The "Safer Products" Database: Reports of Harm Made Public on March 11, 2011

Posted last week at the National Law Review by Mary C. Turke of Michael Best & Friedrich LLP – updated information on the U.S. Consumer Product Safety Commission’s Publicly Available Consumer Product Safety Information Database which is set to officially launch March 11, 2011: 

The U.S. Consumer Product Safety Commission’s Publicly Available Consumer Product Safety Information Database (the “Database”) (found at www.saferproducts.gov) will be launched officially on March 11, 2011. Mandated by the Consumer Product Safety Improvement Act of 2008 (the “Act”), the Database includes a new mechanism for consumers to report harm, or merely a risk of harm, involving consumer products (excluding food and drugs). The Database makes qualified reports of harm available to the public, in an online, searchable format. Prior to publication of any report, the Commission will allow manufacturers to comment and/or challenge reports containing materially inaccurate or confidential information. In certain cases, manufacturers’ comments may be published as well. Previously, reports of harm and responsive comments were not available to the public unless published in a Commission report or obtained through a Freedom of Information Act request.

The Database is currently in “soft-launch,” i.e., the Commission and stakeholders are testing the new reporting and response system with the knowledge that until March 11, 2011, nothing will be made publicly available in the Database. Indeed, consumer reports are being accepted through the website and any report meeting minimum requirements for publication is transmitted to registered manufacturers, importers and private labelers. These companies are able to provide comments online and challenge reports as containing inaccurate or confidential information.

This practice time is valuable, particularly because the faster a company is able to respond to a negative consumer report, the better. Companies should use the soft-launch to establish protocols for dealing with reports of harm involving their products, including designating persons within the company to be notified of reports via email and identifying the single account holder who is allowed to submit comments. The Act does not require that reports be based on first-hand knowledge or that they be made within a certain time following the alleged harm. Thus, companies should carefully review all reports in which they are named and consider monitoring reports in the Database by industry — where no manufacturer is named. Perhaps most importantly, companies should develop procedures for responding to reports that contain materially inaccurate or confidential information. The Act requires that any request to remove information from a report be “timely” and accompanied by a certification to defend the Commission if the removal is later challenged. Thus, companies must be prepared to act quickly and accurately in responding to reports of harm. Practice and preparation during soft-launch will help in that endeavor.

To succeed in an increasingly competitive business environment, manufacturing companies need to seize every available advantage. Whether negotiating a contract, moving an idea through the patent process or dealing with customers, getting your manufactured products to market requires expertly-coordinated efforts. Any delay can have a significant impact on your business. 

© MICHAEL BEST & FRIEDRICH LLP

Legal Risks Facing New Media Publishers

A new post from the National Law Review’s featured guest bloggers Neil M. Rosenbaum and Seth A. Stern of Funkhouser Vegosen Liebman & Dunn Ltd details some of the legal pitfalls of social media platforms.  Read On:

The rise of online media means that many businesses are doubling as publishers, with all the attendant benefits and risks.  Every day, courts and lawmakers face the challenge of applying legal principles conceived in the era of periodic publications featuring bylines and mastheads to the unlimited, instantaneous, and often anonymous content communicated via the Internet.

Below are brief synopses of some of the issues facing online publishers that courts have discussed in recent months.

Anonymous Defamation

Federal law generally precludes defamation liability for websites based on third-party content.  This, however, does not mean that third-party content cannot land a webmaster in court.  Plaintiffs often issue subpoenas to websites for identifying information regarding anonymous commenters.  While companies may be reluctant to spend their money protecting someone else’s First Amendment right to speak anonymously, website operators — particularly those that have promised to protect users’ privacy — may face liability for turning over identifying information.

Businesses that have themselves been anonymously defamed and seek to identify the defamer must jump through a number of procedural hurdles designed to protect the commenter’s constitutional right to speak anonymously.  Some courts have suggested that these hurdles may be easier to clear when the anonymous defamer acted for commercial purposes.

Jurisdiction

Internet postings can be accessed anywhere and courts have suggested that Internet posters can therefore be sued anywhere.  A federal appellate court sitting in Chicago recently rejected the Arizona domain registrar GoDaddy’s argument that, absent specific intent to direct its Internet activities toward Illinois, Illinois courts should not hear a cybersquatting suit against it.

