GRC: Governance (Part 2).

October 29, 2012

This is the second in a 4-part series on devising a structure to address that ever-expanding and increasingly complex (and crowded) intersection of Governance, Risk, and Compliance (GRC).  This is the new paradigm for compliance programs in modern business, but one should always bear in mind that any Compliance Program should be structured with due consideration for the Scope (range of products and/or services offered), Size (number of employees), and Span (geographic spread, and number and range of legal regimes to which it is subject) regarding the entity; including any and all subsidiaries and any cross-national requirements.

Progress so far: Where did we start?

The corporate compliance function can be defined as “those persons, processes, and protocols whether active or automated, that are employed and deployed by the subject entity to ensure on a continuing basis that governing laws are adhered to, governance is responsible and responsive, risks are contained within acceptable parameters, and that failings on any or all of these priorities, are speedily and sufficiently addressed in accordance with applicable laws, whether general, or case- or situation-specific”.

We started with a quick review of the essential requirements of an effective corporate compliance and ethics program as devised for the Canadian and U.S. federal jurisdictions, respectively.  We also looked at some of the similarities and differences between these two regimes, and some of the factors and related laws that impact upon ethics in general, and upon corporate compliance functions in particular.  The next step is to draw many disparate elements together, and start to create an operational framework.

Setting Framework Parameters.

Conceptually, the contemplated framework resembles a chart or matrix.  On the X-axis (running horizontally), there are 3 (“three”) category columns; running from left to right as “Corporate Governance” (Governance), “All-hazards Risk” (Risk); and “Regulatory Compliance” (Compliance).  On the Y-axis (running vertically), there are 7 (“seven”) main category rows and 2 (“two”) reserved category rows which will be identified later.  Those 7 main categories, as read from the top, downwards, are: Regulatory, Environmental, Accounting/Audit, Lessons Learned, Internal/Institutional, Structural/Systemic, and Technical/Tactical.[1]

A third “F-I-X-E-D” or “depth” dimension, accounts for entity scope, size, and span by focusing on “Function” (Human Resources, purchasing, distribution, accounting and audit, and reporting); “Industry” (some of the most closely regulated being food processing, manufacturing, healthcare, energy, natural resources, refining or distilling, construction, chemical manufacturing, information technology, automotive, and transportation); “X-national” aspects (per governing jurisdiction, including states and territories within nations, and multilateral treaties and accords); “Employees” by class (full-time, part-time, contract, line or staff, and officers and directors); and “Divisional” (per business line, sub-entity, product, or service in both centralized and decentralized organizations).  This GRC series includes selections from the F-I-X-E-D, but in no particularized order.

Governance.

The current installment will focus on the “Governance” category column.  Here, we speak of governing laws being adhered to, and of governance as both responsible and responsive.

Regulatory:

Every business entity has one or more laws with which it must comply when forming, whether this is a corporation, a partnership, or a sole proprietorship.  This may include qualifications for and residence of directors, the minimum number of directors, which types of business conduct may or may not be engaged in through a partnership, restrictions on the limitation of liability, and mandatory insurance requirements.  Certain specialized professions may also have mandatory training, licensing, and certification requirements, and certain regulated industries will include detailed regulations for the construction, installation, deconstruction, maintenance, repair, and upgrade or modification of assorted installations and equipment.  Health and safety regulations may also come into play, whether at the formation stage or later with the going concern.  It is always best to: (i) have knowledgeable advice and counsel on which of these laws and regulations are applicable; (ii) secure and assign certified and insured professionals to perform the work; and (iii) assign the compliance function to a senior officer of the entity as early into operations as possible; if not at or even prior to formation, as a matter of good governance best practices.  The compliance officer should be sufficiently independent of day-to-day management and have adequate authority and resources to fulfill his or her role, as well as access to the Board and a mandatory responsibility to make periodic reports to the Board.

