FCPA Compliance and Ethics Blog

October 3, 2014

Hammer Films, “We Sell Hammers” and Other Famous Last Words

Hammer FilmsToday is the first of five Fridays in October so today I will begin my now annual October FrightFest blog posts. Over the past couple of years I have focused on the classic Universal horror movies from the 1930s and 40s. This year I am going to re-watch and blog about the classic Hammer Studio monster movies from the late 1950s. Hammer Films was founded in the UK in 1934 and are best known for their Gothic “Hammer Horror” films, produced from the mid-1950-70s. They also Peter Cushing and Christopher Lee, for which fans of Star Wars are eternally grateful, to the greater movie watching audience.

Another type of hammer informs today’s compliance moment, as in “We sell hammers.” That was the excuse given by Home Depot managers when their own cybersecurity department employees would try to obtain budget to update cybersecurity software or to even put on training about the dangers of a data breach. If you have attended any compliance conference this year, you have been subjected to one or more sessions on cybersecurity and/or data breaches. As if the Target fiasco from last year was not enough, the most recent massive breach comes courtesy of Home Depot. Unfortunately the Home Depot saga provides some excellent lessons for the anti-corruption compliance practitioner or a company subject to the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act.

In an article which appeared on the front page of the New York Times (NYT) entitled “Warned of Risk, Home Depot Left Data Vulnerable”, Julie Creswell and Nicole Perlroth, reported that the Home Depot data breach and theft was “The biggest data breach in retailing history” and it had “compromised 56 million of its customers credit cards.” Moreover, the “data has popped up on black markets, and, by one estimate, could be used to make $3 billion in illegal purchases.” How could such an event have happened even after the very public debacle endured by Target?

It certainly did not happen overnight but the article noted that “Industry experts were flabbergasted that Home Depot, one of the world’s largest retailing companies, was caught so flat-footed after the breach at Target, which resulted in the theft of more than 40 million cards before the holiday season.” The article reported Home Depot had been warned by its own employees of data security issues as far back as 2008. But a series of missteps, or perhaps more appropriately non-steps, led to the Home Depot’s current problems. One of the major problems was “Home Depot relied on outdated software to protect its network.” This included information that some of the company was still relying on “outdated Symantec software from 2007 and did not continuously monitor the network for unusual behavior, such as a strange server talking to its checkout registers.”

Another failure by Home Depot was in the area of ongoing monitoring. The article reported that “Credit card industry security rules require large retailers like Home Depot to conduct scans at least once per quarter, using technologies approved by the Payment Card Industry Security Standards Council, which develops technical requirements for its members’ data security programs. The P.C.I. Council requires that approved, third-party quality security assessors perform routine tests to ensure that merchants are compliant.” Unfortunately the article reported that two former employees stated “more than a dozen systems handling customer information were not assessed and were off limits to much of the security staff.” Rather unbelievably, this scanning is not only fundamental to data security but also one of the simplest and least costly. The article quoted Avivah Litan, a cybersecurity expert at Gartner, who said, “Scanning is the easiest part of compliance. There are lots of services that do this. And they can be run cheaply from the cloud.”

Yet another FUBAR by Home Depot was in the hiring for its cybersecurity team. No doubt due to his very Southern name, the company hired Ricky Joe Mitchell, a security engineer, who was swiftly promoted up to a “job in which he oversaw security systems in Home Depot stores.” The problem for Home Depot and indeed Ricky Joe was that he had been terminated from, the articled stated “he was fired by EnerVest Operating, an oil and gas company, and before he left, he disabled EnerVest’s computers for a month.” For that cute little good-bye present, he was “sentenced to four years in federal prison in April.”

The article also reported that many cybersecurity focused employees in the company had departed over the years. The reason was that it appeared no one was listening to their concerns. The company simply refused to believe that it was at risk for a data breach.

So what lessons can be drawn for the anti-corruption compliance specialist who must deal with laws such as the FCPA or UK Bribery Act? Clearly Home Depot failed to adequately assess its risks for a data breach. For the compliance practitioner, I think the lesson here is to understand not only your company’s business sales model, products and services and foreign government touch-points but to reassess those risks on a regular basis.

You should keep track of external and internal events that may cause change to business processes, policies and procedures. Some examples are new laws applicable to your business organization and internal events driving changes within a company. Such internal changes could be a company reorganization or major acquisition. This type of review appears to be similar to the Department of Justice (DOJ) advocacy of ongoing risk assessments. The FCPA Guidance specifies, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”

Ongoing monitoring is another lesson to be drawn from Home Depot’s fiasco. While ongoing monitoring in the compliance realm is not as easy or inexpensive, ongoing monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information. As in the cybersecurity world, there are both companies and software which you can use to help you in ongoing monitoring.

How about that good-ole boy Ricky Joe? Do you really want to have a head of a critical cybersecurity team who has sabotaged a prior employer? Similarly, in the compliance realm, do you want to have a top salesman or even Chief Compliance Officer (CCO) who engaged in bribery and corruption in a prior job? If the answer is yes, go directly to jail and DO NOT collect $200. What does Ricky Joe’s hiring and rapid promotion tell you about the pre-hire vetting done by Home Depot? Yes, I thought so.

I usually use sports as a mirror to look at compliance issues. Of course living in Houston, there are the sad-sack Houston Astros and their owner who are always around to provide some lessons. But the actions and inactions of Home Depot even rival those of the Astros for some lessons learned on compliance. In my title, I used the “We Sell Hammers” line and promised other famous last words. Unfortunately they come from one, un-named former Home Depot employee, who “went so far as to warn friends to use cash, rather than credit cards at the company’s store.” Famous last words indeed.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Blog at WordPress.com.