Yes, It’s Data Privacy Day

Here’s some news – it’s Privacy Day! The National Law Review was alerted to this news by Emily Holbrook of the Risk Management Monitor – read on:

It may surprise you, as it did me, to learn that today is Data Privacy Day, an “international celebration of the dignity of the individual expressed through personal information.” But Data Privacy Day also highlights the need for individuals to protect their data and how they can go about doing so.

There are many organizations out there that aim to help individuals protect their personal information and help businesses comply with data protection laws and regulations. The Online Trust Alliance is one such organization, whose mission is to create an online trust community, promoting business practices and technologies to enhance consumer trust globally. They recently released their “2011 Data Breach Incident Readiness Guide” to help businesses in breach prevention and incident management.

According to their newest guide, the true test for organizations and businesses should be the ability to answer key questions such as:

  1. Do you know what sensitive information is maintained by your company, where it is stored and how it is kept secure?
  2. Do you have an incident response team in place ready to respond 24/7?
  3. Are management teams aware of security, privacy and regulatory requirements related specifically to your business?
  4. Have you completed a privacy and security audit of all data collection activities, including cloud services, mobile devices and outsourced services?
  5. Are you prepared to communicate to customers, partners and stockholders in the event of a breach or data loss incident?

With the White House, members of Congress, Commerce Department and the FTC calling for greater privacy controls and breach notifications, self-regulation by businesses is becoming more and more important.

Google, one of the supporters of Data Privacy Day and the initiatives of The Privacy Projects is hosting a public discussion on privacy later this afternoon with representatives from the Electronic Frontier Foundation, the FTC and the National Institute of Standards and Technology scheduled to attend. If you can’t stop by Google’s DC office for this event, don’t worry — it will be captured on video and posted to YouTube soon after.

Risk Management Magazine and Risk Management Monitor. Copyright 2011 Risk and Insurance Management Society, Inc. All rights reserved.

Search and You’ll Be Found – Two Recent Lawsuits Allege that ISPs Violated Privacy by Sharing Referrer Data.

From the National Law Review’s Featured Guest Bloggers this week, Damon E. Dunn and Seth A. Stern of Funkhouser Vegosen Liebman & Dunn Ltd, some interesting insight on recent lawsuits pending against Google and Facebook:

Two recent lawsuits allege that internet service providers violated users’ privacy by sharing “referrer data” containing potentially identifying information.

A former technologist with the Federal Trade Commission filed a privacy complaint (link via WSJ) against Google with his ex-employer. The complaint alleges that Google does not allow users to easily prevent transmission of information that allows website operators to determine the search terms used to access their sites. It claims that this constitutes a deceptive business practice by Google because “if consumers knew that their search queries are being widely shared with third parties, they would be less likely to use Google.”

According to the complaint, Google search URLs contain the user’s search terms, and when users click on a search result the webmaster of that site can see the terms used to access it. The complaint alleges that this conflicts with Google’s Privacy Policy and cites Google’s court admissions that search queries may reveal “personally identifying information” and that consumers trust Google to keep their information private.

Google has allegedly tested products that deleted search terms from the referrer data visible to webmasters but discontinued them after receiving complaints and posted reassurances that search terms would remain visible. Apparently Google now offers an SSL-encrypted search engine at https://www.google.com which protects search terms from being intercepted, but the complaint notes that this is not the default setting and it is not linked from the regular Google site. It also notes that Google provides search term protection to Gmail users searching their inboxes.

The merits of the complaint may hinge on whether search terms should be considered “personal information.” The complaint notes that the New York Times was able to identify supposedly anonymous AOL searchers in 2006 when AOL leaked a dataset of search queries.

The second suit alleges that, from February through May, Facebook transmitted referrer information to advertisers about users who clicked on their ads.  It alleges violations of the federal Electronic Communications Privacy Act and Stored Communications Act as well as California computer privacy and unfair competition laws and common law claims of breach of contract and unjust enrichment.

The suit claims that “Facebook has caused users’ browsers to send Referrer Header transmissions that report the user ID or username of the user who clicked an ad, as well as the page the user was viewing just prior to clicking the ad . . . For example, if one Facebook user viewed another user’s profile, the resulting Referrer Headers would report both the username or user ID of the person whose profile was viewed, and the username or user ID of the person viewing that profile.”

As in the Google complaint discussed above, the plaintiffs allege that Facebook’s actions violate its privacy policy (which allegedly states “we never share your personal information with our advertisers”) and other representations to users as well as state and federal privacy laws. The amended complaint may be stronger than the suit against Google because referring Facebook pages, unlike Google searches, are often highly personalized and contain the Facebook user’s name. Facebook allegedly stopped embedding referrer data in May after media accounts exposed the practice.

Although some tech executives have been quick to sound the death knell for online privacy, consumers – even those who are products of the Internet generation – continue to disagree.   A recent poll shows that 85 percent of teens believe social media sites should obtain their permission before using their information for marketing purposes.

Excerpted from FVLD’s blog, http://www.postorperish.com, which regularly discusses these and other issues facing online publishers.

© Copyright 1999-2010, Funkhouser Vegosen Liebman & Dunn Ltd. All rights reserved.


The Ten Commandments of Drafting a Social Networking Policy

The National Law Review’s featured Guest Bloggers this week are from Steptoe & Johnson PLLC. Vanessa L. Goddard provides some concrete do’s and don’ts for drafting a company Social Media policy.  Read on:

You’ve probably heard this “fact”: if Facebook was a country, it would be the fourth largest country in the world! Web 2.0 has infiltrated every aspect of our lives, including the workplace. As a result, most lawsuits in which employers become mired are fraught with electronic data issues. To guard against a wide range of legal claims, as well as reap the benefits of a global marketplace, many employers are instituting social networking policies. But, as with any policy, a social networking policy must be carefully drafted to meet your business needs. With that, I introduce to you the 10 Commandments of drafting a social networking policy:

NUMBER ONE: Thou shalt NOT use a sample policy pulled willy-nilly from the Internet.

While your search results will pull up dozens of fine-looking policies, you won’t know who wrote them, the legal jurisdiction from which they hail, or the business interests the policy seeks to promote. Many times, a bad policy is worse than no policy at all.

NUMBER TWO: Thou SHALT work in harmony to craft a policy appropriate for your business.

If you decide that a social networking policy is appropriate for your business (and it may not be), the combined cooperation of your IT department, human resources, legal, and company decision-makers is necessary to formulate an effective policy.

NUMBER THREE: Thou SHALT know the risks and guard against them.

Employee use of social networking media can have wide-ranging legal ramifications for employers. Possible claims include: harassment, discrimination, defamation, invasion of privacy, and a variety of statutory violations.

NUMBER FOUR: Thou SHALT proclaim that the eye of the employer sees all.

Notify employees that they have no expectation of privacy in their use of company technology, that their activities should be work related only, and that their communications may be accessed at any time.

NUMBER FIVE: Thou shalt NOT take the name of the employer in vain.

The policy should require disclaimers be used indicating that the opinions stated therein are those of the employee and not the employer.

NUMBER SIX: Thou SHALT respect thy co-workers, customers, competitors, and employer.

Require employees to act respectfully in their social networking/blogging activities. Provide guidance on what is and what is not appropriate behavior.

NUMBER SEVEN: Thou shalt NOT steal or do other really bad things with your employer’s computer.

The policy should prohibit disclosure of confidential information, the use of legally-protected/copyrighted information, and the dissemination of personal information of co-workers.

NUMBER EIGHT: Thou SHALT know the consequences of thy actions.

Inform your employees that their social networking activities on the job are subject to all company policies and explain the consequences of violating your social networking policy.

NUMBER NINE: Thou SHALT spread the word throughout the masses.

Distribute the policy. Have your employees sign off on their receipt and understanding of the policy. Provide training on the policy.

NUMBER TEN: Thou shalt NOT commit random acts of destruction.

You MUST ensure that your litigation hold policy incorporates procedures and methodologies to capture and preserve social networking data in the event of litigation.

© 2010 Steptoe & Johnson PLLC All Rights Reserved

About the Author:

Vanessa Goddard’s primary focus is in the area of labor and employment law. She has been involved in representing clients in various employment cases, including sexual harassment, deliberate intent, age, race, and disability discrimination, wrongful discharge, and various other employment-related torts. She is admitted to various state and federal courts as well as the Third Circuit Court of Appeals and Fourth Circuit Court of Appeals. 304-598-8158 / www.steptoe-johnson.com

WordPress Search Spam

A helpful article for all WordPress users out there from the National Law Review’s Business of Law weekly guest bloggers, Duo Consulting. Scott Frazer of Duo goes over a spam issue that impacted Duo’s blog and provides a detailed solution on how they fixed the problem!

Our blog was recently affected by a rather clever little hack, and when I went searching for ways to remove it, I couldn’t find much. Here’s a brief writeup of what happened and how I fixed it.

Our Director of Internet Marketing Strategy, Sonny Cohen, spends some of his time searching Google and other search engines for keywords relative to our business. He began noticing that some of those results, while they would return pointers to our blog, were laced with keywords and links to various male enhancement drugs. When I searched our blog for these references, I couldn’t find anything.

Here’s what I was seeing when I would search our blog for the phrase “test”:

But here’s what Google was seeing when it did the same search:

You may notice that the URL in that screenshot points to a local file. There are two ways you can see what your site looks like to Google. One is to change the User Agent on your browser to match that of the Googlebot. The other is to use the Webmaster Tools’ “Fetch As Googlebot” lab utility. I used the latter, saved the resulting report as an HTML file and then opened that file in Chrome.

So why is Google seeing different results than anyone else who visits my site and runs that query? Something different must be happening when Google visits. I started running through the execution path of WordPress. The first file that is accessed is index.php. All this file does is turn on a theming variable and load wp-blog-header.php. So I moved on to that file. It looked like this:

if ( !isset($wp_did_header) ) {
    $wp_did_header = true;
    require_once( dirname(__FILE__) . '/temp.php' ); // not part of stock WordPress
    require_once( dirname(__FILE__) . '/wp-load.php' );
    wp();
    require_once( ABSPATH . WPINC . '/template-loader.php' );
}

temp.php? Never heard of it, let’s see what’s inside:

eval (gzinflate(base64_decode(
'vVhtc9pGEP6emfwHRfUUmGLg9IbkhNrUJrZnEsfFOGmKXc1ZOoMmQqInYYea/Pfu'
.'nnjRG6aZzNRj0Em7++yzu3erOw5/fXM4HU9fvnj5Ym8cRnFnz77q9T/2+sPK2WBw'
…snip for length…
.'6reTZEAXdDrl4QNzE/3F3Wy+iKjPxFe0gH7G+ML1IiecBfHiY+LyWLhsVmDlrQ7g'
.'cvonDPkW65UOKh6zCWuM44kvFr6Ialmvw1/fHP4L'
)));

Now that looks evil. Obfuscated code can’t be good. I decided to see what it does by replacing the “eval” with “print” and then I ran “php test.php” from that directory. The results are very long, but you can see them here.

Basically, the program tries to determine if we are a real person or a search engine bot by looking at things like our IP address and our user agent. If it determines we are human, it goes ahead and returns the standard header. If we’re a bot, it serves the content in “theme.html” which is identical to the second screenshot above.

So to clean things up, I removed the reference to temp.php from wp-blog-header.php, deleted the file temp.php and deleted the file theme.html.
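A defender reading the write-up above will want to check the rest of an install for the same footholds. This added Python scanner is not Duo’s code; it flags the three things the post describes: an eval()-wrapped obfuscated payload, a require in wp-blog-header.php that stock WordPress does not make (assumption: an unmodified WordPress layout), and a user-agent test that serves crawlers different content. The sample install it scans is constructed here, with a placeholder standing in for the real base64 blob.

```python
import os
import re
from pathlib import Path

# Obfuscation wrappers of the kind found in the injected temp.php:
# eval(gzinflate(base64_decode('...'))) and close relatives.
OBFUSCATION_RE = re.compile(
    r"eval\s*\(\s*(?:gzinflate|gzuncompress|str_rot13|base64_decode)\s*\(", re.I)
# require/include statements and the file they pull in.
INCLUDE_RE = re.compile(
    r"\b(?:require|include)(?:_once)?\s*\(?\s*[^;]*?['\"]([\w./-]+)['\"]", re.I)
# What a stock wp-blog-header.php loads (assumption: unmodified WordPress layout).
EXPECTED_HEADER_INCLUDES = {"wp-load.php", "template-loader.php"}
# A crawler name tested close to HTTP_USER_AGENT is the signature of serving
# search engines different content than people get (cloaking).
CLOAK_RE = re.compile(
    r"HTTP_USER_AGENT.{0,200}?(?:googlebot|bingbot|slurp|msnbot)", re.I | re.S)


def scan_php_file(path: Path) -> list:
    """Return (path, reason) findings for one PHP file."""
    findings = []
    try:
        text = path.read_text(errors="replace")
    except OSError:
        return findings
    if OBFUSCATION_RE.search(text):
        findings.append((str(path), "obfuscated eval() wrapper"))
    if CLOAK_RE.search(text):
        findings.append((str(path), "user-agent based crawler cloaking check"))
    if path.name == "wp-blog-header.php":
        # Only the two stock includes belong here; anything else is suspect.
        for match in INCLUDE_RE.finditer(text):
            included = Path(match.group(1)).name
            if included not in EXPECTED_HEADER_INCLUDES:
                findings.append((str(path), f"unexpected include of {included}"))
    return findings


def scan_wordpress_root(root) -> list:
    """Walk a WordPress install and collect findings from every .php file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                findings.extend(scan_php_file(Path(dirpath) / name))
    return sorted(findings)


def build_sample_site(root) -> None:
    """Write a constructed, minimal install mirroring the infection in the
    post. The base64 payload is a placeholder, not the real blob."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    (root / "index.php").write_text(
        "<?php\ndefine('WP_USE_THEMES', true);\nrequire('./wp-blog-header.php');\n")
    (root / "wp-blog-header.php").write_text(
        "<?php\nif ( !isset($wp_did_header) ) {\n"
        "    $wp_did_header = true;\n"
        "    require_once( dirname(__FILE__) . '/temp.php' );\n"
        "    require_once( dirname(__FILE__) . '/wp-load.php' );\n"
        "    wp();\n"
        "    require_once( ABSPATH . WPINC . '/template-loader.php' );\n"
        "}\n")
    (root / "temp.php").write_text(
        "<?php\neval(gzinflate(base64_decode('PLACEHOLDER_BASE64_BLOB')));\n")
    # What the decoded payload boils down to, per the post: crawlers get theme.html.
    (root / "cloak.php").write_text(
        "<?php\n$ua = $_SERVER['HTTP_USER_AGENT'];\n"
        "if (stripos($ua, 'googlebot') !== false) { readfile('theme.html'); exit; }\n")


def demo() -> list:
    """Build the constructed sample in a temp dir, scan it, return
    (file name, reason) pairs."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        return [(Path(p).name, reason) for p, reason in scan_wordpress_root(tmp)]


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{reason}: {name}")
```

Hits are heuristics: some legitimate plugins call base64_decode, so confirm each one by reading the file. Since the post does not identify how temp.php got there, compare file timestamps and review the rest of the install rather than stopping at these three files.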

© 1999-2010 Duo Consulting

About the Author – Scott Frazer:

Scott supervises Duo’s network facilities, monitoring hardware and software, analyzing problems and ensuring that the network is fully operational. He works closely with clients to identify, interpret and evaluate their system requirements. He also provides the front-line defense of the Duo network by planning, coordinating and implementing network security measures. An avid Mac user, Scott is nonetheless happy to keep Duo’s servers running on Windows Server 2003 and Ubuntu Linux.

Scott has been working in network administration with Internet companies for over ten years. He has experience designing and maintaining networks and server farms for high-traffic sites in both the hosting and e-commerce arenas. As the senior system administrator for MusicToday, an online ticketing, merchandise and fan club portal, he was responsible for the stability and security of large-volume e-commerce sites, including websites for the Rolling Stones, the Grateful Dead and the Dave Matthews Band. www.duoconsulting.com / 312-529-3006

Social Media Policy Drafting: What are the Ethical Risks & Pitfalls?

The National Law Review’s featured Business of Law Guest Blogger Meredith L. Williams of Baker Donelson Bearman Caldwell & Berkowitz, PC outlines some very real concerns for lawyers and law firms related to social media and state bar association guidelines. Ms. Williams also offers some very concrete Do’s and Don’ts on how to address these concerns. Read on….

Today, social media encompasses a broad sweep of online activity, all of which is trackable and traceable. These networks include not only the blogs you write and those on which you comment, but also social networks. Each day brings new online tools, and new advances introduce new opportunities to build your virtual footprint.

As a law firm, social media can help drive business initiatives and support professional development efforts. In basic business terms social media can be considered the least expensive form of large-scale advertising. However, social media is not exclusively used for business by law firm employees. When it comes to expressing opinions about anything having to do with the law, firm employees are in a position that requires certain limitations. Statements in public forums may inadvertently create an attorney-client relationship, and they may also violate the rules prohibiting law firm advertising. The wrong communication can be construed as exposing firm or client secrets; invasion of privacy and defamation; trademark violations; and may even lead to wrongful termination claims. Therefore, a law firm must attempt to provide reasonable guidelines for online behavior by members of the firm.

The following are five (5) ethical areas that all law firms should address when drafting internal social media policies. These can also be utilized by law departments when dealing with lawyer and non-lawyer employees. All of these rules are simply an extension of model rules of professional conduct & state rules of ethics. The overarching principles should remain the same as new social media sites and technologies emerge.

Advertising (Model Rule of Professional Conduct 7.2)

Marketing and advertising are key functions for any business survival. However, lawyers, especially in law firms, are held to a higher standard when advertising through electronic means. Model Rule of Professional Conduct 7.2[1] states a lawyer or law firm may advertise through written, recorded or electronic means.  This includes all social media sites.

  Quick Reference
  Do

  • Have any personal or professional social media site as desired.
  • Use appropriate disclaimers as needed.

Do NOT

  • Use the organization’s name or email address on a personal site unless using the appropriate disclaimers.
  • Use the organization’s assets to update personal sites.

Example: A law firm creates a site on Facebook, MySpace, LinkedIn, Twitter, etc. using the firm name.  Is this advertising?

Example: An employee of a law firm uses the firm name or firm email address on their personal Facebook site.  Is this advertising? 

State ethics boards consider the true crux of the advertising issue to be not who creates the site or the intent of the site but rather whether or not the site can be considered to be used for professional use.  If being used for professional use, social media presence and communication can be considered to fall within the advertising rules. 

Below are a few guidelines to include in firm policies to teach your employees (lawyers and non-lawyers) how not to create a professional site unless intended.

  • Employees should not associate the firm name or firm email address with the site unless it is intended for professional use.  This includes stating they are an employee of the law firm. 
  • Do not use firm assets to update personal sites. This includes any law firm owned laptop or computer, iPhone or BlackBerry, firm IP address and email address. Using the firm email address implies the employee is acting on the firm’s behalf.
  • Create an advertising disclaimer to help employees specifically state their use is personal or professional. 

This subject is difficult to approach with employees. Many will argue it is the same as verbally telling someone they work at a specific law firm. However, state boards have compared the online activity to a law firm website vs. verbal communication.  The best approach is helping employees understand how not to blur the lines of professional/ personal sites for their own protection.  As an employer, you want employees to continue using social media sites to broaden and help promote the firm brand.  However, you only want them to do it in the most ethical way.

Attorney-Client Relationship (Model Rule of Professional Conduct 1 Series)

The attorney-client relationship is one of the oldest legal ethical standards.  It creates a certain set of duties the lawyer owes the client. The model rules of professional conduct set forth a series of guidelines that help regulate the creation and existence of this important relationship. In the electronic world, especially when utilizing social media, the important issue is whether any electronic communication creates an attorney-client relationship inadvertently. 

  Quick Reference
  Do

  • Post non-legal comments, blogs, etc. on any personal or professional site.
  • Use appropriate disclaimers as needed.

Do NOT

  • Post legal advice.
  • “Friend” anyone on a professional site unless previously corresponded or known.
  • “Friend” a Judge on a professional site.

Example: A lawyer of firm ABC is blogging on a social media site regarding new tax laws. A non-client comments to the blog inquiring about his specific tax situation. The lawyer in turn comments again discussing how the new tax laws apply to the non-client. Has an attorney-client relationship been created?

Law firms presently use disclaimers for emails and firm websites to verify no implied relationship is created.  But how do we instruct employees to this standard when social media sites are interactive by nature? Below are a few key policy guidelines to help employees navigate this difficult area.

  • Employees should never post legal advice.  This does not mean employees cannot comment or post to social media sites. It only relates to publishing or posting that could be construed as legal advice or opinion.  If the subject matter is related to a legal or ethical situation, attorneys and staff may only discuss the legal standards but not apply those standards to any particular fact situation. 
  • Firms should provide a disclaimer for employees to utilize when posting or commenting on professional social networking sites. 
  • When using social networks with firm e-mail and professional identification, employees should not “friend” anyone they do not know and/or with whom they have not previously corresponded. 
  • Some states have even gone so far as to also state that lawyers and judges cannot be “friends” on any professional social media sites. State ethics rules should be consulted prior to drafting any policy.

Client Confidentiality (Model Rule of Professional Conduct 1.6)

Client confidentiality and business privacy are two of the largest concerns of employers when dealing with social media communication. Generally, a lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent.  In addition, privacy of the organization, the business processes, the firm brand and the IP of the firm are key for business continuity.

  Quick Reference
  Do

  • Discuss job generically
  • Avoid uncontrolled forums.
  • Be respectful of others’ and the company’s privacy.
  • Get approval when responding to negative requests.

Do NOT

  • Discuss job specifics.
  • Use the client’s name.
  • Disclose specifics related to the business.
  • Disclose confidential information.
  • Upload law firm contacts onto a social media site.


Example: A lawyer begins discussing a case he is handling on his personal Facebook blog.  Although not referencing the client name, details of the case are discussed. Has the client confidentiality been broken?

Example: A law firm employee tweets about a firm staff meeting discussing salary and new hires.  Has the privacy of business been destroyed?

Law firms must address confidentiality and privacy standards in social media policies.  In addition, consequences for breaking these standards should also be detailed. Below are a few policy considerations to navigate this area. 

  • Employees should never use a client’s name unless written permission has been received.
  • Employees should never disclose confidential or private business information.  Sharing this type of information, even unintentionally, can result in legal action against the employee, the firm, and/or the client.
  • Outside the workplace, rights to privacy and free speech protect online activity conducted on personal social networks used with personal email addresses.  However, what is published on personal online sites should never be attributed to the firm and should not appear to be endorsed by or originated from the firm.
  • Employees should avoid forums where there is little control over what is known to be confidential information.  In the world of social networking, there is often a breach of confidentiality when someone emails an attorney or posts a comment congratulating him/her on representation of a specific client or on a specific case. 
  • Respect the privacy of other employees and of the opinions of others. Before sharing a comment, post, picture, or video about a client or other employee through any type of social media or network, obtain his/her consent; this is not only a courtesy, it is a requirement.
  • Get Marketing/ PR departments involved when responding to certain inaccurate, accusatory or negative comments about the firm or any firm clients.

Expertise (Model Rule of Professional Conduct 7.4)

  Quick Reference
  Do

  • Allow recommendations.
  • Review and monitor all recommendations carefully.
  • Edit or hide recommendations as needed to remove any verbiage that states you are “better”, “the best”, “expert”, “specialized” or “certified”.

Do NOT

  • Be false or misleading in online credentials.
  • Use the words “better” or “the best” in credentials or when recommending others.
  • Use the verbiage “expert”, “specialist” or “certified” to describe experience unless certified by an organization that is accredited by the ABA or the state bar. 

Many lawyers are considered experts or specialists by their peers in select areas of law.  However, using the expert designation can only be done with appropriate approval. Model Rule of Professional Conduct 7.4 generally states that a lawyer may communicate the fact that the lawyer does or does not practice in particular fields of law.  In addition, a lawyer may promote the engagement in specific areas of practice.  However, a lawyer shall NOT state or imply that a lawyer is an expert or a certified specialist unless the lawyer has been certified by an organization that is accredited by the ABA or the state bar. 

This model rule affects the use of credentials and recommendations on social media sites.  What are the key areas to include in law firm policies?

  • Employees should never be false and misleading in online credentials.  All employees should maintain complete accuracy in all online bios and ensure no embellishment. 
  • Recommendations should be used carefully. Employees should review all recommendations created for them for any embellishment (i.e., use of the words better or best) or any expertise, certification or specialization listing. Edit or hide recommendations as needed.
  • Employees should not include the words “expert”, “certified”, or “specialized” in their credentials unless authorized to do so.

Expertise and specialization is heavily regulated at the state level.  Some states have gone further in their restricted verbiage. State rules of ethics should be reviewed prior to any policy drafting.

General Communications (Model Rule of Professional Conduct 7 Series)

The final social media ethics concern revolves around general law firm and lawyer communication. In personal and especially professional communication, all communications must be truthful and accurate. 

  Quick Reference
  Do

  • Credit appropriately
  • Fact check
  • Spell & grammar check
  • Correct errors promptly
  • Be transparent
  • Follow firm policies
  • Obey the law

Do NOT

  • Personally attack, or become involved in online fights or hostile communication.
  • Solicit or use commercial speech. The content must be informative only. Nothing should propose a commercial transaction.

Law firms and law departments should consider the following general policy guidelines when drafting social media policies. 

  • Identify all copyrighted or borrowed material with citations and links.  When publishing any material online that includes another’s direct or paraphrased quotes, thoughts, ideas, photos, or videos, always give credit to the original material or author, where applicable. 
  • Ensure material is accurate, truthful, and without factual error prior to posting. 
  • Spell and grammar check everything.
  • Correct any mistakes promptly.
  • When participating in social media sites in a professional manner, disclose identity and any firm affiliation. Never use a false name or alias, or be anonymous. Many courts have looked poorly on law firms and lawyers using alias names while on social media sites.
  • Follow all firm policies and procedures regarding online communications.  Be respectful and do not make statements that are defamatory; racially, sexually, or otherwise insensitive or offensive; or otherwise improper or likely to conflict with the interests of the firm, its employees, clients, affiliates and others, including competitors. 
  • Follow the site’s terms and conditions of use.
  • Do not post any information or conduct any online activity that may violate applicable local, state or federal laws or regulations.
  • Avoid personal attacks, online fights, and hostile communications. 
  • Employees should never solicit or use commercial speech.  Employees should not use a site as a way to directly solicit business for the firm.  While a blog itself is not subject to the limitation on commercial speech, the content of a blog can be.  The content must be informative only, and nothing in the content should propose a commercial transaction or be for the purpose of directly gaining a commercial transaction.

Conclusion

As discussed in this article, there are many ethical considerations when law firms and their employees decide to use social media sites. Similar to email emerging as the main form of business communication ten (10) years ago, social media is now the communication wave of the future. This new format is how the next generation of leaders presently lives and communicates day to day. The legal community must embrace the new technology and the opportunity to educate employees.


[1] Model Rules of Professional Conduct are professional standards that serve as models of the regulatory law governing the legal profession. However, each state board of professional responsibility has additional or supplemental state rules of ethics. State rules should be considered prior to policy drafting.

©2010 Baker, Donelson, Bearman, Caldwell & Berkowitz, PC. All Rights Reserved.

About the Author:

Meredith L. Williams is Baker Donelson’s Director of Knowledge Management.  Although trained as a lawyer, she is not actively engaged in the practice of law.  Instead, she oversees BakerNet, the Firm’s industry-leading intranet, and coordinates strategic growth on behalf of the Firm in knowledge management, competitive intelligence and technology.  Ms. Williams is widely recognized as a leading authority in knowledge management issues for the legal field, and is a frequent presenter and author on knowledge management and competitive intelligence. 

Ms. Williams is a member of the Association of Women Attorneys and the American, Tennessee and Memphis Bar Associations. In addition, Ms. Williams is Conference Vice President for the International Legal Technology Association 2010-2011. She is a recipient of the Dean’s Distinguished Service Award from the University Of Memphis Cecil C. Humphreys School Of Law for her volunteer work.   901-577-2353 / www.BakerDonelson.com

Almost Ten Years After the Enron Meltdown: More Costs, More Prosecution, More Compliance?

I recently heard Sherron Watkins speak as part of a panel at Inside Counsel’s recent Super Conference in Chicago. Ms. Watkins is a former Enron Vice President who is widely credited with exposing the accounting and other irregularities which led to Enron’s demise and ushered in a new era of compliance awareness. Ms. Watkins provided some chilling insights and timely reminders about how a company can go to great lengths to appear highly compliant and ethical but in reality be a very different creature.

At the time of the Enron meltdown, Enron was the seventh biggest company in America and the world’s biggest energy trader. Enron also had a Code of Corporate Compliance which would be technically compliant today with many of the Code of Conduct requirements mandated under Sarbanes-Oxley (SOX), the Act enacted because of the Enron meltdown. Enron’s Board of Directors famously waived various provisions of their well-crafted Code of Conduct twice. These waivers of the Code of Conduct allowed the company’s CFO to run competing companies and companies which traded directly with Enron, among many other questionable business practices.

Back in 2001, Watkins began investigating Enron’s relationship with LJM (a special purpose entity designed to take high-risk, poor-performing assets off Enron’s balance sheet). Watkins became increasingly alarmed as it became apparent that the LJM relationship didn’t stand up to accounting scrutiny. Watkins sent Kenneth Lay, then Chairman of Enron’s Board of Directors, a detailed memo in August 2001 explaining her concerns. Watkins outlined how the structuring of the LJM deals didn’t seem to involve a true third-party relationship and warned Lay that the aggressive accounting would come back to haunt the company. After drafting the memo, Watkins met with Lay to convey her fears face to face.

Enron Founder Kenneth Lay & Former Enron CEO Jeffrey Skilling

Enron went down quickly. By December of 2001 Enron had filed for bankruptcy, which at the time was the biggest bankruptcy case in US history. Thousands of workers lost their jobs and thousands of investors lost billions of dollars. Soon after Enron’s bankruptcy, Watkins’ role publicly came to light. In January 2002, a Congressional committee published her memo to Ken Lay, and Watkins and many others testified before Congress about Enron’s corporate culture, internal controls and accounting practices.

Kenneth Lay Mugshot

In response to Enron, WorldCom and other financial scandals, Congress enacted SOX. Section 404 of SOX requires that company management document, test and adequately support the effectiveness of its internal controls. It also states that such documentation, testing and support be audited and reported on by external auditors. Certifying officers, the CEO and CFO, face penalties of $1 million for false certification and/or up to 10 years imprisonment for “knowing” violations, and $5 million and/or up to 20 years imprisonment for “willing” violations. In theory, a new era of “transparency” was born.

Jeffrey Skilling Mugshot

But Enron famously had a “no harm, no foul” culture and, to the outside world, a state-of-the-art Code of Conduct. Whether it was simply looking the other way or actual ignorance, most Enron employees prior to 2001 were unaffected by the executive pillaging going on across all levels of the business, and the executives heartily benefited from it. Watkins believes the true bite from SOX comes from the Act’s enforcement penalties. Back in 2003, Watkins famously stated: “Monetary fines don’t do it. If you’ve made a hundred million dollars and you’re fined $25m, you’re still filthy rich. To go to jail scares these guys to death. Standing in a cafeteria line for food, communal showers? It will change them forever.”

Significantly Increased Corporate Compliance Spending:

It’s difficult to quantify directors’ and officers’ fear, but one measurable result of Enron, WorldCom and SOX has been significantly increased compliance costs. Such costs have been well documented, with some estimates placing them at well over $6 billion annually. Two accounting professors at the University of Illinois estimated that companies spent 120 million hours in 2004 alone complying with SOX. They also suggested that outside auditors spent another 12 million hours. That equates to 132 million hours, or, to put it another way, 66,000 people working for one year on nothing else.

Experts all agree the costs have been steep, but how steep? According to one study that has attracted a lot of attention, SOX contributed significantly to wiping US$1.4 trillion off the value of the stock market. This startling amount comes from a study by Ivy Xiying Zhang, Assistant Professor of Accounting at the University of Minnesota.

In spite of the current recession, roughly three out of four companies either kept compliance spending even in 2009 or actually increased it. For 2010, compliance spending is expected to be about the same as 2009 or even slightly higher. This data was revealed in a survey published in January conducted by the Society of Corporate Compliance and Ethics (SCCE) and the Health Care Compliance Association (HCCA). http://www.corporatecompliance.org

Roy Snell, Chief Executive Officer of SCCE, recently stated: “According to our survey results 33% of companies surveyed expect a budget increase in 2010, and 18% expect their staffing to increase.” “This shows that the business community has come to realize that the price of cutting back on compliance far exceeds any potential rewards.”

Increased Regulatory Enforcement of Financial Crime:

While it is difficult to tell if the increased spending on compliance is having any measurable effect on actual compliance, the government has certainly made corporate and financial crime the new target of the “war on crime.” One area of heightened government enforcement is the FCPA (Foreign Corrupt Practices Act), which prohibits bribery of foreign government officials. Some statistics illustrate:

  • In 2000 federal prosecutors brought no FCPA criminal cases.
  • In 2004 there were 3.
  • In 2009 there were 34 criminal FCPA actions, with many more in the pipeline; the Justice Department currently has approximately 150 open investigations.
  • On January 19, 2010, 22 individuals were arrested under portions of the FCPA. This is the largest single investigation and prosecution against individuals in the 32-plus year history of the FCPA.

In 2009, the federal government significantly beefed up the False Claims Act (FCA) under FERA (Federal Employment and Recovery Act). The FCA applies to the Troubled Asset Relief Program (TARP) to prosecute persons who make false statements to obtain TARP funds. TARP also created a Specialized Inspector General (SIGTARP) who will collaborate with the FBI and federal prosecutors. Many states also have their own false claims acts, which should also come into play as TARP money flows to states.

State Attorneys General and Federal officials are starting to work together as never before, too.

  • Operation Short Change: A joint effort of the FTC and 18 state attorneys general targeting business scams taking advantage of the economic downturn.
  • Operation Loan Lies: A joint effort of the FTC and 18 state attorneys general targeting mortgage modification scams.
  • Operation Stolen Hope: A joint effort of 26 federal and state agencies to crack down on mortgage foreclosure rescue and loan modification scams.

Take Away: While Enron had a stellar Code of Conduct on paper, it was waived by the Board, and the potential profits at the time seemed to seriously outweigh any civil and criminal penalties then in force. Almost ten years later, companies are spending vast resources on compliance, even in the wake of the current recession. Wall Street’s recent problems, which prompted TARP, seem to have motivated both federal and state governments to step in with heightened enforcement of financial crimes. Whether heightened government enforcement coupled with increased corporate awareness is enough to deter the temptation of potential profits still remains to be seen.

What Corporate America Can Learn from America’s Greatest Spy. Corporate Data Security Quick Reminders.

Since the 1990s the information explosion has drastically increased the ability to share information, and also the ability to steal it. Former FBI undercover operative Eric O’Neill is widely credited with bringing down America’s most notorious spy, Robert Phillip Hanssen. At Inside Counsel’s Super Conference, Eric gave the first day’s keynote address, where he outlined how corporations can learn some lessons from the Hanssen case.

As an undercover surveillance specialist, O’Neill was trained to watch, profile and follow people. In 2001, O’Neill was approached by his superiors to investigate special agent Robert Hanssen. O’Neill was assigned as a direct report of Hanssen’s and on his first day of work, Hanssen introduced O’Neill to “Hanssen’s Law.” “Hanssen’s law” was that the spy is always where he has access to the information that he knows he can use to do the most damage and get the most money.

In the corporate setting, O’Neill outlined a few obvious and not so obvious ways that industrial spies obtain proprietary corporate information:

Corporate Dumpster Diving: Picking up information that is cast off (i.e. trash at home or work). Most larger organizations have thorough data destruction policies and employ data destruction vendors. But things can go very wrong if procedures are not faithfully followed or if vendors are not fully vetted and monitored. There needs to be corporate awareness that data security is everyone’s daily concern.

Security industry analyst Steve Hunt, who heads up Hunt Business Intelligence, believes too many people think that data security is just an IT issue. “There are so many physical security aspects to data protection it ought to never be considered merely an IT security issue,” Hunt said in an article written for CSO On-Line. With all the focus on protecting electronic data, many organizations forget about paper data and the physical protection of electronic data.

Hunt recently did a corporate dumpster dive in a major U.S. city and found all sorts of things that would be in violation of most companies’ data destruction policies. The dive turned up cancelled checks with the bank account owner’s social security number written on top, and the bank account numbers and balances for the political fundraising account of “a certain prominent politician in the area.” Hunt also found the personal financial statement of a very wealthy individual, including the person’s name, home address, real estate owned and values of the properties, several of the individual’s bank account numbers, social security number and date of birth. Hunt’s experiment even yielded a whole laptop with a tag on the back that said “Property of [another financial institution]”. Steve’s adventure took all of three minutes, and he astutely advises companies to do their own dumpster diving tests to monitor how their data destruction policies are actually functioning.

Corporate Charity: Information that is ‘cast off’ can include old computers donated to charity. O’Neill detailed situations where companies purchased all the old computers of their competitor from a charity that had supposedly cleaned off all pertinent information, and the purchaser ended up obtaining valuable business information from the competitor’s donated computers. If your organization chooses to donate used electronic equipment to charity, it makes sense to do the data cleaning in house, before physically surrendering the old equipment, so that you control the data cleaning process.
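Controlling the cleaning process also means checking the result, not just running a wipe tool and trusting it. The following Python script is an added example (not code from the article or from O’Neill) of a post-wipe verification step: it samples a drive image, flags any block that is not a uniform overwrite pattern, and looks for the headers of file types that commonly survive a quick format. The function names, the constructed sample image and the device path in the usage note are the author’s assumptions, not anything the article specifies.

```python
"""Post-wipe verification for retired equipment.

Added example, not from the article: before a donated or recycled drive
leaves the building, sample it and prove the wipe actually took instead of
trusting the vendor's or the charity's word.  Function names and the
constructed sample data below are the author's own choices.
"""
import os
import random

# Magic bytes of file types that commonly survive a sloppy "format".
SIGNATURES = {
    b"%PDF": "PDF document",
    b"PK\x03\x04": "ZIP container (DOCX/XLSX/PPTX)",
    b"\xd0\xcf\x11\xe0": "legacy Office document (OLE2)",
    b"SQLite format 3\x00": "SQLite database (browser or mail store)",
    b"\xff\xd8\xff": "JPEG image",
}


def residual_blocks(image: bytes, block_size: int = 512) -> list[int]:
    """Offsets of blocks that are neither all 0x00 nor all 0xFF.

    A properly overwritten drive reads back as a uniform pattern; anything
    else is data the wipe missed.
    """
    found = []
    for off in range(0, len(image), block_size):
        chunk = image[off:off + block_size]
        if chunk.count(0) != len(chunk) and chunk.count(0xFF) != len(chunk):
            found.append(off)
    return found


def signature_hits(image: bytes, block_size: int = 512) -> list[tuple[int, str]]:
    """File headers found at block boundaries, where file systems place them."""
    hits = []
    for off in range(0, len(image), block_size):
        head = image[off:off + 16]
        for magic, label in SIGNATURES.items():
            if head.startswith(magic):
                hits.append((off, label))
                break
    return hits


def verify_wiped(image: bytes, block_size: int = 512) -> dict:
    """Summarise whether an image (or a sampled slice of a device) is clean."""
    residual = residual_blocks(image, block_size)
    hits = signature_hits(image, block_size)
    return {
        "clean": not residual,
        "residual_blocks": len(residual),
        "first_residual_offset": residual[0] if residual else None,
        "signatures": hits,
    }


def sample_device(path: str, samples: int = 2048, block_size: int = 4096) -> bytes:
    """Read random whole blocks from a real device (path is an assumption,
    e.g. /dev/sdb) and concatenate them for verify_wiped().  Reading every
    byte of a large drive is slow; a random sample still catches a partial
    wipe with high probability.  Needs read access to the device."""
    fd = os.open(path, os.O_RDONLY)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)
        blocks = size // block_size
        rng = random.SystemRandom()
        out = bytearray()
        for _ in range(min(samples, blocks)):
            os.lseek(fd, rng.randrange(blocks) * block_size, os.SEEK_SET)
            out += os.read(fd, block_size)
        return bytes(out)
    finally:
        os.close(fd)


def build_sample_image() -> bytes:
    """Constructed 64-block 'drive' that a quick format left mostly zeroed
    but with a PDF header and a stray text record still present."""
    block = 512
    img = bytearray(block * 64)
    pdf = b"%PDF-1.4\n%constructed sample, not a real document\n"
    img[10 * block:10 * block + len(pdf)] = pdf
    note = b"customer record: acct=0000-CONSTRUCTED ssn=000-00-0000\n"
    img[40 * block:40 * block + len(note)] = note
    return bytes(img)


if __name__ == "__main__":
    print(verify_wiped(build_sample_image()))  # not clean: 2 blocks, PDF at 5120
    print(verify_wiped(bytes(512 * 64)))       # clean
```

Against a real drive, run `verify_wiped(sample_device("/dev/sdX"), block_size=4096)` with the same block size used for sampling, and treat any residual block or signature hit as a failed wipe that sends the drive back for re-wiping or physical destruction. The sampling is probabilistic by design; a full read is the stricter check when time allows.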

Corporate Posers / Impostors: Corporate spies often attempt to gain access by relying on people’s willingness to help out, the awkwardness of questioning strangers, and the excitement of receiving free stuff. Corporate spies know these human tendencies and use them to their full advantage. According to O’Neill, a hacker could be posing as ‘Joe from IT’ sending you an email or phone call requesting your password. If you’re busy or distracted, this just may work.

“Hi, I’m the rep from Cisco and I’m here to see Nancy.”  Chris Nickerson, founder of Lares, a Colorado-based security consultancy, recently pulled off a successful social engineering exercise for a client by wearing a $4 Cisco shirt that he got at a thrift store (Read: Anatomy of a Hack).

Criminals will often take weeks or months getting to know a place before even coming in the door, according to O’Neill. Posing as a client or service technician is one of many possibilities. Knowing the right thing to say, who to ask for, and having confidence are often all it takes for an unauthorized person to gain access to a facility, according to Nickerson.  

Other old stand-bys according to O’Neill are: “Can you hold the door for me? I don’t have my key/access card on me.” Another version would be “Can you hold the door for me?” while carrying a box of “paper for the printer” with both hands. How many people at your organization would turn away an HVAC technician on an emergency call after normal business hours? Would the air conditioner / heater actually be serviced? Or would bugs be planted, phones be tapped, pictures be taken? Would computer drives be duplicated, papers photocopied, or data altered?

Another ruse is flash drives distributed at conferences or left in strategic locations. Flash drives left unattended in a parking lot, public bathroom or elevator of a targeted company may be part of a sophisticated social engineering attack. These drives may be seeded with a trojan horse set to run automatically as soon as the drive is inserted and quietly steal your personal or company information in the background. This happened in an actual attack against the U.S. Pentagon!

Take Away: Closely check the background and reputation of any data destruction vendors. Verify that the data is actually destroyed in a non-usable format, and monitor closely that your corporate record destruction procedures are being faithfully followed. Remember the simple and obvious ways that corporate spies can try to gain your trust and gain access to vital information. Be wary of free giveaway computer devices or cast-off computer items that can be inserted into your computer.

Eric M. O’Neill is the founding partner of the Georgetown Group, where he specializes in counterintelligence and counterterrorism operations, security risk assessments, investigations into economic espionage, internal investigations, and background investigations. Eric served as an undercover operative for the F.B.I., where he conducted national security field operations against terrorists and foreign intelligence agents. His role in the investigation and capture of Robert Phillip Hanssen, the most notorious spy in United States history, became the subject of Universal Studios’ movie Breach, released to critical acclaim in 2007.