Tuesday Morning Quarterback and Compliance


What do these have in common? Gregg Easterbrook includes Tim Geithner, Charles Ponzi, Allen Stanford and Rod Blagojevich in his annual mock of mock football drafts.

For those of you who have not read Gregg Easterbrook’s Tuesday Morning Quarterback, he is not your normal football scribe. Gregg Easterbrook is a contributing editor for The New Republic, The Atlantic Monthly and The Washington Monthly. He is also the author of The Progress Paradox: How Life Gets Better While People Feel Worse, and other books. If the name sounds familiar in legal circles, that’s because his brother is Frank Easterbrook, Chief Judge of the United States Court of Appeals for the Seventh Circuit.

Besides the content on the mock of the mock drafts and his annual prediction for the seventh round of the draft (as likely to be right as any of the mock drafts for the first round), Gregg offers his opinions on the AIG bonus scandal, the link between Easter and Passover, and the complaints about the series finale of “Battlestar Galactica.”

SEC Enforcement Update: A Wounded Animal is a Dangerous Animal

Securities Docket presented this webcast with Michael MacPhail of Holland & Hart LLP and Patrick Hunnius of White & Case LLP. “In a sharp detour from the era of Chairman Christopher Cox, the SEC under new Chairman Mary Schapiro’s leadership has obtained big budget increases that will be used to increase the number of enforcement lawyers. It has also empowered its staff by streamlining procedures relating to the issuance of formal orders of investigation and negotiating civil penalties with corporations. The staff has responded enthusiastically to the change in regime by bringing an unprecedented number of emergency civil actions, cases involving Foreign Corrupt Practices Act violations, and cases targeting lawyers.” The materials are available on Securities Docket. These are my notes.

Michael MacPhail of Holland & Hart LLP started off by pointing out the beating the enforcement division has taken over the last year. The new administration has brought in some strong new leadership (and it’s pissed off and wants some victories). The SEC is touting its litigation victories and enforcement actions. It wants to be tough and is taking a “Get Tough” approach.

The SEC is also seeking lots of Temporary Restraining Orders. The TRO is ex parte so the company has no chance to present its case at the TRO hearing. The TRO also usually includes an asset freeze. These are “draconian” measures. Since the SEC is limiting funds, they are also limiting the defendants’ access to cash for legal fees. That makes it hard to keep lawyers in place. One example is the Stanford case where his lawyers quit and Stanford now has to defend himself.

How do you avoid a TRO? Talk with the SEC staff and let them know that you have removed the risk factors. Show proof that the bad acts have stopped. Convince the SEC that assets and funds are not moving. Try using escrow accounts and transparent accounts. You will also need to prove that you are actually taking those steps. The Wells Process has started to vary from office to office and case to case in the defendants’ access to information about the case against them.

Patrick took over to focus on enforcement priorities that are likely here to stay and some likely new trends. He pointed out that FCPA enforcement has been on the increase. They are also looking at attorneys and other professionals. These are attractive scalps. One of the likely areas of enforcement is the FCPA in the era of Sovereign Wealth Funds and the use of government bailout funds. Many Sovereign Wealth Funds can fall under the definition of a foreign-controlled enterprise under the FCPA.

There is no clear line as to what amount of foreign ownership makes an entity an instrumentality of a foreign government. Majority ownership is probably enough. But minority interests may still be enough. Increased Sovereign Wealth Fund investment activity could transform ordinary business partners into a foreign government instrumentality. For example, 10% of Daimler is owned by a Sovereign Wealth Fund. Another example is the City Center project in Las Vegas, which is a joint venture of MGM and Dubai World. The owner of that project may be subject to the FCPA. There are very few compliance programs in place to deal with that scenario. You have to be cautious about the foreign government ownership of banks and financial companies. Icelandic banks are probably instrumentalities of a foreign government. Looking inward, Citibank, AIG, and Bank of America could be thought of as instrumentalities of the United States.

The SEC has raised the flag that it is going after gatekeepers, especially if it can be seen that the gatekeeper was heavily involved in the bad acts. Patrick pointed out how lawyers have gotten dragged into the back-dating of stock options scandal. Patrick looked at two cases. In US v. Collins, the attorney was found to have been involved in drafting loan documents to hide some of the REFCO losses. The attorney was also involved in drafting the SEC disclosure documents and did not disclose the bad things he saw or should have seen. In US v. Offill, the attorney worked with his client to get around the registration requirements in order to sell securities. He was accused of being part of a “pump and dump” scheme.

The Legal and Regulatory Implications of Internet Privacy


Pillsbury Winthrop Shaw Pittman LLP and Protiviti presented a webinar on the legal implications of social networking. These are my notes.

Rocco Grillo of Protiviti started off the presentation. Social networks have become part of many people’s day-to-day work. They have not replaced email, but are still robust communication tools. The first presenter offered the example of a Fortune 500 company that wanted to shut down access to several social networking sites and make their use during working hours a terminable offense. They found out that their human resources group used Facebook extensively as part of their recruiting program.

He moved on to social networking risks, pointing out that these sites can deliver trojans or viruses to computers. (Although he did not offer any examples of how they offer any more of a threat than other websites.) Rocco emphasized the importance of creating a policy and working with your company to craft one that takes into account how people in your organization use these tools. Use of the sites is not an IT decision. You need to work with a larger group of stakeholders.

He noted the possibility of profile spoofing on these sites. How do you know that the person behind that profile is really that person? Avoid publishing common verification information like your date of birth or mother’s maiden name. Rocco shared some other scare stories.

Rocco did move on to balancing the risks with the benefits of the tools. Shutting down social networks does not remove the risks. You need a balanced strategy. These are powerful tools, but you need to make people aware of some of the risks.

Ben Duranske took over next. He is part of Pillsbury’s virtual worlds and video games practice. He pointed out that besides Second Life, many of these virtual worlds are pitched towards kids. Sites like Webkinz and Club Penguin target a younger audience than Second Life. The roadblocks for virtual worlds are bandwidth, processing power, and ease of access. Since they are proprietary, virtual worlds are walled gardens and there is no standardization. These sites allow users to create things. There is real money involved. The Terms of Service of these sites largely concede ownership of your content to the site and allow them to disclose lots of the information. They are very willing to respond to subpoenas requesting the disclosure of user identities.

Ben laid out some key concerns regarding privacy in mainstream virtual worlds and games:

  • Violation of Export Restrictions
  • Loss of Trade Secret Protection
  • Inadvertent Privacy Policy Violations
  • Destruction of Confidentiality Protections

He pointed out that he does not communicate with clients in virtual worlds regarding their cases.

Since many of these sites are targeted at kids, you need to make sure you comply with the requirements of Children’s Online Privacy Protection Act (COPPA).

Wayne Matus of Pillsbury moved on to cloud computing. Your information and the things you are doing are not happening on your computer or server, but are actually somewhere else. He pointed out four principal types of cloud computing:

  • Internet-based services
  • Infrastructure as a service
  • Platform as a service
  • Software as a service

Why should lawyers care? The Fourth Amendment. It is not clear if those protections apply to cloud computing. Every man’s house is his castle. But is your piece of the cloud part of your castle? Do you have a reasonable expectation of privacy for this information up in the cloud?

In United States v. Miller, 425 U.S. 435 (1976), the Supreme Court held that a government’s demand on a bank did not affect any Fourth Amendment interest of its customer. In United States v. Ziegler (2007), the United States Court of Appeals for the Ninth Circuit acknowledged that an employee has a right to privacy in his workplace computer. The court also found that an employer can consent to searches and seizures that would otherwise be illegal.

You need to comply with the Patriot Act. You have some uncertainties as to what jurisdiction applies. You may not know where your information actually exists. There are lots of complex laws that limit the flow of information: HIPAA, tax returns, attorney-client privilege, the Electronic Communications Privacy Act, the Fair Credit Reporting Act, etc. Part of the problem is that many of the contractual agreements with the cloud computing providers do not adequately address many of these issues.

Wayne offered up some things to include in the terms of service:

  • Use of data
  • Location of data
  • Encryption
  • No change of terms
  • Destruction
  • Ownership (assignment)
  • Subpoena
  • Audit rights

Hotline for Improvements


At a recent compliance meeting I overheard a discussion about the possibility of using the whistleblower hotline to also solicit comments for improvements to the operations of your company.

Those of you with active hotlines probably get enough false positives coming through (HR, workplace disputes, …) that you probably don’t want anything else coming in. But employees and other stakeholders may use a hotline to report any issue that makes them uncomfortable. For example, complaints regarding discrimination and sexual harassment are high-liability issues that need to be addressed. Turning away these calls because the hotline is “for Sarbanes-Oxley Complaints Only” may alienate an employee who has made the difficult decision to take action.

But if your hotline is underused, the anonymity feature could be useful as a suggestions box.

If something is bothering employees in the workplace, even if it is not a high-liability issue, it could come through the hotline. To spin it around, profitability and cost reduction suggestions could come through the hotline as well.

What do you think?

Image is by oyxman and made available through Wikimedia Commons: Tall Red K6 Phone Box.jpg.

Happy Patriots’ Day!


The Redcoats are coming! The Redcoats are coming!

Patriots’ Day is a Massachusetts state holiday commemorating the opening battles of the American Revolutionary War in Lexington and Concord in April 1775. In the morning there is a battle reenactment on the Lexington Green of the early-morning engagement between the town’s militia and the British regulars. If you remember back to U.S. history class, that battle was the shot heard round the world.

There is also a re-enactment of the rides of Paul Revere and William Dawes from Boston out to Lexington. (You don’t know about Dawes because Longfellow didn’t write a poem about him.) That ride started out with the “one if by land, two if by sea” signal to Charlestown in case Revere and Dawes were captured.

The more modern day event is the running of the Boston Marathon, starting in Hopkinton and ending 26.2 miles later in Copley Square. This year is the 113th running of the race.

What does this have to do with compliance or business ethics? Nothing. It’s a holiday here in Massachusetts so I am out of the office.


Quick Hits

Some quick hits on stories that interest me, but did not make it to a full post:

SEC Posts XBRL Compliance Guide from The Filing Cabinet by Melissa Klein Aguilar

The staff of the Securities and Exchange Commission has posted a “small entity compliance guide” on its rules that require companies to submit financial statements tagged using eXtensible Business Reporting Language to the Commission and to post them on their corporate Websites.

Data Breach: Identity Theft Risk Insufficient to Support Claims by Hunton & Williams LLP’s Global Privacy and Information Security Law and Analysis

The mere increased risk of identity theft following a data breach is sufficient to give the data subjects standing to bring a lawsuit in federal court but, absent actual identity theft or other actual harm, claims against the data owner and its service provider for negligence and breach of contract cannot survive, a federal judge ruled this month. Ruiz v. Gap, Inc., et al., No. 07-5739 SC (N.D. Cal. April 6, 2009).

Updating Your Gift & Entertainment Policy by Melissa Klein Aguilar for Compliance Week

In a recent survey of more than 500 compliance and ethics professionals, 46 percent said their organization hasn’t significantly updated its gift and entertainment policy in the last year. Of that group, 20 percent admitted it’s been at least three years since their policies were significantly updated. Observers say compliance executives have plenty of reasons to give those policies a fresh look, not the least being the continued enforcement crackdown on bribery.

Corresponding with Cornelius


Here are some of my recent comments on some other blogs or other websites that allow comments.

I am happy to have you leave comments at Compliance Building. But if not here, take a look at what other people are saying. Join me in the conversation over there.

What Would You Do?? by Heather Milligan of The Legal Watercooler

Heather comments on the $80,000 paid vacation offered by Skadden, posting: “If I were a Skadden associate, I would take this opportunity to explore my passions. Perhaps law is it … but maybe not. Why not take this time to figure it out while you are young and relatively unencumbered?” I commented that law schools should seize the opportunity and offer some specialty programs to provide some additional specialized education to these lawyers with time on their hands.

Obama Knows Where the Wild Things Are

Over on my personal website, I found a video of President Obama reading Where the Wild Things Are.

Personal, Private, Professional, Public by Mike McBride of The Many Faces of Mike

Chatting about my 4Ps of publishing to the internet

What I’d Do: Part 2 – First We Focus On The Client by Francine McKenna of re: The Auditors

Francine has a great discussion about the divided loyalties of auditors and the effects of the recent reductions in their workforce.

Catch the Wave: Client Data is Becoming Cloud-Bound by Gary Levine on Capitalization Matters

Gary looks at some of the ways law firm client information is moving into the cloud, including my post on extranets.

Image is by Solarapex published on Wikimedia Commons and made available through a Creative Commons license: One Financial Center (Boston)

Risk Assessment – Getting It Right


PricewaterhouseCoopers LLP sponsored this webcast: Corporate leaders have long recognized that the pace of change continues to increase in velocity, thus challenging management’s execution of the business’ strategic and tactical plans. Enterprise Risk Management (ERM) is a management tool that can be effective in identifying and assessing the risks that come with change and allow management to respond to their organization’s changing risk profile in a timely fashion. The speakers were all from PricewaterhouseCoopers LLP:

  • Joseph C. Atkinson, Principal
  • Brian Brown, Partner
  • Peter Frank, Director
  • Catherine Jourdan, Director

These are my notes.

Why focus on risk? Changes in the marketplace and the world economy have given the perception that the world is a riskier place. That may or may not be true. But people are more focused on risk. It seems that poor risk management had a role in the recent economic troubles. Joe advocates that risk assessment should be integrated into business processes.

Brian took over and focused on defining risk and risk management. “Risk assessment is a systematic process for identifying and evaluating the events that could affect the achievement of an organization’s objectives, both positively or negatively.”

Risk assessment can be mandatory or voluntary. Anti-Money-Laundering, Basel II, and Sarbanes-Oxley compliance all require formalized risk assessment and focus on such processes as monitoring of client accounts, operational risk management, and internal control over financial reporting. Often it is also voluntary, driven by business needs, to assess development opportunities, talent retention, operational efficiency and performance improvement.

There are three primary frameworks for risk management: COSO’s ERM requirements, the Federal Sentencing Guidelines, and OCEG’s Red Book.

Peter took over and focused on the challenges to an effective risk assessment. Common business challenges include:

  • Risk assessment is viewed only as an episodic initiative, a required report that needs to be updated
  • An inordinate amount of effort is invested in gathering data and information, and the volume is difficult to interpret and leverage in a meaningful way for executive leadership
  • The risk assessment is viewed as a conclusion of the process, rather than a starting point.
  • Risks are identified and risk mitigation practices are emphasized without meaningful understanding of impact, causing some risks to be over-controlled and stifling innovation
  • Risk assessment is viewed as an additional function or department, not as an integrated management capability to embed in day-to-day activities
  • Accountability for risk management and performance management resides in silos
  • Multiple risk assessments are performed, using different definitions and measurements of risks, creating confusion and making confident action impossible

Catherine moved on to the six essential steps to performing a risk assessment.

  1. Identify relevant business objectives
  2. Identify events that could affect the achievement of objectives
  3. Determine risk tolerance
  4. Assess inherent likelihood and impact of risks
  5. Evaluate the portfolio of risks and determine risk responses
  6. Assess residual likelihood and impact of risks

Joe came back to conclude that “risk assessment discipline should be embedded in the organization’s regular business processes and yield valuable information to support decision-making to help systematically link risk, reward, and performance management.”

Corporate Miranda for Internal Company Investigations

As in-house counsel are often the ones starting an internal investigation, they need to be mindful of the same issues that appear when outside counsel are conducting an internal investigation. I wrote about the referral for discipline in the Ruehle case and the malpractice claim in the Pendergast-Holt investigation in Attorney-Client Privilege and Internal Investigations.

It is even more important to clarify that the in-house counsel represents the organization. Employees are often used to dealing with in-house counsel as colleagues and give little regard to who they actually represent. After all, it is natural for employees regularly interacting with in-house counsel to view them as their lawyer. Under the ABA’s model rules, Rule 1.13(f) requires:

In dealing with an organization’s directors, officers, employees, members, shareholders or other constituents, a lawyer shall explain the identity of the client when the lawyer knows or reasonably should know that the organization’s interests are adverse to those of the constituents with whom the lawyer is dealing.

It is important to keep notes that you made the disclosure. Part of the issue in the Ruehle case and the Pendergast-Holt investigation is over what was said to the individual employees regarding representation. Treat the clarification statement as a “Corporate Miranda.”

Does the employee then have the right to remain silent? The Miranda rights under the Fifth Amendment are a limitation on the government, not a private company. The employee can remain silent, but you can terminate the employee for not cooperating. Of course it is good practice to let the employee know ahead of time what the consequences are for not cooperating.

Do they have the right to an attorney? Again, the Miranda rights under the Fifth Amendment are not a limitation on a private company. There is a practical question about how you want to treat employees and whether the responses will be better if the employee talks with a lawyer before answering. It is probably better to give the employee a reasonable amount of time to get their own lawyer.

One aspect of the Miranda warning does come into play. What the employee says can be used against them.

What if they can’t afford an attorney? Back to the statement that the Miranda rights under the Fifth Amendment are not a limitation on a private company.

But corporate law does come into play for attorney costs. Under Delaware corporate law, a Delaware corporation must indemnify an officer or director who is successful on the merits or otherwise in the defense of a qualifying claim (see §145(c) of the Delaware General Corporation Law). In addition to the required indemnification, a Delaware corporation may indemnify individual employees for expenses incurred “if the person acted in good faith and in a manner the person reasonably believed to be in or not opposed to the best interests of the corporation, and, with respect to any criminal action or proceeding, had no reasonable cause to believe the person’s conduct was unlawful.” (see §§145(a) & 145(b) of the Delaware General Corporation Law) Then there are often contractual arrangements with senior management for indemnification and a D&O insurance policy that may trigger the payment of defense costs. Other types of entities and other states’ laws may have different treatment of defense costs and indemnification.

It is important to set up guidelines and protocols for investigations. Has your organization put together its own Corporate Miranda?


Image is from Wikimedia Commons: CBP Border Patrol agent reads the Miranda rights

Dishonest Deed, Clear Conscience


In the world of compliance, you may sometimes wonder if that code of ethics really works. Lisa L. Shu, Francesca Gino, and Max H. Bazerman presented their research that a code of ethics really can reduce bad behavior: Dishonest Deed, Clear Conscience: Self-Preservation through Moral Disengagement and Motivated Forgetting.

Their studies provided evidence that morality and memory function as sliding scales and are not fixed dimensions of a person. They found that once people behave dishonestly, they disengage, setting off a downward spiral of future bad behavior and increasingly lenient moral codes. They also found that this slippery downward slope can be counteracted with ethical codes that increase awareness of ethical standards.

If a situation permits dishonesty, then you should expect dishonesty. At the same time, merely reminding employees about established ethical codes could counteract the effect of a permissive situation.
