Category: Corporate Social Responsibility

SEC Announces First Non-Prosecution Agreement Involving Foreign Corrupt Practices Act (FCPA) Violations

DrinkerBiddle

On April 22, 2013, the Securities and Exchange Commission (SEC) announced it had entered into a Non-Prosecution Agreement (NPA) with Ralph Lauren Corporation under which the company agreed to disgorge approximately $700,000 in connection with certain unlawful payments made by a foreign subsidiary to government officials in Argentina from 2005 to 2009.  This is the first time the SEC has used a NPA for violations of the Foreign Corrupt Practices Act (FCPA).

According to the NPA, Ralph Lauren Corporation’s Argentine subsidiary paid “bribes,” i.e., payments in violation of the FCPA, to government and customs officials to improperly secure the importation of Ralph Lauren Corporation’s products in Argentina.  The purpose of the unlawful payments, made through a “customs broker,” was to obtain entry of Ralph Lauren Corporation’s products into the country without certain paperwork and to avoid certain inspections by customs officials.  The unlawful payments to Argentine officials totaled $593,000 during a four-year period.

The NPA further notes that the unlawful payments occurred during a period when Ralph Lauren Corporation lacked meaningful anti-corruption compliance and control mechanisms over its Argentine subsidiary.  The company discovered the misconduct in 2010 as a result of measures it adopted to improve its worldwide internal controls and compliance efforts, including implementation of a FCPA compliance training program in Argentina.  The NPA notes that the SEC determined not to charge Ralph Lauren Corporation with violations of the (FCPA) in light of several factors including:  (1) the company’s prompt reporting of the violations on its own initiative, (2) the completeness of the information it provided, and (3) the company’s extensive, thorough, and real-time cooperation with the SEC’s investigation.  According to the SEC, Ralph Lauren Corporation’s cooperation saved the Commission “substantial time and resources.”

In parallel criminal proceedings, the Justice Department also entered into a Non-Prosecution Agreement with Ralph Lauren Corporation under which the company will pay an $882,000 penalty.[1]

NPAs are part of the Enforcement Division’s Cooperation Initiative announced in 2010.  Prior to 2010, the SEC did not have the ability to enter into NPAs or Deferred Prosecution Agreements (DPAs).  The purpose of the Cooperation Initiative was to give the Commission the flexibility to incentivize and reward cooperation while at the same time ensuring that cooperators are held accountable for their misconduct.  Since 2010 and prior to this instance, the Commission has entered into three NPAs[2] and two DPAs[3]  It is likely that the SEC will continue to use DPAs and NPAs particularly in connection with FCPA matters given the factual complexity of the cases and the difficulty in discovering violations, which almost always occur outside the U.S.

The Ralph Lauren NPA provides useful guidance as to what the SEC will consider in assessing corporate cooperation by detailing the significant actions that Ralph Lauren Cooperation took in connection with the parallel investigations.  According to the NPA, Ralph Lauren Corporation:

  • reported preliminary findings of its internal investigation to the staff within two weeks of discovering the illegal payments and gifts:
  • voluntarily and expeditiously produced documents;
  • provided English language translations of documents to the staff;
  • summarized witness interviews that the company’s investigators conducted overseas; and
  • made overseas witnesses available for staff interviews in the U.S.

The NPA also notes that Ralph Lauren Corporation entered into tolling agreements during the staff’s investigation.  The statute of limitations with respect to the 2005 conduct, the earliest conduct charged, would have likely run in 2010, just as the company reported the violations to the SEC.

The Ralph Lauren NPA provides several other takeaways.  First, the Ralph Lauren Corporation agreed to enter into the NPA “without admitting or denying liability.”  While the NPA also contains the standard provision prohibiting the Ralph Lauren Corporation from “denying, directly or indirectly, the factual basis of any aspect of the” NPA, the inclusion of the “without admitting or denying language” seems to run counter to the policy announced by the Enforcement Division in January 2012 to eliminate the use of “neither admit nor deny” language from settlement documents involving parallel (i) criminal convictions or (ii) NPAs or DPAs[4]  This may suggest that the “without admitting or denying liability” language remains negotiable.

Second, under the agreement, the Company must seek the staff’s prior approval of the contents of any press release concerning the NPA.  Third, while the SEC emphasizes the Ralph Lauren Corporation’s enhanced compliance program and successful implementation of the enhancements, it also highlights that the Ralph Lauren Corporation has ceased retail operations in Argentina and is in the process of winding down all operations there.  It is possible Ralph Lauren Corporation’s decision to close operations in Argentina was a significant factor in the SEC’s decision to use a NPA in this circumstance.  Fourth, notably, the NPA does not require the Ralph Lauren Corporation to retain an independent consultant to review its policies and procedures and to prepare a report to the staff regarding any findings.  The financial burden of independent consultant “reviews” is often significant.  The staff’s willingness to forego such an undertaking demonstrates the value of taking quick and full remedial action during an investigation.

Fifth, the NPA also refers to “gifts” such as perfume, dresses and handbags valued at between $400 and $14,000, which were provided to three different government officials during the relevant time.  This underscores the importance of having policies and procedures that extend beyond prohibiting monetary payments to government officials.  Finally, the NPA requires that the Ralph Lauren Corporation “to pay disgorgement obtained or retained as a result of the violations discovered during the investigation.”  In its press release, the SEC notes that Ralph Lauren Corporation will “disgorge” $700,000 in illicit profits and interest.  The disgorgement, however, appears to be the total amount of unlawful payments plus interest made rather than any profit earned as a result of the unlawful payments.  Disgorgement is frequently difficult to calculate, especially in FCPA cases.  It appears that rather than tracing the unlawful payments to profits, the SEC was satisfied to use the amount of unlawful payments as a proxy for disgorgement.  Moreover, the low monetary value of the unlawful payments may have also contributed to the SEC’s decision to enter into a NPA in this instance.