Additionally, at least three recent appellate courts have held that online defamers can be sued in states other than the one from which the content was published.  This means that companies with online presences must be prepared to defend themselves in jurisdictions that may apply varying legal standards.  Savvy plaintiffs are sure to choose the jurisdiction most favorable to them.

Privacy and Confidentiality

Many social media users assume that by setting posts to “private” they control their audience.  This is not always the case.  A New York court recently held that “private” Facebook and MySpace posts are discoverable during litigation and that there is “no legitimate reasonable expectation of privacy” in such posts.  Additionally, the United States Supreme Court decided this year that an officer’s privacy rights were not violated when the police department searched his text messages while auditing the department’s texting plan.  But some courts have found privacy violations where employers used false pretenses to access employees’ “private” content.

In another recent case a federal court decided that a company’s client list could not be protected as a trade secret because the same information could easily be found on sites such as LinkedIn.

Intellectual Property

While website operators can limit their copyright liability for third-party content by following statutory procedures, websites’ own content is fair game.  Online publishers, particularly bloggers, often quote and expand on content created by others.  While some perceive this as an opportunity to reach new audiences, others denounce the practice as free-riding.  Some media outlets have sold their copyrights to companies that have filed hundreds of suits against alleged online infringers.  Others have threatened to sue bloggers for misappropriation of “hot news.”

Courts have suggested that those who misuse an entity or individual’s name to bring attention to online gripes, for instance by impersonating their target, may be liable under trademark statutes, particularly when acting with a profit motive.  California has banned “e-personation” outright.

Harassment

A federal court dismissed an employee’s suit alleging that her employer subjected her to a “hostile work environment” by failing to act after coworkers posted inappropriate comments regarding her race on a personal Facebook page.  The court left open the question of whether a company can be liable for improper comments on a company-monitored social media site.

Excerpted from FVLD’s blog, http://www.postorperish.com, which regularly discusses these and other issues facing online publishers.

© Copyright 1999-2010, Funkhouser Vegosen Liebman & Dunn Ltd. All rights reserved.

The Ten Commandments of Drafting a Social Networking Policy

The National Law Review’s featured Guest Bloggers this week are from Steptoe & Johnson PLLC. Vanessa L. Goddard provides some concrete do’s and don’ts for drafting a company Social Media policy.  Read on:

You’ve probably heard this “fact”: if Facebook was a country, it would be the fourth largest country in the world! Web 2.0 has infiltrated every aspect of our lives, including the workplace. As a result, most lawsuits in which employers become mired are fraught with electronic data issues. To guard against a wide range of legal claims, as well as reap the benefits of a global marketplace, many employers are instituting social networking policies. But, as with any policy, a social networking policy must be carefully drafted to meet your business needs. With that, I introduce to you the 10 Commandments of drafting a social networking policy:

NUMBER ONE: Thou shalt NOT use a sample policy pulled willy-nilly from the Internet.

While your search results will pull up dozens of fine looking policies, you won’t know who wrote them, the legal jurisdiction from which they hail, or the business interests the policy seeks to promote. Many times, a bad policy is worse than no policy at all.

NUMBER TWO: Thou SHALT work in harmony to craft a policy appropriate for your business.

If you decide that a social networking policy is appropriate for your business (and it may not be), the combined cooperation of your IT department, human resources, legal, and company decision-makers is necessary to formulate an effective policy.

NUMBER THREE: Thou SHALT know the risks and guard against them.

Employee use of social networking media can have wide-ranging legal ramifications for employers. Possible claims include: harassment, discrimination, defamation, invasion of privacy, and a variety of statutory violations.

NUMBER FOUR: Thou SHALT proclaim that the eye of the employer sees all.

Notify employees that they have no expectation of privacy in their use of company technology, that their activities should be work related only, and that their communications may be accessed at any time.

NUMBER FIVE: Thou shalt NOT take the name of the employer in vain.

The policy should require disclaimers be used indicating that the opinions stated therein are those of the employee and not the employer.

NUMBER SIX: Thou SHALT respect thy co-workers, customers, competitors, and employer.

Require employees to act respectfully in their social networking/blogging activities. Provide guidance on what is and what is not appropriate behavior.

NUMBER SEVEN: Thou shalt NOT steal or do other really bad things with your employer’s computer.

The policy should prohibit disclosure of confidential information, the use of legally-protected/copyrighted information, and the dissemination of personal information of co-workers.

NUMBER EIGHT: Thou SHALT know the consequences of thy actions.

