For more on drafting a successful compliance policy, see our online exclusive "Creating a compliance program."
In this time of mounting regulation and enforcement activity, the in-house bar faces the unending task of identifying and addressing its risks and its compliance needs.
2. Hacker Attacks
Sony’s PlayStation network shut down for 24 days in 2011 after hackers stole personally identifiable information for 77 million players. In 2010, a Hungarian hacker lifted financial and other confidential proprietary information from Marriott International’s computer systems and threatened to go public with it if the company didn’t give him an IT job. In June, hackers breached the user passwords of social networking site LinkedIn and the dating site eHarmony. Government- and private-sector hackers based in China have targeted myriad U.S. corporations, including Google Inc., members of the U.S. Chamber of Commerce and Nortel Networks Corp., where hackers are believed to have accessed networks for up to 10 years.
At an alarming rate, more and more companies are falling victim to computer hackers, whether they’re rogue employees, competitors, foreign nationals, good old-fashioned identity thieves stealing credit card numbers or hacktivists trying to make a statement.
4. Supply Chains
Between the Food Safety Modernization Act, the Consumer Product Safety Improvement Act, Dodd-Frank’s conflict minerals provision and California’s Transparency in Supply Chains Act, companies increasingly find themselves combing through extensive and sprawling supply chains for noncompliant or problematic links.
Regulations under the Food Safety Modernization Act are aimed at the food industry, but they promise to affect entire supply chains, says John Shapiro, a partner at Freeborn & Peters. “Although industry-specific, it’s applicable to all kinds of companies that move goods and provide services and are somewhere along that supply chain,” he says. “It changes the nature of supply relationships.”
6. Data Privacy Protection
In recent years, technological innovations such as behavioral targeting and advertising, location-based services, facial recognition and biometrics have sparked debate about data privacy among consumer groups, industry groups and regulatory agencies such as the Federal Trade Commission (FTC), Federal Communications Commission and Department of Commerce.
Data privacy legislation is expected to arrive at some point in the distant future, but in the meantime, industry guidelines and agency guidance are beginning to weigh in on what’s acceptable and what’s expected of affected companies. And the enforcement has already begun: Failures to adequately protect user data at Facebook Inc. and Google have led to FTC settlements mandating they implement privacy programs and submit to outside privacy audits for 20 years. Beyond the usual suspects—Internet companies, software companies and social networks—action on data privacy will likely have effects on the financial services industry, telecommunications companies and retailers.
10 expert tips for a successful compliance program
- One size doesn’t fit all. “There’s a tendency for companies that either aren’t publicly traded or aren’t in any particularly sensitive industry to gravitate toward an off-the-shelf compliance infrastructure,” says Jeffrey Lehtman, a partner at Richards Kibbe & Orbe. “While there may be a limited number of circumstances in which that approach is adequate, in most cases companies should strive for their compliance programs to be risk-based and narrowly tailored to fit their profile and its operations.”
- Corporate culture matters and will trickle down. “You hear ‘tone at the top,’ and it really does mean something,” says Jacqueline Wolff, a partner at Manatt, Phelps & Phillips. “If the manager of a company gives lip service to compliance, you’re going to find a company with internal control weaknesses.”
- A successfully customized compliance program complements the existing business operations. “It is kind of a folly for a compliance team to say you must conform and do your business this way, for compliance reasons, without taking into account the structure and operations that are already there in the business,” says Dana Nahlen, director of international compliance at SunGard Data Systems Inc. “If you don’t take into account the systems and processes that are already in place and are supporting the operations of the company, you are at very high risk of not having a compliance program that will be followed.”
- Audit the compliance program regularly to see if it’s working for the company. “You can have the greatest compliance program in the world in terms of procedures, policies and training, but some procedures may work well in one company and fall short in another company,” Wolff says. “The only way you’re going to find out what doesn’t work is if you’re actually testing it on a regular basis.”
- If the compliance program is not working for your company, change it. “There isn’t any ‘perfect’ compliance program,” Nahlen says. “It can always be improved and changed. It has to live—it’s never going to stay exactly the same, and it can’t be perfect.”
- Employee training is an ongoing process. “Companies should do compliance training at least on an annual basis, if not more often,” says David Perlman, a partner in the energy practice at Bracewell & Giuliani. “The expectation is that the rank and file won’t memorize everything but they’ll get sensitized to it enough so that they understand that if they see something that could be an issue, they’ll stop before they cross the Rubicon and bring the issue up with the right people.”
- Be realistic. “It doesn’t help to have very Draconian procedures that are simply not followed by personnel. You have to have things that work,” Wolff says.
- Work with what your company already has. “You may be able to find things to use that the business is already doing, and your compliance program can repurpose that for what you need,” Nahlen says. “You also will find a much more receptive response from the business team if you’re working with what you already have and tweaking what’s there instead of building from scratch.” (See “Creating a Compliance Program” on InsideCounsel.com.)
- Don’t overpromise. “If you tell the public—not to mention the government—that you are operating at a certain elevated compliance level, but in your day-to-day practices fall short of your ‘paper promises,’ you are unnecessarily putting yourself in serious legal jeopardy,” says Perkins Coie Partner Markus Funk. “Put simply, there is no reason to set your own bar so high that you can't clear it.”
- You don’t have to—and probably cannot—do it all. “Where the rubber meets the road, you have to have a program you can pay for,” Nahlen says. “Budgetary constraints are different [from company to company], but some budget constraint is always there. You can’t implement every good idea, and you don’t need to. You have to look at what your company is doing and what risks are presented by what your company is doing, both in terms of which of the compliance areas are important to your company and where you are likely to run afoul of the law.”