[1]  The agreement with the Justice Department stands as yet another example of DOJ’s position that senior management be intricately involved in anti-corruption compliance efforts.  More specifically, the agreement requires that Ralph Lauren’s “directors and senior management provide strong, explicit, and visible support and commitment to its corporate policy against violations of the anti-corruption laws and its compliance code.”  Further, the agreement requires that the company “assign responsibility to one or more senior corporate executives of the Company for the implementation and oversight of the Company’s anti-corruption compliance code, policies and procedures.” 

[2]  In December 2010, the SEC entered into a NPA with Carters Inc. in connection with a financial fraud perpetrated by a former Executive Vice President of Carters.  The NPA focused on the isolated nature of the misconduct, Carters’ prompt self-reporting, extensive cooperation and remedial actions.  In December 2011, the SEC entered into DPAs with Federal Home Loan Mortgage Corporation (Freddie Mac) and Federal National Mortgage Association (Fannie Mae) in connection with certain misleading statements claiming that the companies had minimal holdings of higher-risk mortgage loans including subprime loans.  The NPA focused on Freddie Mac’s and Fannie’s Mae’s cooperation in connection with the SEC’s litigation against former senior executives.

[3]  In May 2011, the SEC entered into a DPA with Tenaris S.A. in connection with FCPA violations.  The DPA required Tenaris to disgorge approximately $5.4 million.  The DPA focused on Tenaris’ early self-reporting, extensive cooperation and remedial actions.  InJuly 2012, the SEC entered into a DPA with Amish Helping Fund in connection with certain misrepresentations and omissions in offering documents.  Again, the DPA focused on Amish Helping Fund’s immediate and complete cooperation, its willingness to offer investors a right of rescission and its remedial efforts. 

[4]  The Amish Helping Fund DPA entered into on July 18, 2012, does not contain the “without admitting or denying” or “neither admitting nor denying” language.

Article By:

 of

Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting

The National Law Review recently published an article, Brace for Impact – Final HITECH Rules Will Require Substantially More Breach Reporting, written by Elizabeth H. Johnson with Poyner Spruill LLP:

Poyner Spruill

 

The U.S. Department of Health and Human Services (HHS) has finally issued its omnibus HITECH Rules.  Our firm will issue a comprehensive summary of the rules shortly (sign up here), but of immediate import is the change to the breach reporting harm threshold.  The modification will make it much more difficult for covered entities and business associates to justify a decision not to notify when an incident occurs.

Under the interim rule, which remains in effect until September 23, 2013, a breach must be reported if it “poses a significant risk of financial, reputational, or other harm to the individual.” The final rule, released yesterday, eliminates that threshold and instead states:

“[A]n acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E [the Privacy Rule] is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:

(i) The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;

(ii) The unauthorized person who used the protected health information or to whom the disclosure was made;

(iii) Whether the protected health information was actually acquired or viewed; and

(iv) The extent to which the risk to the protected health information has been mitigated.”
(Emphasis added).

In other words, if a use or disclosure of information is not permitted by the Privacy Rule (and is not subject to one of only three very narrow exceptions), that use or disclosure will be presumed to be a breach.  Breaches must be reported to affected individuals, HHS and, in some cases, the media.  To rebut the presumption that the incident constitutes a reportable breach, covered entities and business associates must conduct the above-described risk analysis and demonstrate that there is only a low probability the data will be compromised.  If the probability is higher, breach notification is required regardless of whether harm to the individuals affected is likely.  (Interestingly, this analysis means that if there is a low probability of compromise notice may not be required even if the potential harm is very high.)

What is the effect of this change?  First, there will be many more breaches reported resulting in even greater costs and churn than the already staggering figures published by Ponemon which reports that 96% of health care entities have experienced a breach with average annual costs of $6.5 billion since 2010.

Second, enforcement will increase.  Under the new rules, the agency is required (no discretion) to conduct compliance reviews when “a preliminary review of the facts” suggests a violation due to willful neglect.  Any reported breach that suggests willful neglect would then appear to require agency follow-up.  And it is of course free to investigate any breach reported to them.  HHS reports that it already receives an average of 19,000 notifications per year under the current, more favorable breach reporting requirements, so where will it find the time and money to engage in all these reviews?  Well, the agency’s increased fining authority, up to an annual maximum of $1.5 million per type of violation, ought to be some help.

Third, covered entities and business associates can expect to spend a lot of time performing risk analyses.  Every single incident that violates the Privacy Rule and does not fit into one of three narrow exceptions must be the subject of a risk analysis in order to defeat the presumption that it is a reportable breach.  The agency requires that those risk analyses be documented, and they must include at least the factors listed above.

So why did the agency change the reporting standard?  As it says in the rule issuance, “We recognize that some persons may have interpreted the risk of harm standard in the interim final rule as setting a much higher threshold for breach notification than we intended to set. As a result, we have clarified our position that breach notification is necessary in all situations except those in which the covered entity or business associate, as applicable, demonstrates that there is a low probability that the protected health information has been compromised. . . .”

The agency may also have changed the standard because it was criticized for having initially included a harm threshold in the rule, with critics claiming that the HITECH Act did not provide the authority to insert such a standard.  Although the new standard does, in essence, permit covered entities and business associates to engage in a risk-based analysis to determine whether notice is required, the agency takes the position that the new standard is not a “harm threshold.”  As they put it, “[W]e have removed the harm standard and modified the risk assessment to focus more objectively on the risk that the protected health information has been compromised.”  So, the agency got their way in that they will not have to receive notice of every single event that violates the Privacy Rule and they have made a passable argument to satisfy critics that the “harm threshold” was removed.