Inform your employees that their social networking activities on the job are subject to all company policies and explain the consequences of violating your social networking policy.

NUMBER NINE: Thou SHALT spread the word throughout the masses.

Distribute the policy. Have your employees sign off on their receipt and understanding of the policy. Provide training on the policy.

NUMBER TEN: Thou shalt NOT commit random acts of destruction.

You MUST ensure that your litigation hold policy incorporates procedures and methodologies to capture and preserve social networking data in the event of litigation.

© 2010 Steptoe & Johnson PLLC All Rights Reserved

About the Author:

Vanessa Goddard’s primary focus is in the area of labor and employment law. She has been involved in representing clients in various employment cases, including sexual harassment, deliberate intent, age, race, and disability discrimination, wrongful discharge, and various other employment-related torts. She is admitted to various state and federal courts as well as the Third Circuit Court of Appeals and Fourth Circuit Court of Appeals.  304-598-8158 / www.steptoe-johnson.com

Almost Ten Years After the Enron Meltdown: More Costs, More Prosecution, More Compliance?

I recently heard Sherron Watkins speak as part of a panel at Inside Counsel’s recent Super Conference in Chicago.  Ms. Watkins is a former Enron Vice President who is widely credited with exposing the accounting and other irregularities, which led to Enron’s demise and ushered in a new era of compliance awareness. Ms. Watkins provided some chilling insights and timely reminders about how a company can go to great lengths to appear to be highly compliant and ethical but in reality can be a very different creature.

At the time of the Enron meltdown, Enron was the seventh biggest company in America and the world’s biggest energy trader. Enron also had a Code of Corporate Compliance which would be technically compliant today with many of the Code of Conduct requirements mandated under Sarbanes-Oxley (SOX), enacted because of the Enron meltdown. Enron’s Board of Directors famously waived various provisions of their well-crafted Code of Conduct twice. These waivers of the Code of Conduct allowed the company’s CFO to run competing companies and companies which traded directly with Enron, and many other questionable business practices.

Back in 2001, Watkins began investigating Enron’s relationship with LJM (a special purpose entity designed to take high-risk poor-performing assets off Enron’s balance sheet). Watkins became increasingly alarmed as it became apparent that the LJM relationship didn’t stand up to accounting scrutiny. Watkins sent Kenneth Lay, then Chairman of Enron’s Board of Directors, a detailed memo in August 2001 explaining her concerns.  Watkins outlined how the structuring of the LJM deals didn’t seem to have a true third-party relationship and warned Lay that the aggressive accounting would come back and haunt the company. After drafting the memo, Watkins met with Lay to convey her fears face to face.     

Enron went down quickly. By December of 2001 Enron filed for bankruptcy, which at the time was the biggest bankruptcy case in US history. Thousands of workers lost their jobs and thousands of investors lost billions of dollars. Soon after Enron’s bankruptcy, Watkins’ role publicly came to light. In January 2002, a Congressional committee published her memo to Ken Lay, and Watkins and many others testified before Congress about Enron’s corporate culture, internal controls and accounting practices.

In response to Enron, WorldCom and other financial scandals, Congress enacted SOX. Section 404 of SOX requires that company management document, test and adequately support the effectiveness of its internal controls. It also states that such documentation, testing and support be audited and reported on by external auditors.  Certifying officers, the CEO and CFO, face penalties of $1 million for false certification and/or up to 10 years imprisonment for “knowing” violations, and $5 million and/or up to 20 years imprisonment for “willing” violations. In theory, a new era of “transparency” was born.

But Enron famously had a “no harm, no foul” culture and to the outside world, a state of the art Code of Conduct. Whether it was simply looking the other way or actual ignorance, most Enron employees prior to 2001 were unaffected by the executive pillaging going on across all levels of the business and the executives heartily benefited from it. Watkins believes the true bite from SOX comes from the Act’s enforcement penalties. Back in 2003, Watkins famously stated: “Monetary fines don’t do it. If you’ve made a hundred million dollars and you’re fined $25m, you’re still filthy rich. To go to jail scares these guys to death. Standing in a cafeteria line for food, communal showers? It will change them forever.”

