Identity theft is a major concern for employers who are routinely entrusted with private information of employees and customers, especially in the electronic age, where improper use of such data can have widespread ramifications. According to the Federal Trade Commission (FTC), each year as many as 9 million Americans have their identities stolen. Is your company prepared to address a data breach?
Federal law and many state laws require employers to safeguard private information. For instance, the Fair Credit Reporting Act requires companies to take appropriate measures to dispose of sensitive information derived from consumer reports. If a company becomes aware of a data breach, the FTC also instructs it to immediately report the breach to the local police department, the local office of the FBI, or the U.S. Secret Service, and then to provide notice to individuals whose information was compromised to allow those individuals to take steps to mitigate the misuse of their personal information. Many state laws also require that notice be provided upon discovery of a breach.
New Jersey has enacted the Identity Theft Prevention Act (ITPA), which requires any business that lawfully collects and maintains computerized records to disclose to the New Jersey State Police and to any New Jersey customer (broadly defined to include an individual who provides personal information to a business, including employees) when that customer’s personal information was or may have been accessed by an unauthorized person. In the case of a large scale breach, businesses are also required to report to consumer reporting agencies. In addition, the ITPA regulates the use of social security numbers as identifiers, prohibits the display and usage of social security numbers on printed materials except where required by law, and requires the destruction of records containing personal information when no longer needed.
Similarly, the New York State Information Security Breach and Notification Act requires companies who own or license computerized data to provide prompt notification following the discovery of a breach to any New York resident whose private information was, or may have been, acquired without authorization. The New York State Social Security Number Protection Law regulates the handling of social security numbers and requires covered persons and entities to provide safeguards “necessary or appropriate” to preclude unauthorized access to social security account numbers and to protect the confidentiality of such numbers.
Employers must be prepared to continuously protect information. Best practices dictate that employers prepare guidelines for safeguarding private information.
This Alert has been prepared by Sills Cummis & Gross P.C. for informational purposes only and does not constitute advertising or solicitation and should not be used or taken as legal advice. Those seeking legal advice should contact a member of the Firm or legal counsel licensed in their state. Transmission of this information is not intended to create, and receipt does not constitute, an attorney-client relationship. Confidential information should not be sent to Sills Cummis & Gross without first communicating directly with a member of the Firm about establishing an attorney-client relationship.
Anti-money laundering officers, professionals, and in-house counsel should attend this conference to better understand the changing environment of the financial industry, learn how companies are adapting to these changes, and identify new ways in which criminals are laundering money through the United States financial system. With technological advancements and the introduction of money laundering into new financial entities, it is important that anti-money laundering professionals and in-house counsel who oversee anti-money laundering compliance stay abreast of current AML issues and best practices for preventing money laundering and suspicious activities from occurring in their organizations.
The Anti-Money Laundering conference is a highly intensive, content-driven event that includes case studies, presentations, and panel discussions over two full days. This conference targets industry leaders in AML, and Financial Compliance roles in order to provide an intimate atmosphere for both delegates and speakers.
Key conference topics include:
Explore the Office of Foreign Assets Control Sanctions Program and updates to the Iranian Sanctions
Evaluate the increasing correlation between fraud and money laundering
Discuss potential risks that emerging technological products pose to the financial industry
Investigate the increase in money laundering through the US from Narcotics Trade and Human Trafficking
Registration, Location & Details…..
May 9-11 Doubletree Metropolitan, New York City, NY, USA
The 21st edition of the SOX Compliance & Evolution to GRC Conference will afford SOX practitioners a unique opportunity to review the required blend of compliance and risk-based strategies and methodologies necessary to meet federal mandates while developing greater efficiency across their GRC footprint.
Attendees will have the opportunity to:
–Formulate methodologies to gain greater efficiency through the deployment of a risk-based approach
–Ascertain the impact a cross application of controls will have for SOX and greater GRC efforts
–Review innovative approaches for the successful launch and maintenance of control self-assessment initiatives
–Identify the latest strategies being utilized to ensure that SOX is a continuous process rather than an annual compliance exercise
–Realize the necessity of a cross-functional structured training and continuing education curriculum to ensure consistent performance of SOX controls and integrated GRC efforts
–Discover proven approaches for the integration of SOX compliance into GRC
–Analyze strategies to engage external auditors in the front end to establish common goals and reduce external expenditures
Registration, Location & Details…..
May 3-4 in Boston, MA
IQPC’s 11th eDiscovery Summit features hands on sessions and practical instruction to bring back to your eDiscovery teams. You will engage with IT and legal focus groups to candidly discuss anticipated push back issues, observe how different roles within your company approach imminent litigation and put bridging the gap strategies into practice.
It is no secret that you want to reduce the cost of eDiscovery, yet how do you know if you are paying a reasonable price for ESI processing and review? Do not miss this unique opportunity to learn about outside the box pricing structures and benchmark with your peers to gain a realistic picture of fair pricing for electronic information management.
Why attend the 11th eDiscovery Summit?
United States District Court Judges share their experiences with companies committing costly electronic discovery mistakes
Bridge the gap between IT and legal through a practical exercise with IT and legal focus groups
Learn practical steps to create a solid cross-functional eDiscovery team fostering communication and effective workflow between departments
Gain valuable metrics to assess the repeatability and defensibility of your eDiscovery procedures
Maximize the benefits of social networking and cloud computing without compromising security and increasing risk
It may surprise you, as it did me, to learn that today is Data Privacy Day, an “international celebration of the dignity of the individual expressed through personal information.” But Data Privacy Day also highlights the need for individuals to protect their data and how they can go about doing so.
There are many organizations out there that aim to help individuals protect their personal information and help businesses comply with data protection laws and regulations. The Online Trust Alliance is one such organization, whose mission is to create an online trust community, promoting business practices and technologies to enhance consumer trust globally. They recently released their “2011 Data Breach Incident Readiness Guide” to help businesses in breach prevention and incident management.
According to their newest guide, the true test for organizations and businesses should be the ability to answer key questions such as:
Do you know what sensitive information is maintained by your company, where it is stored and how it is kept secure?
Do you have an incident response team in place ready to respond 24/7?
Are management teams aware of security, privacy and regulatory requirements related specifically to your business?
Have you completed a privacy and security audit of all data collection activities, including cloud services, mobile devices and outsourced services?
Are you prepared to communicate to customers, partners and stockholders in the event of a breach or data loss incident?
With the White House, members of Congress, Commerce Department and the FTC calling for greater privacy controls and breach notifications, self-regulation by businesses is becoming more and more important.
Google, one of the supporters of Data Privacy Day and the initiatives of The Privacy Projects is hosting a public discussion on privacy later this afternoon with representatives from the Electronic Frontier Foundation, the FTC and the National Institute of Standards and Technology scheduled to attend. If you can’t stop by Google’s DC office for this event, don’t worry — it will be captured on video and posted to YouTube soon after.
Risk Management Magazine and Risk Management Monitor. Copyright 2011 Risk and Insurance Management Society, Inc. All rights reserved.
Two recent lawsuits allege that internet service providers violated users’ privacy by sharing “referrer data” containing potentially identifying information.
A former technologist with the Federal Trade Commission filed a privacy complaint (link via WSJ) against Google with his ex-employer. The complaint alleges that Google does not allow users to easily prevent transmission of information that allows website operators to determine the search terms used to access their sites. It claims that this constitutes a deceptive business practice by Google because “if consumers knew that their search queries are being widely shared with third parties, they would be less likely to use Google.”
According to the complaint, Google search URLs contain the user’s search terms, and when users click on a search result the webmaster of that site can see the terms used to access it. The complaint alleges that this conflicts with Google’s Privacy Policy and cites to Google’s court admissions that search queries may reveal “personally identifying information” and that consumers trust Google to keep their information private.
Google has allegedly tested products that deleted search terms from the referrer data visible to webmasters but discontinued them after receiving complaints and posted reassurances that search terms would remain visible. Apparently Google now offers an SSL encrypted search engine at https://www.google.com which protects search terms from being intercepted, but the complaint notes that this is not the default setting and it is not linked from the regular Google site. It also notes that Google provides search term protection to Gmail users searching their inboxes.
The merits of the complaint may hinge on whether search terms should be considered “personal information.” The complaint notes that the New York Times was able to identify supposedly anonymous AOL searchers in 2006 when AOL leaked a dataset of search queries.
The second suit alleges that, from February through May, Facebook transmitted referrer information to advertisers about users who clicked on their ads. It alleges violations of the federal Electronic Communications Privacy Act and Stored Communications Act as well as California computer privacy and unfair competition laws and common law claims of breach of contract and unjust enrichment.
The suit claims that “Facebook has caused users’ browsers to send Referrer Header transmissions that report the user ID or username of the user who clicked an ad, as well as the page the user was viewing just prior to clicking the ad . . . For example, if one Facebook user viewed another user’s profile, the resulting Referrer Headers would report both the username or user ID of the person whose profile was viewed, and the username or user ID of the person viewing that profile.”
As in the Google complaint discussed above, the plaintiffs allege that Facebook’s actions violate its privacy policy (which allegedly states “we never share your personal information with our advertisers”) and other representations to users as well as state and federal privacy laws. The amended complaint may be stronger than the suit against Google because referring Facebook pages, unlike Google searches, are often highly personalized and contain the Facebook user’s name. Facebook allegedly stopped embedding referrer data in May after media accounts exposed the practice.
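To make the mechanism behind both complaints concrete, the following Python sketch is an added example, not drawn from either complaint or from Google's or Facebook's code: it computes what the Referer header carries when a user leaves a page, and what the receiving site can read from it, under each Referrer-Policy value that browsers now support. The URLs are constructed, the function names are this example's own, and the downgrade test is simplified to "https page, non-https target".

```python
from urllib.parse import urlsplit, parse_qsl

POLICIES = (
    "unsafe-url", "no-referrer-when-downgrade", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "origin", "strict-origin",
    "same-origin", "no-referrer",
)

# Constructed sample URLs (not real sites or real users).
SEARCH_PAGE = "http://search.example/search?q=knee+surgery+cost&hl=en"
PROFILE_PAGE = "http://social.example/profile.php?id=1000123"
AD_TARGET = "http://advertiser.example/landing"


def referer_sent(page_url, target_url, policy):
    """Return the Referer value sent when leaving page_url for target_url,
    or None if the header is omitted. Simplified from the Referrer-Policy
    rules: 'downgrade' here means an https page linking to a non-https target."""
    src, dst = urlsplit(page_url), urlsplit(target_url)
    full = src._replace(fragment="").geturl()      # fragments are never sent
    origin_only = f"{src.scheme}://{src.netloc}/"
    same_origin = (src.scheme, src.netloc) == (dst.scheme, dst.netloc)
    downgrade = src.scheme == "https" and dst.scheme != "https"

    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin_only
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin_only
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin_only
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin_only
    raise ValueError(f"unknown policy: {policy}")


def exposed(referer):
    """What the receiving site can read beyond the sending host name:
    decoded query parameters and any non-root path."""
    if referer is None:
        return {}
    parts = urlsplit(referer)
    fields = dict(parse_qsl(parts.query))
    if parts.path.strip("/"):
        fields["(path)"] = parts.path
    return fields


def policy_report(page_url, target_url):
    """Exposed fields for every policy, for one page -> target navigation."""
    return {p: exposed(referer_sent(page_url, target_url, p)) for p in POLICIES}


if __name__ == "__main__":
    for page in (SEARCH_PAGE, PROFILE_PAGE):
        print(page)
        for policy, fields in policy_report(page, AD_TARGET).items():
            print(f"  {policy:32} {fields}")
```

A site operator can run `policy_report` over its own URL patterns to see which pages put identifying values in the query string or path, and which policy stops them from reaching third parties.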
Although some tech executives have been quick to sound the death knell for online privacy, consumers – even those who are products of the Internet generation – continue to disagree. A recent poll shows that 85 percent of teens believe social media sites should obtain their permission before using their information for marketing purposes.
Excerpted from FVLD’s blog, http://www.postorperish.com, which regularly discusses these and other issues facing online publishers.
You’ve probably heard this “fact”: if Facebook was a country, it would be the fourth largest country in the world! Web 2.0 has infiltrated every aspect of our lives, including the workplace. As a result, most lawsuits in which employers become mired are fraught with electronic data issues. To guard against a wide range of legal claims, as well as reap the benefits of a global marketplace, many employers are instituting social networking policies. But, as with any policy, a social networking policy must be carefully drafted to meet your business needs. With that, I introduce to you the 10 Commandments of drafting a social networking policy:
NUMBER ONE: Thou shalt NOT use a sample policy pulled willy-nilly from the Internet.
While your search results will pull up dozens of fine looking policies, you won’t know who wrote them, the legal jurisdiction from which they hail, or the business interests the policy seeks to promote. Many times, a bad policy is worse than no policy at all.
NUMBER TWO: Thou SHALT work in harmony to craft a policy appropriate for your business.
If you decide that a social networking policy is appropriate for your business (and it may not be), the combined cooperation of your IT department, human resources, legal, and company decision-makers is necessary to formulate an effective policy.
NUMBER THREE: Thou SHALT know the risks and guard against them.
Employee use of social networking media can have wide-ranging legal ramifications for employers. Possible claims include: harassment, discrimination, defamation, invasion of privacy, and a variety of statutory violations.
NUMBER FOUR: Thou SHALT proclaim that the eye of the employer sees all.
Notify employees that they have no expectation of privacy in their use of company technology, that their activities should be work related only, and that their communications may be accessed at any time.
NUMBER FIVE: Thou shalt NOT take the name of the employer in vain.
The policy should require disclaimers be used indicating that the opinions stated therein are those of the employee and not the employer.
NUMBER SIX: Thou SHALT respect thy co-workers, customers, competitors, and employer.
Require employees to act respectfully in their social networking/blogging activities. Provide guidance on what is and what is not appropriate behavior.
NUMBER SEVEN: Thou shalt NOT steal or do other really bad things with your employer’s computer.
The policy should prohibit disclosure of confidential information, the use of legally-protected/copyrighted information, and the dissemination of personal information of co-workers.
NUMBER EIGHT: Thou SHALT know the consequences of thy actions.
Inform your employees that their social networking activities on the job are subject to all company policies and explain the consequences of violating your social networking policy.
NUMBER NINE: Thou SHALT spread the word throughout the masses.
Distribute the policy. Have your employees sign off on their receipt and understanding of the policy. Provide training on the policy.
NUMBER TEN: Thou shalt NOT commit random acts of destruction.
You MUST ensure that your litigation hold policy incorporates procedures and methodologies to capture and preserve social networking data in the event of litigation.
Vanessa Goddard’s primary focus is in the area of labor and employment law. She has been involved in representing clients in various employment cases, including sexual harassment, deliberate intent, age, race, and disability discrimination, wrongful discharge, and various other employment-related torts. She is admitted to various state and federal courts as well as the Third Circuit Court of Appeals and Fourth Circuit Court of Appeals. 304-598-8158 / www.steptoe-johnson.com
A helpful article for all WordPress users out there from the National Law Review’s Business of Law weekly guest bloggers – Duo Consulting. Scott Frazer of Duo goes over a spam issue that impacted Duo’s blog and provides a detailed solution on how they fixed the problem!
Our blog was recently affected by a rather clever little hack, and when I went searching for ways to remove it, I couldn’t find much. Here’s a brief writeup of what happened and how I fixed it.
Our Director of Internet Marketing Strategy, Sonny Cohen, spends some of his time searching Google and other search engines for keywords relevant to our business. He began noticing that some of those results, while they would return pointers to our blog, were laced with keywords and links to various male enhancement drugs. When I searched our blog for these references, I couldn’t find anything.
Here’s what I was seeing when I would search our blog for the phrase “test”:
But here’s what Google was seeing when it did the same search:
You may notice that the URL in that is to a local file. There are two ways you can see what your site looks like to Google. One is to change the User Agent on your browser to match that of the Googlebot. The other is to use the Webmaster Tool’s “Fetch As Googlebot” lab utility. I used the latter, and saved the resulting report as an HTML file and then opened that file in Chrome.
So why is Google seeing different results than anyone else who visits my site and runs that query? Something different must be happening when Google visits. I started running through the execution path of WordPress. The first file that is accessed is index.php. All this file does is turn on a theming variable and load wp-blog-header.php. So I moved on to that file. It looked like this:
temp.php? Never heard of it, let’s see what’s inside:
eval (gzinflate(base64_decode(
'vVhtc9pGEP6emfwHRfUUmGLg9IbkhNrUJrZnEsfFOGmKXc1ZOoMmQqInYYea/Pfu'
.'nnjRG6aZzNRj0Em7++yzu3erOw5/fXM4HU9fvnj5Ym8cRnFnz77q9T/2+sPK2WBw'
…snip for length…
.'6reTZEAXdDrl4QNzE/3F3Wy+iKjPxFe0gH7G+ML1IiecBfHiY+LyWLhsVmDlrQ7g'
.'cvonDPkW65UOKh6zCWuM44kvFr6Ialmvw1/fHP4L'
)));
Now that looks evil. Obfuscated code can’t be good. I decided to see what it does by replacing the “eval” with “print” and then I ran “php test.php” from that directory. The results are very long, but you can see them here.
Basically, the program tries to determine if we are a real person or a search engine bot by looking at things like our IP address and our user agent. If it determines we are human, it goes ahead and returns the standard header. If we’re a bot, it serves the content in “theme.html” which is identical to the second screenshot above.
So to clean things up, I removed the reference to temp.php from wp-blog-header.php, deleted the file temp.php and deleted the file theme.html.
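The decoding step described above can also be done without a PHP interpreter. The following Python sketch is an added example, not part of the original write-up or Duo's code: it statically unwraps nested eval(gzinflate(base64_decode(...))) layers, checks the result for the strings the write-up says the decoded program relies on, and walks a directory for other PHP files carrying the same wrapper. The sample payload is constructed and inert; the function names and the MAX_OUT cap are assumptions of this example.

```python
import base64
import os
import re
import zlib

MAX_OUT = 1 << 20  # assumption: refuse to inflate more than 1 MiB per layer

# One quoted base64 literal, then any number of ". 'literal'" continuations,
# matching the layout of the snippet shown in the write-up.
_STR = r"""(?:'[A-Za-z0-9+/=]*'|"[A-Za-z0-9+/=]*")"""
WRAPPER = re.compile(
    r"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\(\s*"
    r"(" + _STR + r"(?:\s*\.\s*" + _STR + r")*)"
    r"\s*\)\s*\)\s*\)\s*;?"
)
# Strings the write-up says the decoded program uses to pick its response.
INDICATORS = ("HTTP_USER_AGENT", "REMOTE_ADDR", "theme.html")


def inflate_raw(blob: bytes) -> str:
    """PHP's gzinflate() is raw DEFLATE (wbits=-15); cap the output size."""
    d = zlib.decompressobj(-15)
    out = d.decompress(blob, MAX_OUT)
    if d.unconsumed_tail:
        raise ValueError("payload inflates past MAX_OUT")
    return out.decode("latin-1")


def decode_layers(php: str, max_layers: int = 10):
    """Unwrap nested wrappers without executing anything.

    Returns (text, layers_removed). Only the wrapper call is replaced, so the
    surrounding code is kept for review.
    """
    layers = 0
    while layers < max_layers:
        m = WRAPPER.search(php)
        if not m:
            break
        b64 = "".join(re.findall(r"[A-Za-z0-9+/=]+", m.group(1)))
        inner = inflate_raw(base64.b64decode(b64, validate=True))
        php = php[:m.start()] + inner + php[m.end():]
        layers += 1
    return php, layers


def indicators_in(text: str):
    """Which of the cloaking-related strings appear in decoded text."""
    return [s for s in INDICATORS if s in text]


def scan_tree(root: str):
    """Map each .php file under root that contains the wrapper to the
    indicators found once it is decoded."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="latin-1") as fh:
                src = fh.read()
            if WRAPPER.search(src):
                try:
                    decoded, _ = decode_layers(src)
                except (ValueError, zlib.error):
                    decoded = ""  # wrapper present, payload unreadable
                hits[path] = indicators_in(decoded)
    return hits


def pack_sample(text: str, width: int = 40) -> str:
    """Build constructed test input in the same shape as the page's snippet."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    b64 = base64.b64encode(c.compress(text.encode("latin-1")) + c.flush()).decode()
    parts = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "eval (gzinflate(base64_decode(\n'" + "'\n.'".join(parts) + "'\n)));"


# Constructed, inert stand-in for a decoded payload (two wrapper layers).
SAMPLE_INNER = ("/* constructed stand-in, inert */ $ua = $_SERVER['HTTP_USER_AGENT']; "
                "$ip = $_SERVER['REMOTE_ADDR']; $page = 'theme.html';")
SAMPLE = "<?php\n" + pack_sample(pack_sample(SAMPLE_INNER)) + "\n"

if __name__ == "__main__":
    text, n = decode_layers(SAMPLE)
    print(f"{n} layer(s) removed; indicators: {indicators_in(text)}")
```

Running `scan_tree` over the whole WordPress directory, not just the files named in the write-up, also surfaces any copies of the wrapper left elsewhere in the tree.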
Scott supervises Duo’s network facilities, monitoring hardware and software, analyzing problems and ensuring that the network is fully operational. He works closely with clients to identify, interpret and evaluate their system requirements. He also provides the front-line defense of the Duo network by planning, coordinating and implementing network security measures. An avid Mac user, Scott is nonetheless happy to keep Duo’s servers running on Windows Server 2003 and Ubuntu Linux.
Scott has been working in network administration with Internet companies for over ten years. He has experience designing and maintaining networks and server farms for high-traffic sites in both the hosting and e-commerce arenas. As the senior system administrator for MusicToday, an online ticketing, merchandise and fan club portal, he was responsible for the stability and security of large-volume e-commerce sites, including websites for the Rolling Stones, the Grateful Dead and the Dave Matthews Band. www.duoconsulting.com / 312-529-3006
The National Law Review’s featured Business of Law Guest Blogger Meredith L. Williams of Baker Donelson Bearman Caldwell & Berkowitz, PC outlines some very real concerns for lawyers and law firms related to social media and state bar association guidelines. Ms. Williams also offers some very concrete Do’s and Don’ts on how to address these concerns. Read on….
Today, social media encompasses a broad sweep of online activity, all of which is trackable and traceable. These networks include not only the blogs you write and those to which you comment, but also social networks. Each day brings new online tools and new advances introduce new opportunities to build your virtual footprint.
For a law firm, social media can help drive business initiatives and support professional development efforts. In basic business terms social media can be considered the least expensive form of large scale advertising. However, social media is not exclusively used for business by law firm employees. When it comes to expressing opinions about anything having to do with the law, firm employees are in a position that requires certain limitations. Statements in public forums may inadvertently create an attorney-client relationship, and they may also violate the rules prohibiting law firm advertising. The wrong communication can be construed as exposing firm or client secrets; invasion of privacy and defamation; trademark violations; and may even lead to wrongful termination claims. Therefore, a law firm must attempt to provide reasonable guidelines for online behavior by members of the firm.
The following are five (5) ethical areas that all law firms should address when drafting internal social media policies. These can also be utilized by law departments when dealing with lawyer and non-lawyer employees. All of these rules are simply an extension of model rules of professional conduct & state rules of ethics. The overarching principles should remain the same as new social media sites and technologies emerge.
Advertising (Model Rule of Professional Conduct 7.2)
Marketing and advertising are key functions for any business survival. However, lawyers, especially in law firms, are held to a higher standard when advertising through electronic means. Model Rule of Professional Conduct 7.2[1] states a lawyer or law firm may advertise through written, recorded or electronic means. This includes all social media sites.
Quick Reference
Do
Have any personal or professional social media site as desired.
Use appropriate disclaimers as needed.
Do NOT
Use the organization’s name or email address on a personal site unless using the appropriate disclaimers.
Use the organization’s assets to update personal sites.
Example: A law firm creates a site on Facebook, MySpace, LinkedIn, Twitter, etc. using the firm name. Is this advertising?
Example: An employee of a law firm uses the firm name or firm email address on their personal Facebook site. Is this advertising?
State ethics boards consider the true crux of the advertising issue to be not who creates the site or the intent of the site but rather whether or not the site can be considered to be used for professional use. If being used for professional use, social media presence and communication can be considered to fall within the advertising rules.
Below are a few guidelines to include in firm policies to teach your employees (lawyers and non-lawyers) how not to create a professional site unless intended.
Employees should not associate the firm name or firm email address with the site unless it is intended for professional use. This includes stating they are an employee of the law firm.
Do not use firm assets to update personal sites. This includes any law firm owned laptop or computer, iPhone or BlackBerry, firm IP address and email address. Using the firm email address implies the employee is acting on the firm’s behalf.
Create an advertising disclaimer to help employees specifically state their use is personal or professional.
This subject is difficult to approach with employees. Many will argue it is the same as verbally telling someone they work at a specific law firm. However, state boards have compared the online activity to a law firm website vs. verbal communication. The best approach is helping employees understand how not to blur the lines of professional/ personal sites for their own protection. As an employer, you want employees to continue using social media sites to broaden and help promote the firm brand. However, you only want them to do it in the most ethical way.
Attorney-Client Relationship (Model Rule of Professional Conduct 1 Series)
The attorney-client relationship is one of the oldest legal ethical standards. It creates a certain set of duties the lawyer owes the client. The model rules of professional conduct set forth a series of guidelines that help regulate the creation and existence of this important relationship. In the electronic world, especially when utilizing social media, the important issue is whether any electronic communication creates an attorney-client relationship inadvertently.
Quick Reference
Do
Post non-legal comments, blogs, etc. on any personal or professional site.
Use appropriate disclaimers as needed.
Do NOT
Post legal advice.
“Friend” anyone on a professional site unless previously corresponded or known.
“Friend” a Judge on a professional site.
Example: A lawyer of firm ABC is blogging on a social media site regarding new tax laws. A non-client comments to the blog inquiring about his specific tax situation. The lawyer in turn comments again discussing how the new tax laws apply to the non-client. Has an attorney-client relationship been created?
Law firms presently use disclaimers for emails and firm websites to verify no implied relationship is created. But how do we instruct employees to this standard when social media sites are interactive by nature? Below are a few key policy guidelines to help employees navigate this difficult area.
Employees should never post legal advice. This does not mean employees cannot comment or post to social media sites. It only relates to publishing or posting that could be construed as legal advice or opinion. If the subject matter is related to a legal or ethical situation, attorneys and staff may only discuss the legal standards but not apply those standards to any particular fact situation.
Firms should provide a disclaimer for employees to utilize when posting or commenting on professional social networking sites.
When using social networks with firm e-mail and professional identification, employees should not “friend” anyone they do not know and/or with whom they have not previously corresponded.
Some states have even gone so far as to also state that lawyers and judges cannot be “friends” on any professional social media sites. State ethics rules should be consulted prior to drafting any policy.
Client Confidentiality (Model Rule of Professional Conduct 1.6)
Client confidentiality and business privacy are two of the largest concerns of employers when dealing with social media communication. Generally, a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent. In addition, privacy of the organization, the business processes, the firm brand and the IP of the firm are key for business continuity.
Quick Reference
Do
Discuss job generically
Avoid uncontrolled forums.
Be respectful of others’ and the company’s privacy.
Get approval when responding to negative requests.
Do NOT
Discuss job specifics.
Use the client’s name.
Disclose specifics related to the business.
Disclose confidential information.
Upload law firm contacts onto a social media site.
Example: A lawyer begins discussing a case he is handling on his personal Facebook blog. Although not referencing the client name, details of the case are discussed. Has the client confidentiality been broken?
Example: A law firm employee tweets about a firm staff meeting discussing salary and new hires. Has the privacy of business been destroyed?
Law firms must address confidentiality and privacy standards in social media policies. In addition, consequences for breaking these standards should also be detailed. Below are a few policy considerations to navigate this area.
Employees should never use a client’s name unless written permission has been received.
Employees should never disclose confidential or private business information. Sharing this type of information, even unintentionally, can result in legal action against the employee, the firm, and/or the client.
Outside the workplace, rights to privacy and free speech protect online activity conducted on personal social networks used with personal email addresses. However, what is published on personal online sites should never be attributed to the firm and should not appear to be endorsed by or originated from the firm.
Employees should avoid forums where there is little control over what is known to be confidential information. In the world of social networking, there is often a breach of confidentiality when someone emails an attorney or posts a comment congratulating him/her on representation of a specific client or on a specific case.
Respect the privacy of other employees and of the opinions of others. Before sharing a comment, post, picture, or video about a client or other employee through any type of social media or network, his/her consent is not only a courtesy, it is a requirement.
Get Marketing/ PR departments involved when responding to certain inaccurate, accusatory or negative comments about the firm or any firm clients.
Expertise (Model Rule of Professional Conduct 7.4)
Quick Reference
Do
Allow recommendations.
Review and monitor all recommendations carefully.
Edit or hide recommendations as needed to remove any verbiage that states you are “better”, “the best”, “expert”, “specialized” or “certified”.
Do NOT
Be false or misleading in online credentials.
Use the words “better” or “the best” in credentials or when recommending others.
Use the verbiage “expert”, “specialist” or “certified” to describe experience unless certified by an organization that is accredited by the ABA or the state bar.
Many lawyers are considered experts or specialists by their peers in select areas of law. However, using the expert designation can only be done with appropriate approval. Model Rule of Professional Conduct 7.4 generally states that a lawyer may communicate the fact that the lawyer does or does not practice in particular fields of law. In addition, a lawyer may promote the engagement in specific areas of practice. However, a lawyer shall NOT state or imply that a lawyer is an expert or a certified specialist unless the lawyer has been certified by an organization that is accredited by the ABA or the state bar.
This model rule affects the use of credentials and recommendations on social media sites. What are the key areas to include in law firm policies?
Employees should never be false and misleading in online credentials. All employees should maintain complete accuracy in all online bios and ensure no embellishment.
Recommendations should be used carefully. Employees should review all recommendations created for them for any embellishment (i.e. use of the words “better” or “best”), expertise, certification or specialization listing. Edit or hide recommendations as needed.
Employees should not include the words “expert”, “certified”, or “specialized” in their credentials unless authorized to do so.
Expertise and specialization are heavily regulated at the state level. Some states have gone further in their restricted verbiage. State rules of ethics should be reviewed prior to any policy drafting.
General Communications (Model Rule of Professional Conduct 7 Series)
The final social media ethics concern revolves around general law firm and lawyer communication. In personal and especially professional communication, all communications must be truthful and accurate.
Quick Reference
Do
Credit appropriately
Fact check
Spell & grammar check
Correct errors promptly
Be transparent
Follow firm policies
Obey the law
Do NOT
Personally attack or become involved in online fights or hostile communication.
Solicit or use commercial speech. The content must be informative only. Nothing should propose a commercial transaction.
Law firms and law departments should consider the following general policy guidelines when drafting social media policies.
Identify all copyrighted or borrowed material with citations and links. When publishing any material online that includes another’s direct or paraphrased quotes, thoughts, ideas, photos, or videos, always give credit to the original material or author, where applicable.
Ensure material is accurate, truthful, and without factual error prior to posting.
Spell and grammar check everything.
Correct any mistakes promptly.
When participating in social media sites in a professional manner, disclose identity and any firm affiliation. Never use a false name, alias, or be anonymous. Many courts have looked poorly on law firms and lawyers using alias names while on social media sites.
Follow all firm policies and procedures regarding online communications. Be respectful and do not make statements that are defamatory; racially, sexually, or otherwise insensitive or offensive; or otherwise improper or likely to conflict with the interests of the firm, its employees, clients, affiliates and others, including competitors.
Follow the site’s terms and conditions of use.
Do not post any information or conduct any online activity that may violate applicable local, state or federal laws or regulations.
Avoid personal attacks, online fights, and hostile communications.
Employees should never solicit or use commercial speech. Employees should not use a site as a way to directly solicit business for the firm. While a blog itself is not subject to the limitation on commercial speech, the content of a blog can be. The content must be informative only, and nothing in the content should propose a commercial transaction or be for the purpose of directly gaining a commercial transaction.
Conclusion
As discussed in this article, there are many ethical considerations when law firms and their employees decide to use social media sites. Similar to email emerging as the main form of business communication ten (10) years ago, social media is now the communication wave of the future. This new format is how the next generation of leaders presently lives and communicates day to day. The legal community must embrace the new technology and the opportunity to educate employees.
[1] Model Rules of Professional Conduct are professional standards that serve as models of the regulatory law governing the legal profession. However, each state board of professional responsibility has additional or supplemental state rules of ethics. State rules should be considered prior to policy drafting.
Meredith L. Williams is Baker Donelson’s Director of Knowledge Management. Although trained as a lawyer, she is not actively engaged in the practice of law. Instead, she oversees BakerNet, the Firm’s industry-leading intranet, and coordinates strategic growth on behalf of the Firm in knowledge management, competitive intelligence and technology. Ms. Williams is widely recognized as a leading authority in knowledge management issues for the legal field, and is a frequent presenter and author on knowledge management and competitive intelligence.
Ms. Williams is a member of the Association of Women Attorneys and the American, Tennessee and Memphis Bar Associations. In addition, Ms. Williams is Conference Vice President for the International Legal Technology Association 2010-2011. She is a recipient of the Dean’s Distinguished Service Award from the University of Memphis Cecil C. Humphreys School of Law for her volunteer work. 901-577-2353 / www.BakerDonelson.com
I recently heard Sherron Watkins speak as part of a panel at Inside Counsel’s recent Super Conference in Chicago. Ms. Watkins is a former Enron Vice President who is widely credited with exposing the accounting and other irregularities that led to Enron’s demise and ushered in a new era of compliance awareness. Ms. Watkins provided some chilling insights and timely reminders about how a company can go to great lengths to appear to be highly compliant and ethical but in reality can be a very different creature.
At the time of the Enron meltdown, Enron was the seventh biggest company in America and the world’s biggest energy trader. Enron also had a Code of Corporate Compliance which would be technically compliant today with many of the Code of Conduct requirements mandated under Sarbanes-Oxley (SOX), enacted because of the Enron meltdown. Enron’s Board of Directors famously waived various provisions of their well-crafted Code of Conduct twice. These waivers of the Code of Conduct allowed the company’s CFO to run competing companies and companies which traded directly with Enron, and permitted many other questionable business practices.
Back in 2001, Watkins began investigating Enron’s relationship with LJM (a special purpose entity designed to take high-risk poor-performing assets off Enron’s balance sheet). Watkins became increasingly alarmed as it became apparent that the LJM relationship didn’t stand up to accounting scrutiny. Watkins sent Kenneth Lay, then Chairman of Enron’s Board of Directors, a detailed memo in August 2001 explaining her concerns. Watkins outlined how the structuring of the LJM deals didn’t seem to have a true third-party relationship and warned Lay that the aggressive accounting would come back and haunt the company. After drafting the memo, Watkins met with Lay to convey her fears face to face.
Enron went down quickly. By December of 2001 Enron filed for bankruptcy, which at the time was the biggest bankruptcy case in US history. Thousands of workers lost their jobs and thousands of investors lost billions of dollars. Soon after Enron’s bankruptcy, Watkins’s role publicly came to light. In January 2002, a Congressional committee published her memo to Ken Lay, and Watkins and many others testified before Congress about Enron’s corporate culture, internal controls and accounting practices.
In response to Enron, WorldCom and other financial scandals, Congress enacted SOX. Section 404 of SOX requires that company management document, test and adequately support the effectiveness of its internal controls. It also states that such documentation, testing and support be audited and reported on by external auditors. Certifying officers, the CEO and CFO, face penalties of $1 million for false certification and/or up to 10 years imprisonment for “knowing” violations, and $5 million and/or up to 20 years imprisonment for “willing” violations. In theory, a new era of “transparency” was born.
Increased Regulatory Enforcement of Financial Crime:
While it is difficult to tell if the increased spending on compliance is having any measurable effect on actual compliance, the government has certainly made corporate and financial crimes the new target of the “war on crime.” One area of heightened government enforcement is the FCPA (Foreign Corrupt Practices Act), which prohibits bribery of foreign government officials. Some statistics illustrate:
In 2000 federal prosecutors brought no FCPA criminal cases.
In 2004 there were 3.
In 2009 there were 34 criminal FCPA actions with many more in the pipeline; the Justice Department currently has approximately 150 open investigations.
In 2009, the federal government significantly beefed up the False Claims Act (FCA) under FERA (Federal Employment and Recovery Act). The FCA applies to the Troubled Asset Relief Program (TARP) to prosecute persons who make false statements to obtain TARP funds. TARP also created a Specialized Inspector General (SIGTARP) who will collaborate with the FBI and federal prosecutors. Many states also have their own false claims acts, which should also come into play as TARP money flows to states.
State Attorneys General and Federal officials are starting to work together as never before, too.
Operation Short Change: A joint effort of the FTC and 18 state attorneys general targeting business scams taking advantage of the economic downturn.
Operation Loan Lies: A joint effort of the FTC and 18 state attorneys general targeting mortgage modification scams.
Operation Stolen Hope: A joint effort of 26 federal and state agencies to crack down on mortgage foreclosure rescue and loan modification scams.
Take Away: While Enron had a stellar Code of Conduct on paper, it was waived by the Board, and the potential profits seemed to seriously outweigh any civil and criminal penalties in force at the time. Almost ten years later, companies are spending vast resources on compliance, even in the wake of the current recession. Wall Street’s recent problems, which prompted TARP, seem to have motivated both federal and state governments to step in with heightened enforcement of financial crimes. Whether heightened government enforcement coupled with increased corporate awareness is enough to deter the temptation of potential profits remains to be seen.