The new rules are effective March 26, 2013 with a compliance deadline of September 23, 2013.  Until then, the current breach notification rule with its “significant risk of harm” threshold is in effect.  To prepare for compliance with this new rule, covered entities and business associates need to do the following:

  • Create a risk analysis procedure to facilitate the types of analyses HHS now requires and prepare to apply it in virtually every situation where a use or disclosure of PHI violates the Privacy Rule.
  • Revisit security incident response and breach notification procedures and modify them to adjust notification standards and the need to conduct the risk analysis.
  • Revisit contracts with business associates and subcontractors to ensure that they are reporting appropriate incidents (the definition of a “breach” has now changed and may no longer be correct in your contracts, among other things).
  • If you have not already, consider strong breach mitigation, cost coverage, and indemnification provisions in those contracts.
  • Revisit your data security and breach insurance policies to evaluate coverage, or lack thereof, if applicable.
  • Consider strengthening and reissuing training.  With every Privacy Rule violation now a potentially reportable breach, it’s more important than ever to avoid mistakes by your workforce.  And if they happen anyway, during a subsequent compliance review, it will be important to be able to show that your staff was appropriately trained.
  • Update your policies to address in full these new HIPAA rules.  The rules require it, and it will improve your compliance posture if HHS does conduct a review following a reported breach.

As noted above, our firm will issue a more comprehensive summary of these new HIPAA rules in coming days.

© 2013 Poyner Spruill LLP

New York Enhances Employee and Consumer Privacy Rights Under its Social Security Number Protection Law

Four years ago, New York enacted a Social Security Number Protection Law, N.Y. Gen. Bus. Law, §399-dd, aimed at combating identity theft by requiring employers to better safeguard employee social security numbers in their possession.  (Click here for our summary of the law).  Now, New York is going one step further with its passage of two new Social Security Number Protection laws.

First a note: as of November 12, 2012, §399-dd – the original Social Security Protection Law – will be re-codified as new §399-ddd, and it will also add the statutory language of the first of these two new laws, which prohibits employers from hiring inmates for any job that would provide them with access to social security numbers of other individuals.

The second law, which is codified as a separate new §399-ddd, enhances the requirements for safeguarding employee social security number while also adding similar protections for consumers.  This law prohibits companies from requiring employees and consumers to disclose their social security numbers or to refuse any service, privilege or right to the employee or customer for refusing to make that disclosure, unless (i) required by law, (ii) subject to one of its many exceptions, or (iii) encrypted by the employer.  This law also applies to any numbers derived from the individual’s social security number, which means that it extends, for example, to situations where the company asks the individual for the last four digits of their number.  It is unclear whether this law will prove effective in accomplishing its objectives.

First, it contains an exception with the potential to swallow the rule – where the individual consents to the use of the social security number, which many individuals may freely provide absent knowledge of this law’s protections.  Even with an employee’s consent, however, employers must still be mindful that other provisions of the original Social Security Number Protection Law requires them to institute certain safeguards to protect against the number’s disclosure.  And further, even if the employer obtains the employee’s consent, the original law still prohibits employers from utilizing an employee’s social security account number on any card or tag required for the individual to access products, services or benefits provided by the employer.

Second, the penalties for violations are minimal – up to $500 for the first violation and $1,000 for each violation thereafter, and can be avoided where the employer shows the violation was unintentional and occurred notwithstanding the existence of procedures designed to avoid such violations.  Further, there is no private right of action, and only the Attorney General can enforce the law.

Governor Cuomo signed the acts into law on August 14, 2012.  The inmate law will take effect on November 12, 2012 and the disclosure law will take effect thirty days later on December 12, 2012.  Now if he would only sign the recently passed wage deduction law.

©1994-2012 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C.

“Brogrammers” Giving Silicon Valley a Bad Name?

An article by Emily Holbrook of Risk and Insurance Management Society, Inc. (RIMS) regarding “Brogrammers” recently appeared in The National Law Review:

According to a recent article, Silicon Valley tech firms are using marketing tactics geared more towards fraternity brothers than programming savants. The problem? Not only is it sexist at times, but it is alienating a large chunk of qualified tech professionals. Here are a few examples:

Of course, this is only a snipet of what’s going on as many of the antics are never publicized. Barbaic events like these may not only cost companies money (several businesses pulled their sponsorship from the Sqoot event), but it alienates those who may be talented programmers, but don’t adhere to the frat boy mentality.

There’s also an audience that feels left out of the joke. Women made up 21% of all programmers in 2010, down from 24% in 2000, according to the U.S. Bureau of Labor Statistics. Anything that encourages the perception of tech as being male-dominated is likely to contribute to this decline, says Sara Chipps, founder of Girl Develop It, a series of software development workshops. “This brogramming thing would definitely turn off a lot of women from working” at startups, says Chipps.

But is this really a serious problem in Silicon Valley or just young men being young men? I’ve heard both sides of the argument. Some companies that have taken this seriously, such as Etsy, have decided to do something about it. The e-commerce website is donating $5,000 to at least 10 women in an attempt to lure female coders to New York’s Hacker School this summer.

Whether this is an epidemic that should cause concern or merely programmers acting their age, one thing is for sure — having a working envrionment void of diversity is aiken to siloed idea generation. Silicon Valley should know this.

Risk Management Magazine and Risk Management Monitor

U.S. Announces Innovative Clean Air Agreement For Industrial Flares With Marathon Petroleum Company

Recently The National Law Review published an article by the U.S. Environmental Protection Agency regarding a New Clean Air Agreement:

The U.S. Environmental Protection Agency (EPA) and the Department of Justice today announced an innovative environmental agreement with Ohio-based Marathon Petroleum Company that already has significantly reduced air pollution from all six of the company’s petroleum refineries. In a first for the refining industry, Marathon has agreed to state-of-the-art controls on combustion devices known as flares and to a cap on the volume of waste gas it will send to its flares. When fully implemented, the agreement is expected to reduce harmful air pollution by approximately 5,400 tons per year and result in future cost savings for the company.

“Today’s agreement will result in cleaner air for communities across the South and Midwest,” said Cynthia Giles, assistant administrator for EPA’s Office of Enforcement and Compliance Assurance. “By working with EPA, Marathon helped advance new approaches that reduce air pollution and improve efficiency at its refineries and provide the U.S. with new knowledge to bring similar improvements in air quality to other communities across the nation.”

“This agreement is a great victory for the environment and will result in cleaner and healthier air for the benefit of communities across the country in Illinois, Kentucky, Louisiana, Michigan, Ohio and Texas,” said Ignacia S. Moreno, assistant attorney general for the Environment and Natural Resources Division of the Department of Justice. “By spurring corporate ingenuity, this settlement will dramatically reduce emissions from all 22 flares at Marathon’s six refineries.”

The settlement is part of EPA’s national effort to reduce air pollution from refinery, petrochemical and chemical flares. A flare is a mechanical device, ordinarily elevated high off the ground, used to combust waste gases. The more waste gas a company sends to a flare, the more pollution occurs. The less efficient a flare is in burning waste gas, the more pollution occurs. EPA wants companies to flare less, and when they do flare, to fully combust the harmful chemicals found in the waste gas.

A consent decree filed today in the U.S. District Court in Detroit resolves Marathon’s alleged violations of the Clean Air Act. As part of the effort to reach this agreement, Marathon, under the direction and oversight of EPA, spent more than $2.4 million to develop and conduct pioneering combustion efficiency testing of flares and to advance the understanding of the relationship between flare operating parameters and flare combustion efficiency.

In addition, beginning in 2009, Marathon installed equipment, such as flow monitors and gas chromatographs, to improve the combustion efficiency of its flares. To date, Marathon has spent approximately $45 million on this equipment and projects, and plans to spend an additional $6.5 million. Marathon also will spend an as yet undetermined sum to comply with the flaring caps required in the consent decree.

At the same time, Marathon indicates that the equipment it already has installed is saving it approximately $5 million per year through reduced steam usage and product recovery. Marathon also projects additional savings through the operation of the equipment to be installed in the future.

From 2008 to the end of 2011, the controls Marathon installed eliminated approximately 4720 tons per year of volatile organic compounds (VOCs) and 110 tons per year of hazardous air pollutants (HAPs) from the air. An additional 530 tons per year of VOCs and 30 tons per year of HAPs are projected to be eliminated in the future.

Under the agreement, Marathon will also implement a project at its Detroit refinery to remove another 15 tons per year of VOCs and another one ton per year of benzene from the air. At an estimated cost of $2.2 million, Marathon will install controls on numerous sludge handling tanks and equipment.

Marathon’s six refineries are located in: Robinson, Ill.; Catlettsburg, Ky.; Garyville, La.; Detroit; Canton, Ohio; and Texas City, Texas. Together, the refineries have a capacity of more than 1.15 million barrels per day.

Marathon, headquartered in Findlay, Ohio, will pay a civil penalty of $460,000 to the United States.

The consent decree is subject to a 30-day public comment period and final court approval.

More about the settlement: http://www.epa.gov/compliance/resources/cases/civil/caa/marathonrefining.html

More about EPA’s civil enforcement of the Clean Air Act: http://www.epa.gov/compliance/civil/caa/index.html

More about EPA’s refinery initiative: http://www.epa.gov/compliance/resources/cases/civil/caa/oil/

© Copyright 2012 United States Environmental Protection Agency

Electronically Stored Information, Social Media and the Rules of Professional Conduct: Are you compliant with your duties of competence and diligence?

Recently published in The National Law Review was an article about Compliance and Diligence and Electronic Media by  Charles H. Gardner of  Much Shelist, P.C.:

Electronically Stored Information and its increasingly complex progeny, social media evidence (collectively, “ESI”) are quickly being woven into the fabric of discovery and the practice of law.  As the cases and rules of professional conduct discussed below demonstrate, lawyers who fail to thoughtfully investigate and use social media evidence (both that of their own client and that of the opposing party(ies)) are not engaged in best practices.

The American Bar Association (“ABA”) Model Rule of Professional Conduct 1.1 (Competence) states that “[a] lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” (The Model Rules have been adopted in all of the fifty states, except California, and in the District of Columbia and the U.S. Virgin Islands). Comment 5 to Rule 1.1 provides, in part, that “[c]ompetent handling of a particular matter includes inquiry into and analysis of the factual and legal elements of the problem, and use of methods and procedures meeting the standards of competent practitioners. It also includes adequate preparation (emphasis added).” Further, the ABA Standing Committee on Ethics and Professional Responsibility Formal Opinion No. 98-411(1998) states, “[w]e believe the ethical issues are the same whether [involving] substantial legal or procedural aspects of a client’s matter or [a lawyer’s] ethical duties in furtherance of the client’s matter.”

Much has changed since the ABA adopted the Model Rules of Professional Conduct and its predecessor guidelines. Electronic data and communication and social media communities such as Facebook, MySpace, and Twitter have become linchpins of society and discourse. As of December 2011, Facebook alone reported that it had 845 million monthly users and more than 483 million average daily users (http://newsroom.fb.com/content/default.aspx?NewsAreaId=22, last visited Feb. 12, 2012).

In the recent case of Griffin v. Maryland, 192 Md. App. 518, 535 (2010), the court opined, “[i]t should now be a matter of professional competence for attorneys to take the time to investigate social networking sites (emphasis added).” In addition, a 2010 study by the American Association of Matrimonial Attorneys found that an overwhelming eighty-one percent of the nation’s top divorce attorneys said that they have seen an increase in the number of cases in which social media evidence plays a role. Sixty-six percent of those attorneys cite Facebook as the primary source of such evidence. Accepting as an imminent practical reality that an attorney has or will soon have an affirmative duty to investigate social media evidence, what might the cost be to the attorney, the client, or both for failing to do so or, worse, failing to preserve such evidence?

Consider hypothetically the evidentiary value of photographs posted on a disability claimant’s social media page showing her rock climbing, for example. One can see just how persuasive ESI can be.  However, ESI can also be a minefield of professional liability. Consider the case of Lester v. Allied Concrete Company, Nos. CL08-150, CL09-223 (Va. Cir. Ct. Oct. 21, 2011) in which a Virginia attorney was found to have instructed his assistant to tell his client to remove a photograph from a social media website. Finding that the lawyer had violated Virginia’s equivalent of Model Rules 3.3 (Candor toward the tribunal), 3.4 (Fairness to opposing parties and counsel), 5.3 (Responsibilities regarding non-lawyer assistants), 8.4 (Misconduct) and rules of court regarding conduct that tends to defeat the administration of justice or to bring the courts or the legal profession into disrepute, the court sanctioned the attorney with a fine of $540,000. In addition, the court fined the client $180,000 for spoliation of evidence. For the twenty-first century practitioner, a well thought-out ESI discovery plan could mean not only the difference between success and failure in the matter at hand, but may also mean the difference between a grateful client and a client that brings a malpractice claim, a disciplinary complaint or both for ineffectiveness in investigation and preparation. However, case investigation and preparation are not the only source of risk for attorneys and judicial officers.

The case of In re: B. Carlton Terry, Jr., No. 08234 (N.C. Judicial Standards Commission, April 1, 2009) demonstrates how critical it is for attorneys to be savvy in social media and ESI discovery in general. In that family law case, the judge, plaintiff’s counsel and defense counsel were discussing Facebook in a meeting in chambers. Plaintiff’s attorney commented that she did not know what Facebook was and did not have time for it. Following the meeting in chambers, Judge Terry and defense counsel became friends on Facebook and discussed the case in some detail. Judge Terry also conducted independent investigation into plaintiff’s social media pages and quoted from them at the hearing. The judge did not inform plaintiff’s counsel of his actions until after he had entered an oral order. Plaintiff’s counsel immediately sought to and did have the judge’s order vacated. Judge Terry voluntarily disqualified himself and the case was remanded for a new hearing, costing the taxpayers a considerable amount. Ultimately Judge Terry was publicly reprimanded by consent in formal proceedings before the Judicial Standards Committee.

Had plaintiff’s counsel conducted a thorough, or even a rudimentary, ESI investigation, the wrongdoing on the part of defense counsel and the bench could have been addressed promptly which would have spared both Plaintiff and the taxpayers significant costs in having to try the same matter twice.

Furthermore, it is worth noting that the rules of professional conduct apply equally to in-house counsel and transactional attorneys as to litigators. In the more casual in-house and transactional business environments, the line between clients and business colleagues can become easily blurred. These attorneys should be especially mindful of their professional responsibilities and the implications that their actions may have on their organization in the event that litigation ensues.

Following are six simple and practical suggested steps towards developing a strong ESI discovery plan and investigation process:

  1. Educate yourself about social media and ESI in general. If you do not know where to look, you could be lost in a search engine “black hole”. Not only can you place yourself ahead of the pack in the legal community, you will also be able to communicate with your children and grandchildren!
  2. Draft a written ESI discovery plan that includes an immediate request for a discovery hold on ESI.  Be systematic and judicious in your requests. And be mindful of Model Rule 1.3 (diligence).
  3. Draft and circulate acknowledgement forms to all personnel in your organization and obtain their signatures.  These documents should educate your personnel about sound social media practices and emphasize ethical concerns as well as the legal liability to the organization, to you and to the employee, who could also face appropriate discipline for violating company policy.  Be mindful of Model Rule 5.3 (responsibilities regarding non-lawyer assistants). And, with respect to employees, be mindful of the limitations imposed by the National Labor Relations Act when drafting your policies and acknowledgement forms.
  4. Instruct your client that ESI is evidence and that the client should not tamper with or destroy such evidence until the case is completely resolved, including during the time allowed for appeals and in appellate proceedings, if any.
  5. Check your client’s social media pages.  Know what you are up against.
  6. Conduct a thorough review of any and all available ESI of the other party.  Be careful to abide by the “no contact” rules.  For example, do not send a surreptitious friend request to gain access to another party’s ESI, but rather, look only at what is publicly available to you and obtain proper warrants for any additional information.  And be prepared to argue to the court why the evidence is relevant and why it should be produced and admitted.

If you are not making diligent and competent use of ESI, you place yourself and your client at a severe disadvantage and you are arguably breaching your ethical obligations. The immediate future is a rare opportunity to be on the cutting edge of developing law.  With a little knowledge and a reasonable amount of follow-through, you can set yourself apart in the new media frontier by making sound use of the bountiful resources that new media technologies have brought to the practice of law.

Charles H. Gardner is Special Counsel to the Intellectual Property & Technology group at Much Shelist, P.C. and head of its social media practice.  Mr. Gardner is a frequent writer and lecturer on the topic of social media and new media technologies. He has been featured in Crain’s Chicago Business and The Chicago Daily Law Bulletin and will be leading a CLE seminar on the “Laws of Social Media” (tailored for house counsel and business executives) on February 21, 2012.* Before joining Much Shelist, Mr. Gardner served as Director of Legal and Business Affairs for Harpo Studios, Inc. Mr. Gardner has a juris doctorate from Loyola Law School, Los Angeles (Entertainment Law Review) and a bachelor’s degree from the University of California, Berkeley.  He is admitted to practice law in California, New York, Illinois, the District of Columbia and before the United States Supreme Court.

*For more information and/or for complimentary registration, please call or e-mail Mr. Rodney Abstone at CLS Executive Search at (312) 251-2564 or email rabstone@clsexecutivesearch.com. 

© 2012 Much Shelist, P.C.

Federal Authorities Warn of Terrorism: Three Steps Toward Comprehensive Risk Management for the Hotel Industry

Recently posted at the National Law Review by Richard J. Fildes of Lowndes, Drosdick, Doster, Kantor & Reed, P.A. – news about a recent federal government terror alert involving hotels and resort properties: 

Quality service, prime amenities, ideal locations and excellent accommodations are the repertoire of successful hotels. In light of a recent warning issued by federal authorities to the U.S. hotel industry, that checklist may need to expand, according to the American Hotel & Lodging Educational Institute. Though Mumbai-style attacks have thankfully not come to fruition on American soil in recent years, the need for vigilance is ever-present. Based on intelligence reports gathered by the U.S. government, terror plots on the hotel industry are a looming threat;however, a panic-free plan for potentially devastating crises can easily be developed.

Attacks of terrorism and natural disasters can often share the same elements of surprise, chaos, structural destruction and health-related concerns. Just as hotels should plan for before, during, and after a storm (more details), there should be a similarly structured program for staff and guests when dealing with terrorist attacks. Combining the consideration of both events can streamline the process of training employees and increasing familiarity with risk management in the aftermath of such events. Some considerations are as follows:

 Lobbies tend to be the most dangerous part of hotels because they are typically unsecured open areas where guests congregate. If finances permit, have plain clothed security personnel in the lobby. The presence of uniformed security guards can create a perception of safety; however, non-uniformed guards can be more attuned as the eyes and ears of hotel security.

• Staff should be trained to spot potentially dangerous activities. All employees who may have contact with guests, including housekeeping, maintenance, front desk, guest services, food and beverage, transportation, and parking should be given detailed instructions on what types of activity should be reported to hotel security.

 Staff should also have equally detailed instructions on panic control and ways to manage the turmoil of natural disasters.

 Record keeping is also vital, especially with health related issues. Knowing which employees have medical ailments or potential concerns will help reduce health risks stemming from natural disasters and terrorist attacks. Though some guests may not want to disclose such information, consider asking guests whether they have any heart conditions, diabetes or other issues that would be necessary for the staff to know in case of an emergency. Such inquiries should be phrased “as non-intrusive” inquiries geared toward providing the best possible customer care and service in the rare chance that something may happen.

• Keeping both paper and electronic copies of records, including which guests are checked into the hotel at any given time, is also key to minimizing confusion and chaos when responding to an emergency.

• Develop specific evacuation plans. The standard “in-case-of-a-fire” evacuation route may not be helpful during a chemical weapon attack, bombing or hurricane.

• Have designated evacuation areas equipped (or readily able to be equipped) with vital supplies. Back up energy sources, medical supplies and non-perishable foods, and bottled waters are all necessary to keep guests safe and calm.

• Make the evacuation routes easy to follow, and ensure that the staff knows exactly where guests should be located during the different emergencies.

Being vigilant, heightening security efforts, and ensuring staff preparedness will help reduce the stress, commotion and devastating aftermath of natural disasters and terrorist related incidents.

* Tara L. Tedrow is co-author of this article. She is a rising third year law student and has not been admitted to the Florida Bar.

To read the press release issued by the American Hotel & Lodging Association, please click on the following : AHLEI PR_TerrorWarningReinforcesNeedVigilanceTraining.pdf

© Lowndes, Drosdick, Doster, Kantor & Reed, PA, 2011. All rights reserved.

Interview with C. David Morris, Senior Counsel International at Northrop Grumman Corporation

Recently postd at the National Law Review by Michele Westergaard of marcus evans an interview with a Senior in house Counsel of Northrop Grumman about FCPA compliance issues: 

With the steady increase in enforcement, organizations need to now move beyond FCPA compliance and embrace a global anti-corruption compliance program. Global companies should assess their existing anti-corruption compliance programs and adjust them to meet potentially more stringent requirements.

C. David Morris, Senior Counsel International at Northrop Grumman Corporation is a speaker at the 6th FCPA & Anti-Corruption Compliance Conference taking place on June 22-24, 2011 in Washington, DC.

Mr. Morris is Senior Counsel in the Northrop Grumman Corporation International Law Department located in Linthicum, MD. His practice focuses on international regulatory compliance and cross-border transactions involving the corporation’s domestic and international businesses and joint ventures. David answered a series of questions on how to enhance FCPA and anti-bribery initiatives to adapt to heightened global anti-corruption enforcement.

What is the importance for companies to conduct regular compliance training for FCPA and foreign anti corruption laws?

DM:  From a legal perspective, the U.S. Government has made it clear through many Department of Justice and Securities and Exchange Commission settlement agreements and the Federal Sentencing Guidelines that regular training is an essential component of a corporate compliance program for companies that conduct business with foreign government entities. As such, a company’s history of conducting anti-corruption training can be viewed as either a mitigating or aggravating factor should a company find itself in litigation on a FCPA matter. Likewise, the Guidance to the UK Bribery Act also identifies training as a key component to the corporate defense of having adequate compliance procedures. In this regard, the failure to provide training could be detrimental to the statutory defense. From a business perspective, anti-corruption training is a wise investment as part of a preventative law program.  Regular anti-corruption training helps to reinforce and shape a corporation’s ethical culture and standards of business conduct. When clear policies and expectations are communicated, a culture for ethical behavior becomes engrained throughout the enterprise.    

How can companies not only meet the minimal expectationsforFCPA compliancebut also exceed them?

DM: Two features of a robust compliance program that companies can undertake to achieve top tier status are to conduct benchmarking activities relative to their industry peer companies and to regularly conduct comprehensive internal risk assessments on a periodic basis. Collaboration with outside experts on these activities can be particularly helpful because they can bring an independent perspective to aid in the decision making process. In addition, there are numerous webinars, conferences, and bar association committees that provide useful practice tips and networking opportunities to stay abreast of best practices. Finally, the OECD published guidance in this area last year with their Good Practice Guidance on Internal Controls, Ethics, and Compliance, which is often cited by enforcement authorities as a model for companies to embrace.

What are the effects of non-compliance on share price, organizational reputation etc?

DM:  The effects of a corruption related enforcement action can be devastating on all of a company’s constituencies. For shareholders, it is fairly common to see a company’s market capitalization decline following the announcement of a government investigation or a financial reserve set aside to cover potential fines and penalties. In 2010 alone, there were five settlements with the DOJ and SEC in excess of $100M.  For customers and trading partners, uncertainties about the reliability of a company undergoing an enforcement action can be problematic because of the possibility of suspension, debarment, and/or revocation of export privileges in some cases. For employees, morale can take a hit when they observe their leaders prosecuted for criminal activity. Lastly, the enterprise as a whole can suffer because the lifecycle of a typical enforcement action (investigation, litigation, consent decree, and compliance monitor) can consume management focus for many years.

How can existing anti corruption programs be strengthened to take account of emerging global anti-corruption trends?

DM:  Given the extra-territorial reach of the FCPA, the jurisdictional reach of the UK Bribery Act, and the level of inter-country prosecutorial cooperation, companies need to review their policies, procedures, and internal controls to ensure their anti-corruption compliance program is in lock-step with their corporate footprint. As with any business activity, capital, human, and technological resources need to be deployed where they will be most effective and adjusted as the business evolves. An internal risk assessment and procedural gap review are two features of a healthy continuous improvement program. Lastly, I would add that partnering with Internal Auditors, Country Managers, Ethics Officers, Finance personnel and others with an anti-corruption focus can be a beneficial way to leverage and extend the reach of existing resources.

How best can red flags of possible FCPA violations be identified?

DM:  The FCPA’s accounting and internal controls provisions require companies to devise and maintain a system of internal accounting controls sufficient to provide reasonable assurances that transactions are executed in accordance with management’s authorization and are recorded as necessary to maintain accountability for assets. In addition, there are Sarbanes-Oxley requirements for management to provide a statement of the effectiveness of the company’s internal control structure and procedures for financial reporting. As such, procedures and controls should be established for entering into third party commitments, making payments, and cash disbursements to detect red flags which may require additional due diligence. In addition to periodic internal risk assessments and related interviews of key personnel, it is a good practice to provide awareness training on red flags and to require those involved with international transactions to certify if they are aware of red flags or adverse information at milestones throughout a business transaction. The establishment of an anonymous hot line to report ethical concerns is also often cited as a best practice to detect red flags. In terms of identifying red flags of external trading partners, periodic media searches can reveal a wealth of information.  The commercial attaché of the US Embassy of the country in question can also be a valuable red flag identification resource, as well as in-country employees and outside counsel.

© Copyright 2011 marcus evans

 

 

 

California and Florida Lead Trend of New State-Level Iran Sanctions

Posted this week at the National Law Review by Reid Whitten  of Sheppard, Mullin, Richter & Hampton LLP a good summary of recent  state legislation targeting potential contractors that deal with Iran.  

On June 2, 2011, Florida Governor Rick Scott signed a new state law prohibiting Florida government entities from contracting with companies invested in Iran’s petroleum energy sector.  Florida’s law, and a similar California law that went into effect on June 1, 2011, announce a coming trend of state laws targeting potential contractors that also deal with Iran.  These two laws, and several others on the horizon, present pitfalls for unwary companies as well as unique opportunities for informed, well-advised businesses.

On July 1, 2010, President Obama signed the Comprehensive Iran Sanctions, Accountability, and Divestment Act of 2010 (“CISADA”) into law.  CISADA targets companies invested in Iran’s petroleum sector through provisions prohibiting the U.S. Government from contracting with such companies.  CISADA also permits the states to enact similar prohibitions against state contracts with companies invested in the Iranian petroleum sector.  Within months of enactment of the U.S. law, California and Florida passed their own laws, citing the desire to put further economic pressure on such companies. The legislatures of Oregon, Kansas, and other states are considering similar actions. Arizona also has a prohibition on contracting with companies invested in Iran that became law as part of a 2008 divestment act. Companies, particularly non-U.S. companies, intending to bid on state government contracts need to pay close attention to individual state statues, and review their own investments for connections to Iran’s petroleum energy sector.  U.S.-organized companies are unlikely to have such investments because (except in very narrow circumstances) the pre-existing U.S. economic embargo against Iran prohibits them.

