client Privilege


Back in April, I mentioned a New Jersey case that found e-mail, sent during work hours on a company computer, was not protected by the attorney-client privilege: Compliance Policies and Email (Stengart v. Loving Care [.pdf]). That case has now been overturned. It seems that a company’s policy on computer use may be more limited than I originally posted.

Factual Background:

The company provided Stengart with a laptop computer and a work email address. Prior to her resignation, the plaintiff communicated with her attorneys, Budd Larner, P.C., by email about an anticipated suit against the company, using the work-issued laptop but through her personal, web-based, password-protected Yahoo email account. After Stengart filed suit, the company extracted a forensic image of the hard drive from the plaintiff’s computer. In reviewing the plaintiff’s Internet browsing history, an attorney discovered numerous communications between Stengart and her attorney from the time period prior to her resignation from employment with Stengart.

I found it strange that the email from a web-based email account would be stored on the local computer. I am going to guess that it was attachments to the email that ended up stored on the computer in a temporary file and not the email itself.

Company Position:

According to the decision, the company’s policy may not have been clearly distributed and applied. There were some factual disputes about whether the company had ever adopted or distributed such a policy. There was a further dispute as to whether the policy, even if it was put in place, applied to executives like Stengart.

Decision:

In the end the company’s position didn’t matter and the court assumed the policy was in place. Instead, the court took a harsh position:

A policy imposed by an employer, purporting to transform all private communications into company property — merely because the company owned the computer used to make private communications or used to access such private information during work hours — furthers no legitimate business interest. See Western Dairymen Coop., 684 P.2d 647, 649 (Utah 1984). When an employee, at work, engages in personal communications via a company computer, the company’s interest — absent circumstances the same or similar to those that occurred in State v. M.A., 402 N.J. Super. 353 (App. Div. 2008); Doe v. XYC Corp., 382 N.J. Super. 122, 126 (App. Div. 2005) — is not in the content of those communications; the company’s legitimate interest is in the fact that the employee is engaging in business other than the company’s business. Certainly, an employer may monitor whether an employee is distracted from the employer’s business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee’s personal communications.

Those were some broad statements, but the decision was ultimately limited to the attorney-client privilege.

There is no question — absent the impact of the company’s policy — that the attorney-client privilege applies to the emails and would protect them from the view of others. In weighing the attorney-client privilege, which attaches to the emails exchanged by plaintiff and her attorney, against the company’s claimed interest in ownership of or access to those communications based on its electronic communications policy, we conclude that the latter must give way. Even when we assume an employer may trespass to some degree into an employee’s privacy when buttressed by a legitimate business interest, we find little force in such a company policy when offered as the basis for an intrusion into communications otherwise shielded by the attorney-client privilege.

It seems that New Jersey courts are now taking the position that a company cannot read an employee’s personal e-mail, even when the employer has a policy stating that the employee has no reasonable expectation of privacy. The exception to this rule would be when the company needs to know the content of the e-mail to determine whether the employee broke the law or violated company policy.


To Lead, Create a Shared Vision


In the January 2009 issue of the Harvard Business Review is a short Forethought piece on the importance of leaders creating vision: To Lead, Create a Shared Vision.

James M. Kouzes and Barry Z. Posner emphasize the importance of leaders creating vision for their organization and developing a forward-looking capacity. But rather than leaders thinking that they themselves need to be the visionary, the authors think it is more important to get input from the people in your organization to develop the vision.

Too many leaders act as “emissaries from the future, delivering the news of how their markets and organizations will be transformed.” Instead, “constituents want visions of the future that reflect their own aspirations. They want to hear how their dreams will come true and their hopes will be fulfilled.” The best way to lead people into the future is to connect with them in the present.

What does this mean for compliance?

When putting together and maintaining your compliance program, you need to seek input from as many people as possible. It is too late to get buy-in after the policy is already drafted. Send early drafts to a wide population of the organization for review and comment. They may surprise you by pointing out weaknesses and ambiguity in the policy draft.

By sending drafts, you also emphasize the importance of the policy and its existence. Many studies have shown that people need to be exposed to a policy several times before they can even remember that it exists. Circulating drafts can accomplish some of that information awareness.

Whistleblowing in Europe – Legal Aspects


Jonathan Armstrong of Eversheds gave this webinar. (You can watch it yourself after a free registration: Whistleblowing: Challenges in running a helpline in Europe.) These are my notes:

Why have a hotline? A hotline can help the headquarters connect with offices abroad. They can help internalize issues and the flow of information. The main reason for a hotline is because of a legislative requirement. Sarbanes-Oxley is the most well known legislation.

The main legal issues implicated: privacy, data security (particularly for third party providers), labor law, HR issues, and third party contracts. The more issues covered by the helpline, the more legal issues will be involved.

The history of hotlines really starts with SOX. Hotlines were then impacted by the 2005 privacy cases in France, then by the works council issue in Germany and France in 2005.

The CNIL guidelines limit the hotline to “serious” cases. They have a quick prepackaged list of items for which you can set up a hotline. If you are outside the parameters, then you need approval. He recommends getting local counsel for the French approach.

The EU has formed the Article 29 Committee. CNIL took the lead in drafting so it looks more like France than the US. It discourages anonymous complaints. It discourages advertising that complaints can be made anonymously. It also gives defense rights to the accused. There is a two month retention period which makes it hard to track patterns. There should be a penalty for bad faith complaints. It expects reports to be investigated within the jurisdiction of the problem. It makes it hard to centralize investigators.