Significantly Increased Corporate Compliance Spending:

It’s difficult to quantify directors’ and officers’ fear, but one measurable result of Enron, WorldCom and SOX has been significantly increased compliance costs. Such costs have been well documented – some estimates placing them at well over $6 billion annually. Two accounting professors at the University of Illinois estimated that companies spent 120 million hours in 2004 alone complying with SOX. They also suggested that outside auditors spent another 12 million hours. That equates to 132 million hours – or, to put it another way, 66,000 people working for one year on nothing else.

Experts all agree the costs have been steep, but how steep? According to one study that has attracted a lot of attention, SOX contributed significantly to wiping US$1.4 trillion off the value of the stock market. This startling amount comes from a study by Ivy Xiying Zhang, Assistant Professor of Accounting at the University of Minnesota.   

In spite of the current recession, roughly three out of four companies either kept compliance spending even in 2009 or actually increased it.  For 2010 compliance spending is expected to be about the same as 2009 or even slightly higher.  This data was revealed in a survey published in January conducted by the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA).  http://www.corporatecompliance.org

Roy Snell, Chief Executive Officer of SCCE, recently stated: “According to our survey results 33% of companies surveyed expect a budget increase in 2010, and 18% expect their staffing to increase.” “This shows that the business community has come to realize that the price of cutting back on compliance far exceeds any potential rewards.”

Increased Regulatory Enforcement of Financial Crime:

While it is difficult to tell if the increased spending on compliance is having any measurable effect on actual compliance, the government has certainly made corporate and financial crimes the new target of the “war on crime.”  One area of heightened government enforcement is the FCPA (Foreign Corrupt Practices Act), which prohibits bribery of foreign government officials. Some statistics illustrate:

  • In 2000 federal prosecutors brought no FCPA criminal cases.
  • In 2004 there were 3.
  • In 2009 there were 34 criminal FCPA actions with many more in the pipeline – the Justice Department currently has approximately 150 open investigations.
  • On January 19, 2010, 22 individuals were arrested under portions of the FCPA.   This is the largest single investigation and prosecution against individuals in the 32-plus year history of the FCPA.

In 2009, the federal government significantly beefed up the False Claims Act (FCA) under FERA (Federal Employment and Recovery Act). The FCA applies to the Troubled Asset Relief Program (TARP) to prosecute persons who make false statements to obtain TARP funds.  TARP also created a Specialized Inspector General (SIGTARP) who will collaborate with the FBI and federal prosecutors.  Many states also have their own false claims acts, which should also come into play as TARP money flows to states.

State attorneys general and federal officials are starting to work together as never before, too.

  • Operation Short Change:  A joint effort of the FTC and 18 state attorneys general targeting business scams taking advantage of the economic downturn.
  • Operation Loan Lies:  A joint effort of the FTC and 18 state attorneys general targeting mortgage modification scams.
  • Operation Stolen Hope:  A joint effort of 26 federal and state agencies to crack down on mortgage foreclosure rescue and loan modification scams.

Take Away:  While Enron had a stellar Code of Conduct on paper – it was waived by the Board and the potential profits at the time seemed to seriously outweigh any civil and criminal penalties in force at the time.  Almost ten years later, companies are spending vast resources on compliance, even in the wake of the current recession.  Wall Street’s recent problems which prompted TARP seem to have motivated both federal and state governments to step in with heightened enforcement of financial crimes.  Whether heightened government enforcement coupled with increased corporate awareness is enough to deter the temptation of potential profits still remains to be seen.

What Corporate America Can Learn from America’s Greatest Spy. Corporate Data Security Quick Reminders.

Since the 1990s the information explosion has drastically increased the ability to share information and also the ability to steal information.  Former FBI undercover operative Eric O’Neill is widely credited with bringing down America’s most notorious spy, Robert Philip Hanssen.  At Inside Counsel’s Super Conference, Eric gave the first day’s Keynote address where he outlined how corporations can learn some lessons from the Hanssen case.

As an undercover surveillance specialist, O’Neill was trained to watch, profile and follow people. In 2001, O’Neill was approached by his superiors to investigate special agent Robert Hanssen. O’Neill was assigned as a direct report of Hanssen’s and on his first day of work, Hanssen introduced O’Neill to “Hanssen’s Law.” “Hanssen’s law” was that the spy is always where he has access to the information that he knows he can use to do the most damage and get the most money.