On September 30, 2010, California passed the Iran Contracting Act of 2010 (“California Act”) requiring, among other actions, that the California Department of General Services compile a list of persons or companies involved in business or investment activities in Iran.  The California Act also declares that any person identified as having business or investment activities of $20 million dollars or more in the energy sector of Iran “is ineligible to, and shall not bid on, submit a proposal for, or enter into or renew, a contract with a public entity for goods or services of one million dollars ($1,000,000) or more.”  See Cal. Pub. Contr. § 2203(a)(1) (West 2010). Companies that are notified of their designation as doing significant business in Iran’s petroleum energy sectors must demonstrate to the government’s satisfaction that they should not be so designated. If they fail to do so, they will be subject to the contracting prohibition.

Similarly, the Florida Scrutinized Companies law (“Florida Act”) will take effect July 1, 2011. Under a 2008 Iran divestment act, Florida’s State Board of Administration maintains a “Scrutinized Companies with Activities in the Iran Petroleum Energy Sector List” (“Scrutinized Companies List”). The Florida Act prohibits a Florida state agency or local governmental entity from contracting for goods and services of more than $1 million dollars or more with any company on the Scrutinized Companies List.

The Florida Act requires contractors to certify that they are not on the Scrutinized Companies List before submitting a bid for, entering into, or renewing a contract with, a state agency or local government entity. In addition, any contract entered into or renewed on or after July 1, 2011 must contain a provision allowing for termination of that contract if the company is found to have submitted a false certification. Further, the bill would require the Florida state government to bring a civil action against any company that does not disprove a determination of false certification within a specified time.

The state laws present both a concern and an opportunity for contracting companies. Concerns, in particular, arise because states lack substantial experience in administering international sanctions policy. As a result, Companies may be mistakenly designated as a business significantly invested in Iran’s energy petroleum industry. Individual state resources, already spread thin, may not provide the means accurately to designate the correct companies falling under the new laws’ prohibitions. States are likely to borrow names of possible target companies from Federal CISADA actions and from one another, sometimes without independently verifying the alleged reasons for designating a company. Additionally, we have seen instances of private groups (such as human rights and anti-nuclear activists groups) distributing inaccurate lists of companies alleged to be violating CISADA.

Contracting companies may be presented with an opportunity, however, to get ahead of this trend of state sanctions in a number of ways. If a company receives notice that it is under scrutiny from one state, that company and its counsel can prepare a response that is both tailored and general;  a response that not only answers the initial notice but that can also be repeated to respond to any other notices it might receive from other states in the future. Companies may also have opportunities to communicate with the state administrators of these new laws about their application. Many of these administrators may not have extensive substantive experience with international sanctions policy;  therefore, companies and their counsel, particularly counsel with experience in international sanctions work, would be in a strong position to discuss with state officials the laws and the means of implementation.

Companies intending to contract with any state agencies need to pay close attention to the changing landscape of state-level sanctions laws and remain aware of the continuing risks and opportunities that landscape presents.

Copyright © 2011, Sheppard Mullin Richter & Hampton LLP.

 

6th Anti-Corruption and FCPA Compliance Conference Set for June 22-24, 2011 in Washington, DC

The National Law Review wants to bring your attention to the following upcoming event(s): 

Building on our past successful FCPA conference series, marcus evans invites you to attend the 6th Anti-Corruption & FCPA Compliance Conference in Washington, DC, June 22-24, 2011, co-located with the Life Sciences Strategies for Anti-Corruption and Compliance ConferenceThe event will bring together Government officials and industry leaders in FCPA, Anti-Corruption and Compliance to share best practices, strategies and tools on executing, monitoring and auditing a strong and effective anti-corruption / FCPA compliance program.

Now more than ever organizations need to pay close attention to their anti-corruption compliance programs and ensure robust internalcontrols are in place especially in countries with high corruption to ensure their business transactions are compliant with the FCPA as well as  global anti-corruption laws.

Hear From Leading FCPA Compliance and Anti-Corruption Experts Including:

Jay G. Martin, Vice President, Chief Compliance Officer, Senior Deputy General Counsel, Baker Hughes

C. David Morris, Senior Counsel International, Northrop Grumman Corporation

Melissa Chia, Executive Director, Morgan Stanley Investment Management

Debra Kuper, Vice President, General Counsel and Secretary, AGCO

Stephen Donovan, Chief Counsel, Global Compliance, International Paper Company

Why You Should Attend

1. Learn how to embrace a global anti-corruption compliance program
2. Analyze recent regulatory updates and proposals
3. Understand best practices in effective due diligence and management of third parties
4. Discover ways to monitor and disclose FCPA violations
5. Gain insights on how to tackle upcoming regulatory changes and how to best implement updated policies and procedures into your organization
6. Identify possible violations by examining recent enforcement against companies for committing corrupt practices

With a one-track focus, the 6th Anti-Corruption & FCPA Compliance Conference is a highly intensive, content-driven event that includes case studies, presentations and panel discussions over two full days. This conference targets industry leaders from a variety of top industries in order to provide an intimate atmosphere for both the delegates and speakers.

This is not a trade show; our FCPA conference series is targeted at a focused group of senior level executives to maintain an intimate atmosphere for the delegates and speakers. Since we are not a vendor driven conference, the higher level focus allows delegates to network with their industry peers.

marcus evans has requested CLE accreditation from all appropriate states. marcus evans certifies that this conference has been pre approved for CLE credits by the Pennsylvania, California and West Virginia State continuining legal education authorities and also approved for New Jersey and Colorado CLE credit via reciprocity.

 For more information on this conference or to get a complete list of speakers, sessions or past attendees, visit http://www.marcusevansch.com/NLR_FCPA.