Image is by oyxman and made available through Wikimedia Commons: Tall Red K6 Phone Box.jpg.

GAO Report on Sovereign Wealth Funds


The U.S. Government Accountability Office has released its second report on Sovereign Wealth Funds: Laws Limiting Foreign Investment Affect Certain U.S. Assets and Agencies Have Various Enforcement Processes (.pdf). This report was sent to the Committee on Banking, Housing, and Urban Affairs in the U.S. Senate.

The Report found the United States is generally open to foreign investment, except for sector-specific restrictions. The banking, agriculture, transportation, natural resources and energy, communications, and defense sectors have federal laws that apply to foreign investment specifically. These sectors have laws that contain provisions that either restrict the level of foreign investment, limit the use of a foreign-owned asset, or at least require approval or disclosure of any foreign investments.

In addition to these specific limitations, there is the broad power under the Defense Production Act of 1950 granted to the CFIUS to review a foreign acquisition, merger, or takeover of a U.S. business that is determined to threaten the national security of the United States.

Restrictions on foreign investment in real estate also exist in many states. According to an Alien Land Ownership Guide from the National Association of Realtors, 37 U.S. states had some type of law affecting foreign ownership of real estate. Most of the laws are merely a requirement that a foreign investor register as a company doing business in the state before purchasing property. Some states specifically prohibit foreign ownership of certain types of land. One common type of real property restriction was for agricultural land. Fifteen states have some law governing foreign ownership in this area.

The Report’s recommendation for Executive Action:

To enhance their oversight of sectors subject to laws restricting or requiring disclosure of foreign investments, we recommend that the Chairman of the FCC and the Secretaries of Agriculture and Transportation review the current sources of the information their agencies currently monitor to detect changes in ownership of U.S. assets— which are subject to restriction or disclosure requirements applicable to foreign investors—and assess the value of supplementing these sources with information from other government and private data sources on investment transactions.


FBAR Deadline

The deadline for Foreign Bank Account Reporting is June 30. The Report of Foreign Bank and Financial Account is IRS TD F 90-22.1 (.pdf).

Any United States person who has a financial interest in or signature authority, or other authority over any financial account in a foreign country, if the aggregate value of these accounts exceeds $10,000 at any time during the calendar year must file the report. An FBAR must be filed whether or not the foreign account generates any income.

The IRS has engaged in a large-scale initiative to seek out taxpayers with undisclosed accounts overseas. While in the past the prosecution of those failing to comply with the Foreign Bank Account Reports reporting requirements has been rare, following enactment of the Patriot Act of 2001, the IRS appears ready, willing and able to crack down on the non-compliant.

The granting, by IRS, of an extension to file Federal income tax returns does not extend the due date for filing an FBAR. There is no extension available for filing the FBAR.

There are a few exceptions to the filing requirement.

An officer or employee of a bank which is currently examined by Federal bank supervisory agencies for soundness and safety need not report that he has signature or other authority over a foreign bank, securities or other financial account maintained by the bank, if the officer or employee has NO personal financial interest in the account.

An officer or employee of a domestic corporation whose equity securities are listed upon any United States national securities exchange or which has assets exceeding $10 million and has 500 or more shareholders of record need not file such a report concerning signature or other authority over a foreign financial account of the corporation, if he has NO personal financial interest in the account and he has been advised in writing by the chief financial officer or similar responsible officer of the corporation that the corporation has filed a current report, which includes that account.

An officer or employee of a domestic subsidiary of such a domestic corporation need not file this report concerning signature or other authority over the foreign financial account if the domestic parent meets the above requirements, he has no personal financial interest in the account, and he has been advised in writing by the responsible officer of the parent that the subsidiary has filed a current report which includes that account.

An officer or employee of a foreign subsidiary more than 50% owned by such a domestic corporation need not file this report concerning signature or other authority over the foreign financial account if the employee or officer has no personal financial interest in the account, and he has been advised in writing by the responsible officer of the parent that the parent has filed a current report which includes that account.

Accounts in U.S. military banking facilities, operated by a United States financial institution to serve U.S. Government installations abroad, are not considered as accounts in a foreign country.

The willful failure to disclose foreign accounts, or to report all of the information required on an FBAR, can result in severe civil and criminal penalties. The civil penalty amount is limited to the greater of $25,000 or the balance in the account at the time of violation, up to a maximum of $100,000 per violation. Criminal violations of the FBAR rules can result in a fine of not more than $250,000 or 5 years in prison or both.

Section 5314 of the Bank Secrecy Act of 1970 authorizes the Secretary of the Treasury to require residents or citizens of the United States to keep records and/or file reports concerning transactions with any foreign agency. (31 U.S.C. §5314) The provisions resulted from concern that foreign financial institutions located in jurisdictions having laws of secrecy with respect to bank activity were being extensively used to violate or evade domestic criminal tax and regulatory requirements.


Cloud Computing and Compliance

Compliance Week editor Matt Kelly and I talked about “cloud computing” and how such IT systems can affect compliance. Listen to the conversation. (Time: 8.5 min.; file size: 7.7 Mb)

Let’s try to define cloud computing a little better. It really encompasses a broad swath of services that can be put into three main groups. Infrastructure as a service provides virtual servers and data storage that users can configure. Platform as a service lets developers write applications using hosted software and development tools. Software as a service provides hardware and software applications that range from specialized functions, such as supplier information management, to desktop applications, such as word processing and spreadsheets, so the provider hosts both the application and the data.

You will listen to hear about the compliance issues: