FCPA Compliance and Ethics Blog

June 17, 2015

Never Tick Off a Redbird

Angry RedbirdAt a Press Conference today, Satan officially announced that Hell has frozen over. He made this stunning announcement after the New York Times (NYT) reported that the baseball team with the most World Series wins in the history of the National League (NL), the St. Louis Cardinals, had hacked those paragons of virtue, enormity and the very symbol of baseball greatness, the Houston Astros, to view confidential information. The Cardinals have managed to win 5 World Series in the past 50 years; how many World Series have the Astros won? That would be a big fat nada, ZERO, none, zilch. The NL team with the most World Series wins in the past 50 years was caught hacking into the inner most secrets of one of the worst teams in that same time period. Where are Tom Brady’s deflated balls when you need them?

As reported by Michael Schmidt, in a piece entitled “Cardinals Face F.B.I. Inquiry in Hacking of Astros’ Network, Major League Baseball (MLB) asked the FBI and Department of Justice (DOJ) to investigate the hacking of the Astros “Last year, some of the information was posted anonymously online, according to an article on Deadspin. Among the details that were exposed were trade discussions that the Astros had with other teams. No doubt expecting that nefarious rogue agents of the Chinese government (or worse-the Chinese military) were seeking to wreck havoc on the game once known as ‘America’s pastime’ or “Believing that the Astros’ network had been compromised by a rogue hacker, Major League Baseball notified the F.B.I., and the authorities in Houston opened an investigation. Agents soon found that the Astros’ network had been entered from a computer at a home that some Cardinals officials had lived in. The agents then turned their attention to the team’s front office.” Oops, those darn Chinese; they are never around to blame when you need them.

So move aside New England Patriots, with your petty attempts to manipulate footballs in a championship game. Stop allowing your quarterback to dictate how he uses the tools of his trade, footballs. Do not cheat and call it getting an edge; all of this makes you look like rank amateurs next to the St. Louis Cardinals. Act like a real team and enlist your front office executives to steal information from the worst team in football. For long term pathetic-ness, you might try the Oakland Raiders or just go with the current joke of a team, the Tampa Bay Buccaneers whose No. One draft pick, and now face of the franchise, was one of the most ‘ethically challenged’ college players in recent years. If you really want great information about poor football, steal it from the Jacksonville Jaguars. Bill Belichek, you are only limited by your imagination!

As to the Cardinals, what on earth could the Astros have that they could possibly want? Take the Astros record over the past five years; it’s the worst in baseball. You want a piece of that? How about secret information on the leadership savoir fare of the Astros owner ‘Mr. I am smarter than everyone in the room because I made a $100mm in business’ Jim Crane. Why be one of the best-run sports franchises, when you can mimic the Astros? First you can tell everyone how stupid they are because they do not understand how it is in your interest to try and lose; next why you should cut off over 70% of your fan base from even watching games on television so they will not see your joke of a team play and, finally, how to sue the prior owner who sold you the team for mis-representing the quality of the assets.

But do not stop with the owner. The apparent ire of St. Louis (never under-estimate a pissed off Redbird) was directed at a former Cardinal employee who left to become the General Manager of the Astros, Jeff Luhnow. Apparently the Cardinals were upset that the baseball knowledge in Luhnow’s head was now being used by the Astros. (Did I mention the Astros had baseball’s worst record for the past 5 years?) Of course, perhaps the Cardinals could learn how make an offer to the top draft pick in the annual amateur draft and then withdraw the offer so they could make a lower one, thereby losing two top draft picks. That certainly was a brilliant move by the Astros that you would want to use going forward.

The Cardinals action brings up one of the greatest areas of corporate angst; when a business gets its feelings hurt. Heaven forbid. No doubt having recently seen a recent late night showing of the movie Animal House the Cardinals decided not to get mad; they decided to get even. So with this newfound information gleaned from the Astros, it now clear how the Cardinals have been so successful. Not simply being content to cheat, they broke the law to hack into the confidential information of another baseball team to learn that other team’s secret. Now I know why the Astros have been so bad over the years; they had all their confidential information sucked out of their organization by the evil Cardinals. So that giant sucking sound you hear from south Texas is not American jobs going to Mexico because of NAFTA but all the confidential information being sucked out of the Houston Astros.

What are the lessons for a Chief Compliance Officer (CCO) or compliance practitioner? One lesson is it points to the myriad of reasons that companies and individuals engage in bribery and corruption. It is laughable to think that the St. Louis Cardinals, one of the best-run franchises’ in all of sports (or so we thought); could learn anything from the idiots who run the Astros. Yet here we are; out of spite, vindictiveness or just plain old malevolence, front office executives of the Cardinals engaged in conduct that has drawn the scrutiny of the FBI and DOJ. This points to other motivations than fidelity to monetary gain as a reason for bribery and corruption.

Also, cybersecurity is a compliance concern. What protocols to you have in place to protect your data? How will you respond to a breach? What happens if another member of the cartel your business is in engages in criminal activity against you? Will you demand that they are kicked out of the cartel?

I think it also points up how actually Doing Compliance differs from having a paper compliance program in place. Whether you use the McNulty’s Maxims formulations (What did you do to prevent? What did you do to detect it? What did you do after you found out about it?) or the FCPA Guidance formulation that a best practices compliance program should prevent, detect and remedy violations. I am relatively certain the St. Louis Cardinals had a policy against breaking the law by hacking into the database of another baseball team. With equal certainty, I am sure the Cardinals had no program to prevent or detect such illegal conduct for if they did, it would certainly appear they conveniently looked the other way.

Finally, American businesses need to wise up. Stop all the whining, moaning and complaining about data breaches from Chinese/Russian/Bulgarian/the Galactic Empire/the Borg/(name your Evil Empire); you are most at risk from other US companies. For if the best team in the history of the NL will break the law to steal the trade secrets and confidential information of one of the worst teams, is anyone safe? Further, what are the chances that the Cardinals have been trying to steal trade secrets from winning teams? That would be a number way too high for me to even imagine. Quit crying to Congress that it is unfair for you to be required to protect your own data or that it would cost you money or jobs; secure your data now.

Now for a free tip from my consulting company, Advanced Compliance Solutions-if you have super-secret confidential information, make sure it password protected. But more than simply password protected, change you password every 90 days. That is a good first step in case the St. Louis Cardinals come hacking your company.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2015

October 3, 2014

Hammer Films, “We Sell Hammers” and Other Famous Last Words

Hammer FilmsToday is the first of five Fridays in October so today I will begin my now annual October FrightFest blog posts. Over the past couple of years I have focused on the classic Universal horror movies from the 1930s and 40s. This year I am going to re-watch and blog about the classic Hammer Studio monster movies from the late 1950s. Hammer Films was founded in the UK in 1934 and are best known for their Gothic “Hammer Horror” films, produced from the mid-1950-70s. They also Peter Cushing and Christopher Lee, for which fans of Star Wars are eternally grateful, to the greater movie watching audience.

Another type of hammer informs today’s compliance moment, as in “We sell hammers.” That was the excuse given by Home Depot managers when their own cybersecurity department employees would try to obtain budget to update cybersecurity software or to even put on training about the dangers of a data breach. If you have attended any compliance conference this year, you have been subjected to one or more sessions on cybersecurity and/or data breaches. As if the Target fiasco from last year was not enough, the most recent massive breach comes courtesy of Home Depot. Unfortunately the Home Depot saga provides some excellent lessons for the anti-corruption compliance practitioner or a company subject to the Foreign Corrupt Practices Act (FCPA) or UK Bribery Act.

In an article which appeared on the front page of the New York Times (NYT) entitled “Warned of Risk, Home Depot Left Data Vulnerable”, Julie Creswell and Nicole Perlroth, reported that the Home Depot data breach and theft was “The biggest data breach in retailing history” and it had “compromised 56 million of its customers credit cards.” Moreover, the “data has popped up on black markets, and, by one estimate, could be used to make $3 billion in illegal purchases.” How could such an event have happened even after the very public debacle endured by Target?

It certainly did not happen overnight but the article noted that “Industry experts were flabbergasted that Home Depot, one of the world’s largest retailing companies, was caught so flat-footed after the breach at Target, which resulted in the theft of more than 40 million cards before the holiday season.” The article reported Home Depot had been warned by its own employees of data security issues as far back as 2008. But a series of missteps, or perhaps more appropriately non-steps, led to the Home Depot’s current problems. One of the major problems was “Home Depot relied on outdated software to protect its network.” This included information that some of the company was still relying on “outdated Symantec software from 2007 and did not continuously monitor the network for unusual behavior, such as a strange server talking to its checkout registers.”

Another failure by Home Depot was in the area of ongoing monitoring. The article reported that “Credit card industry security rules require large retailers like Home Depot to conduct scans at least once per quarter, using technologies approved by the Payment Card Industry Security Standards Council, which develops technical requirements for its members’ data security programs. The P.C.I. Council requires that approved, third-party quality security assessors perform routine tests to ensure that merchants are compliant.” Unfortunately the article reported that two former employees stated “more than a dozen systems handling customer information were not assessed and were off limits to much of the security staff.” Rather unbelievably, this scanning is not only fundamental to data security but also one of the simplest and least costly. The article quoted Avivah Litan, a cybersecurity expert at Gartner, who said, “Scanning is the easiest part of compliance. There are lots of services that do this. And they can be run cheaply from the cloud.”

Yet another FUBAR by Home Depot was in the hiring for its cybersecurity team. No doubt due to his very Southern name, the company hired Ricky Joe Mitchell, a security engineer, who was swiftly promoted up to a “job in which he oversaw security systems in Home Depot stores.” The problem for Home Depot and indeed Ricky Joe was that he had been terminated from, the articled stated “he was fired by EnerVest Operating, an oil and gas company, and before he left, he disabled EnerVest’s computers for a month.” For that cute little good-bye present, he was “sentenced to four years in federal prison in April.”

The article also reported that many cybersecurity focused employees in the company had departed over the years. The reason was that it appeared no one was listening to their concerns. The company simply refused to believe that it was at risk for a data breach.

So what lessons can be drawn for the anti-corruption compliance specialist who must deal with laws such as the FCPA or UK Bribery Act? Clearly Home Depot failed to adequately assess its risks for a data breach. For the compliance practitioner, I think the lesson here is to understand not only your company’s business sales model, products and services and foreign government touch-points but to reassess those risks on a regular basis.

You should keep track of external and internal events that may cause change to business processes, policies and procedures. Some examples are new laws applicable to your business organization and internal events driving changes within a company. Such internal changes could be a company reorganization or major acquisition. This type of review appears to be similar to the Department of Justice (DOJ) advocacy of ongoing risk assessments. The FCPA Guidance specifies, “a good compliance program should constantly evolve. A company’s business changes over time, as do the environments in which it operates, the nature of its customers, the laws that govern its actions, and the standards of its industry. In addition, compliance programs that do not just exist on paper but are followed in practice will inevitably uncover compliance weaknesses and require enhancements. Consequently, DOJ and SEC evaluate whether companies regularly review and improve their compliance programs and not allow them to become stale.”

Ongoing monitoring is another lesson to be drawn from Home Depot’s fiasco. While ongoing monitoring in the compliance realm is not as easy or inexpensive, ongoing monitoring is a commitment to reviewing and detecting compliance variances in real time and then reacting quickly to remediate them. A primary goal of monitoring is to identify and address gaps in your program on a regular and consistent basis across a wide spectrum of data and information. As in the cybersecurity world, there are both companies and software which you can use to help you in ongoing monitoring.

How about that good-ole boy Ricky Joe? Do you really want to have a head of a critical cybersecurity team who has sabotaged a prior employer? Similarly, in the compliance realm, do you want to have a top salesman or even Chief Compliance Officer (CCO) who engaged in bribery and corruption in a prior job? If the answer is yes, go directly to jail and DO NOT collect $200. What does Ricky Joe’s hiring and rapid promotion tell you about the pre-hire vetting done by Home Depot? Yes, I thought so.

I usually use sports as a mirror to look at compliance issues. Of course living in Houston, there are the sad-sack Houston Astros and their owner who are always around to provide some lessons. But the actions and inactions of Home Depot even rival those of the Astros for some lessons learned on compliance. In my title, I used the “We Sell Hammers” line and promised other famous last words. Unfortunately they come from one, un-named former Home Depot employee, who “went so far as to warn friends to use cash, rather than credit cards at the company’s store.” Famous last words indeed.

This publication contains general information only and is based on the experiences and research of the author. The author is not, by means of this publication, rendering business, legal advice, or other professional advice or services. This publication is not a substitute for such legal advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified legal advisor. The author, his affiliates, and related entities shall not be responsible for any loss sustained by any person or entity that relies on this publication. The Author gives his permission to link, post, distribute, or reference this article for any lawful purpose, provided attribution is made to the author. The author can be reached at tfox@tfoxlaw.com.

© Thomas R. Fox, 2014

Blog at WordPress.com.