Stop SOPA

Based on the White House statement about the Stop Online Piracy Act (SOPA), the PROTECT IP Act and the Online Protection and Digital ENforcement Act (OPEN), those bills may be in serious trouble.

The Stop Online Piracy Act (SOPA), H.R. 3261, as originally proposed, would allow the U.S. Department of Justice to take action against websites accused of enabling or facilitating copyright infringement. The court order could include barring online advertising networks and payment facilitators from doing business with the allegedly infringing website, barring search engines from linking to such sites, and requiring Internet service providers to block access to such sites. This creates a huge compliance headache for website publishers and the internet infrastructure.

Then there is the further erosion of civil liberties by allowing government intervention based on content. (Granted, the content is supposed to be illegal, but who determines it’s illegal?)

The bill would also make unauthorized streaming of copyrighted content a crime. We don’t need more criminal laws. Unfortunately, I think many members of Congress are taking positive positions on the legislation without understanding the implications.

Here are links about SOPA and the protest against it:

Compliance Building will shut down for most of the day, as will Wikipedia, Boing Boing, the Cheezburger network of sites and many other internet sites.

Quon Roundup on Employee Computer Privacy

Lots of discussion about the Quon case focused on the lack of technology expertise by the Justices on the Supreme Court. Actually, most people labeled them as Luddites. DC Dicta even claims that Chief Justice Roberts writes his opinions in longhand with pen and paper.

The issue that I am hoping to see addressed is how a stated policy on the use of a company’s hardware and network can be enforced in light of an employee’s expectations of privacy.

I doubt that issue will be addressed directly. The Quon case involves a government employee so the discussion of the issue will likely focus on the Fourth Amendment protection. These protections are largely irrelevant for private employees.

Even if the Justices avoid the Fourth Amendment issues, they may decide the case under the Stored Communications Act. That’s a rather boring and technical law. It’s also largely irrelevant to the use of a company’s hardware and network, although it may provide some insight for the use of cloud computing and web 2.0 sites.

The United States Government, through the arguments of Neal K. Katyal, Deputy Solicitor General, seemed to ask the Court to adopt a bright-line rule that a company can trump the reasonableness of any employee’s expectation of privacy by issuing a policy that employees have no privacy in communications when using the company-provided hardware or network.

The Justices seemed fairly skeptical of that kind of bright-line rule in their questions of Mr. Katyal.

The problem is that tightly crafting laws to specifically address the use of particular communication technologies will fail. In the current environment, technological advances in communications are moving much faster than the cogs of bureaucracy in crafting regulations. The Supreme Court (well, at least Justice Alito) recognized that the expectations of privacy with new communication are in flux.

“There isn’t a well-established understanding about what is private and what isn’t private. It’s a little different from putting garbage out in front of your house, which has happened for a long time.”

The ruling in the case is expected sometime in June at the end of the Supreme Court’s term. It’s certainly something for compliance professionals to keep an eye on.

Sources:

Image of P2000 Pager.JPG is by Kevster

Workplace Computer Policy and the Attorney Client Privilege

Back in April, I mentioned a New Jersey case that found e-mail, sent during work hours on a company computer, was not protected by the attorney-client privilege: Compliance Policies and Email (Stengart v. Loving Care [.pdf]). That case has now been overturned. It seems that a company’s policy on computer use may be more limited than I originally posted.

Factual Background:

The company provided Stengart with a laptop computer and a work email address. Prior to her resignation, plaintiff communicated with her attorneys, Budd Larner, P.C., by email about an anticipated suit against the company, and using the work-issued laptop but through her personal, web-based, password-protected Yahoo email account. After Stengart filed suit, the company extracted a forensic image of the hard drive from plaintiff’s computer. In reviewing plaintiff’s Internet browsing history, an attorney discovered numerous communications between Stengart and her attorney from the time period prior to her resignation from employment with Stengart.

I found it strange that the email from a web-based email account would be stored on the local computer. I am going to guess that it was attachments to the email that ended up stored on the computer in a temporary file and not the email itself.

Company Position:

According to the decision, the company’s policy may not have been clearly distributed and applied. There were some factual disputes about whether the company had ever adopted or distributed such a policy. There was a further dispute as to whether the policy, even if it was put in place, applied to executives like Stengart.

Decision:

In the end the company’s position didn’t matter and the court assumed the policy was in place. Instead, the court took a harsh position:

A policy imposed by an employer, purporting to transform all private communications into company property — merely because the company owned the computer used to make private communications or used to access such private information during work hours — furthers no legitimate business interest. See Western Dairymen Coop., 684 P.2d 647, 649 (Utah 1984). When an employee, at work, engages in personal communications via a company computer, the company’s interest — absent circumstances the same or similar to those that occurred in State v. M.A., 402 N.J. Super. 353 (App. Div. 2008); Doe v. XYC Corp., 382 N.J. Super. 122, 126 (App. Div. 2005) — is not in the content of those communications; the company’s legitimate interest is in the fact that the employee is engaging in business other than the company’s business. Certainly, an employer may monitor whether an employee is distracted from the employer’s business and may take disciplinary action if an employee engages in personal matters during work hours; that right to discipline or terminate, however, does not extend to the confiscation of the employee’s personal communications.

Those were some broad statements, but the decision was ultimately limited to the attorney-client privilege.

There is no question — absent the impact of the company’s policy — that the attorney-client privilege applies to the emails and would protect them from the view of others. In weighing the attorney-client privilege, which attaches to the emails exchanged by plaintiff and her attorney, against the company’s claimed interest in ownership of or access to those communications based on its electronic communications policy, we conclude that the latter must give way. Even when we assume an employer may trespass to some degree into an employee’s privacy when buttressed by a legitimate business interest, we find little force in such a company policy when offered as the basis for an intrusion into communications otherwise shielded by the attorney-client privilege.

It seems that New Jersey courts are now taking the position that a company cannot read an employee’s personal e-mail, even when the employer has a policy stating that the employee has no reasonable expectation of privacy. The exception to this rule would be when the company needs to know the content of the e-mail to determine whether the employee broke the law or violated company policy.

Investor Relations 2.0

eBay took a bold move yesterday, using Web 2.0 tools for investor relations. During its first analysts’ meeting in three years, eBay management had a live Twitter stream with live coverage of the meeting and bloggers with just less than live coverage of the meeting.

The securities industry seems to be struggling with Web 2.0 tools. (In fairness, most industries are struggling with Web 2.0 tools.) Blame uncertainty about these relatively new tools. Blame securities class action lawsuits. Blame the SEC for a lack of guidance. It looks like eBay was tired of excuses and decided to jump into the world of Investor Relations 2.0.

An article from Dominic Jones of the IR Web Report caught my eye: SEC Disclaimers in the Age of Twitter. Was eBay really going to use Twitter as part of its investor relations? YES.

Apparently Richard Brewer had already been live-tweeting eBay’s quarterly earnings conference calls. Management knew he had been using his eBay Ink Blog to report the quarterly earnings results, but was unaware of his use of Twitter. He was called in to meet with the lawyers. But rather than shut him down, they worked out some best practices. They came up with New Social Media Guidelines for Reporting Company Information.

“Plain and simple, eBay Inc. is a public company and, as such, must comply with SEC regulations. We feel that these guidelines will make that compliance more transparent. What follows is by no means a final set of micro-blogging/live-blogging best practices for companies but it is a step – and a very significant one at that. Something that I realize I will have to refine and evolve over time.”

That seems very sensible. The SEC’s Guidance on the use of company web sites (SEC Release 34-58288) does not give the clearest guidance but certainly opens the way for public companies to use 2.0 tools as part of their investor relations.

Richard kicked off his live Twitter coverage of the meeting with the new disclaimer crafted just for Twitter:

[Image: eBay Twitter disclaimers]

It included a link to a longer legal disclaimer. It’s more than 140 characters, but still very concise.

An interesting thing about Twitter is the ability to tag the updates, allowing others to follow on that same topic. Richard used #ebayinc. This allowed you to follow not just Richard’s updates, but all of the reactions to Richard’s updates.

Richard also compiled the Twitter updates into a traditional blog post: eBay Inc. Portfolio Roadmap Preview by John Donahue. (Did I just call a blog post traditional?)

With all of that live information and feedback, eBay’s regular investor relations page looks very cold and lifeless. It does not seem to have as much information. Perhaps it is even less relevant?

In the end, Web 2.0 tools are just communication tools. They are not that different than traditional read-only web pages or email. They do allow for easier, faster and more robust communications. You can see the difference in the comparison between the traditional eBay Investor Relations website and the eBay Ink 2.0 website.

How is your company using web 2.0 tools for investor relations?

Blogging and Social Networking Policies

Here are some policies that I like for dealing with blogging and social networking sites:

Enforce Your Email and Web Acceptable Usage Policies

MessageLabs (now part of Symantec) published a whitepaper, Not Just Words: Enforce Your Email And Web Acceptable Usage Policies. The whitepaper was written by Nancy Flynn, Executive Director of the ePolicy Institute.

  • Email & Web Rule #1: Comply with Legal and Regulatory Rules
  • Email & Web Rule #2: Enforce Acceptable Usage Policy with Training and Technology
  • Email & Web Rule #3: Control Written Content to Control Risk
  • Email & Web Rule #4: Protect Resources, Preserve Productivity and Prevent Lawsuits
  • Email & Web Rule #5: Personal Use Heightens Risk
  • Email & Web Rule #6: Exercise Your Legal Right to Monitor
  • Email & Web Rule #7: No Reasonable Expectation of Privacy
  • Email & Web Rule #8: Lock Out Malicious Intruders
  • Email & Web Rule #9: Annual Review of Acceptable Usage Policies

How To Keep The Corporate Website In Compliance With Securities Laws

Timothy Hearn of Dorsey and Whitney penned SEC Provides Guidance On Use Of Company Web Sites in Cyberspace Lawyer Vol. 13, No. 9, Pgs. 8-12. Bowne’s Digest of Compliance professionals abstracted some of the highlights: Tips On How To Keep The Corporate Website In Compliance With Securities Laws.

The SEC has issued an interpretive release (SEC Rel. No. 34-58288) on how to manage a corporate website in compliance with the federal securities laws.

Software License Compliance

Mike Sisco of Cutter Consortium wrote a case study on what to do about a software license problem in the context of an M&A transaction: Compliance Problems? Address All Issues Quickly.

If you encounter software license compliance problems in an M&A transaction, there are two ways to resolve the problem:

  1. Point out the problem to the acquisition target and have the company resolve the issue before the merger is transacted.
  2. Build an action item to resolve the issue into your IT due diligence plan and budget. In other words, take care of the problem soon after the merger transaction is completed.

IT for GRC: Improving Information Quality

Carole Switzer, President of OCEG, and Lee Dittmar, principal of Deloitte Consulting LLP, presented this webinar.

There is an imperative to improve governance, risk management and compliance processes to better manage risk, address increasing regulatory requirements, increased executive accountability and the fragmentation of information. It is about getting the right information, to the right person, at the right time. (Isn’t that knowledge management too?)

What is the information problem?

  • Managers need to know, anticipate and respond quickly and correctly
  • Stakeholders expect reliable and transparent reporting
  • Time and resources are spent searching for data
  • Data overload
  • DINK – Data Is Not Knowledge

It is not about “check the box” compliance; it is about improving your business.

Lee thinks governance, risk and compliance should be viewed comprehensively and leverage common systems. Integrated systems can help overcome silos. The key is a single source of the truth.

The goal is to get GRC embedded in the core processes. To be “in the flow” instead of “above the flow.”

Lee is seeing organizations adopting the business concepts of integrated GRC (even if they do not call it GRC).