In the corporate setting, O’Neill outlined a few obvious and not so obvious ways that industrial spies obtain proprietary corporate information:

Corporate Dumpster Diving: Picking up information that is cast off (i.e., trash at home or work).  Most larger organizations have thorough data destruction policies and employ data destruction vendors. But things can go very wrong if procedures are not faithfully followed or if vendors are not fully vetted and monitored.  There needs to be corporate awareness that data security is everyone’s daily concern.

Security industry analyst Steve Hunt, who heads up Hunt Business Intelligence, believes too many people think that data security is just an IT issue. “There are so many physical security aspects to data protection it ought to never be considered merely an IT security issue,” Hunt said in an article written for CSO Online.  With all the focus on protecting electronic data, many organizations forget about paper data and the physical protection of electronic data.

Hunt recently did a corporate dumpster dive in a major U.S. city and found all sorts of things that would be in violation of most companies’ data destruction policies.  The dive turned up cancelled checks with the bank account owner’s social security number written on top. It also turned up the bank account numbers and balances for the political fundraising account of “a certain prominent politician in the area.” Hunt also found the personal financial statement of a very wealthy individual, including the person’s name, home address, real estate owned and values of the properties, several of the individual’s bank account numbers, social security number and date of birth. Hunt’s experiment even yielded a whole laptop with a tag on the back that says “Property of [another financial institution]”.  Steve’s adventure took all of three minutes and he astutely advises companies to do their own dumpster diving tests to monitor how their company’s data destruction policies are actually functioning.

Corporate Charity:  Information that is ‘castoff’ can include old computers donated to charity.  O’Neill detailed situations where companies purchased all the old computers of their competitor from a charity who supposedly cleaned off all pertinent information and the purchaser ended up obtaining valuable business information from their competitor’s donated computers.  If making a charitable donation of your used electronic equipment is what your organization chooses to do, it may make sense to do the data cleaning in-house prior to physically surrendering your old equipment, so you can control the data cleaning process.

Corporate Posers / Impostors:  Corporate spies often attempt to gain access by relying on people’s willingness to help out, the awkwardness of questioning strangers, and the excitement of receiving free stuff. Corporate spies know these human tendencies and use them to their full advantage. According to O’Neill, a hacker could be posing as ‘Joe from IT’ sending you an email or phone call requesting your password.  If you’re busy or distracted, this just may work.

“Hi, I’m the rep from Cisco and I’m here to see Nancy.”  Chris Nickerson, founder of Lares, a Colorado-based security consultancy, recently pulled off a successful social engineering exercise for a client by wearing a $4 Cisco shirt that he got at a thrift store (Read: Anatomy of a Hack).

Criminals will often take weeks or months getting to know a place before even coming in the door, according to O’Neill. Posing as a client or service technician is one of many possibilities. Knowing the right thing to say, who to ask for, and having confidence are often all it takes for an unauthorized person to gain access to a facility, according to Nickerson.  

Other old stand-bys according to O’Neill are: “Can you hold the door for me? I don’t have my key/access card on me.” Another version would be “Can you hold the door for me?” while carrying a box of “paper for a printer” using both hands.  How many people at your organization would turn away an HVAC person on an emergency call after normal business hours?  Would the air conditioner / heater actually be serviced? Or would bugs be planted, phones be tapped, pictures be taken? Would computer drives be duplicated, papers photocopied, or data altered?

Another ruse is flash drives distributed at conferences or left in strategic locations. Flash drives left unattended in a parking lot, public bathroom or elevator of a targeted company may be a part of a sophisticated social engineering attack. These drives may be seeded with a trojan horse set to automatically run as soon as the drive is inserted and quietly steal your personal or company information in the background.  This happened in an actual attack against the U.S. Pentagon!

Take Away:  Closely check the background and reputation of any data destruction vendors.  Verify that the data is actually destroyed in a non-usable format, and monitor closely that your corporate record destruction procedures are being faithfully followed.  Remember the simple and obvious ways that corporate spies can try to gain your trust and gain access to vital information.  Be wary of free giveaway computer devices or cast-off computer items that can be inserted into your computer.

Eric M. O’Neill is the founding partner of the Georgetown Group, where he specializes in counterintelligence and counterterrorism operations, security risk assessments, investigations into economic espionage, internal investigations, and background investigations. Eric served as an undercover operative for the F.B.I., where he conducted national security field operations against terrorists and foreign intelligence agents.  His role in the investigation and capture of Robert Philip Hanssen, the most notorious spy in United States history, became the subject of Universal Studios’ movie Breach, released to critical acclaim in 2007.