Environmental:

The environment is an increasingly critical area of concern in terms of government regulation and corporate governance.  Canadian businesses doing business entirely within Canada must contend with applicable provincial laws, and the authority of the 5 (“five”) federal departments with responsibility for environmental issues (Environment Canada, Agriculture and Agri-Food Canada, Fisheries and Oceans Canada, Health Canada, and Natural Resources Canada), that not only regulate, but also “collaborate on research, share success stories, and disseminate information”.[2]  In addition, those entities that handle (or have their employees handle) hazardous substances must abide by the national Workplace Hazardous Materials Information System (WHMIS).[3]  In the United States, state laws and state regulators (sometimes titled Departments of Environmental Protection) supplement the work of the primary federal regulators (Environmental Protection Agency and Food and Drug Administration), and the principal federal laws (Clean Air Act, Clean Water Act, and Environmental Protection Act).  Canadian or American businesses operating in or to the European Union must also comply with REACH,[4] ROHS,[5] and WEEE.[6]  Along with a rising concern over carbon capture, carbon trading, and Greenhouse Gas (GHG) emissions (which prompted the EU inclusion of air transportation emissions in its emissions trading scheme),[7] entities operating on a global basis, such as those in aviation, shipping, electronics, and natural resources, must also consider the applicability of the Basel Convention on the Control of Transboundary Movements of Hazardous Wastes and their Disposal.[8]  It is important to be properly advised in this area, to avoid costly missteps, fines, and potentially severe reputational damage.

Accounting/Audit:

With regard to expenditures, expense budgets, and projects, it is good governance practice to have detailed procedures for approval, review, reconciliation, query, and follow-up.  There should be strict Separation of Duties (SOD) between approval and audit, and individual and departmental spending and budgetary approval limits should be known and strictly followed.  On the audit side, the independence of auditors should be assured, and conflicts of interest (real or potential) must be completely avoided.  Accounting, oversight, and audit failures have been implicated as far back as the savings and loan crisis; through the Enron, Arthur Andersen, WorldCom, Global Crossing, and Tyco International GRC failures (as listed here in no particular order); and now in the Madoff and Lehman Brothers debacles, the recent U.S. housing crisis, and the current and lingering global financial crisis and economic downturn.

Lessons Learned:

Policies, policies, and more policies!  The entity must create, document, and distribute amongst its staff (with signed acknowledgements of receipt and understanding) internal policies on best and advisable practices, and employee and director charters and codes of conduct and ethics, as and where applicable.  These must be shared with appropriate personnel on a need-to-know basis, and regularly audited, stress-tested, compared with those of industry peers as and when available, and updated as advisable, all on an ongoing basis.  Incident reports should be kept and detailed after-action assessments made, in order that the entity can learn from past experiences, whether mistakes, or home runs, or something in between; and whether its own or those of another more fortunate or less fortunate peer.  Contractual counterparties will at times try to shift the risks, costs, or responsibilities for certain GRC talking-points.  However, these terms are better negotiated than accepted “as is”, for the costs of compliance and the consequences of failure can be high.

Internal/Institutional:

Other governance best practices include having specified and written roles for all directors and officers, as well as detailed job descriptions for employees.  Reporting and communication lines should be clear, and decision-making at the highest levels should be backed by a paper trail with reasons; done by committee with regard to the Board of Directors; and done personally on appropriate advice or direction with regard to senior leadership and middle management, respectively.  Due care and diligence should always be taken in assigning work, staff, and functions, as well as in giving supervisors and subordinates the powers to do the same (authority, administrative, accreditation and assignment delegations).

Structural/Systemic:

It is always a good idea to join an industry or trade group, or another association appropriate to the entity’s main line or lines of work or business.  This helps with timely updates on critical legislation (both as enacted, and pending or under consideration and debate), occasional lobbying efforts, and pertinent suggested best practices.  There is no need to create the wheel anew if someone else has already made one that works, and that can be tweaked for a better fit.  In the field of IT, for example, myriad standards exist, such as Control Objectives for Information and Related Technologies (COBIT), several recommended protocols from the International Standards Organization (ISO), and the Information Technology Infrastructure Library (ITIL).  Major Enterprise Risk Management challenges (to avoid damaging consumer consequences) persist in ensuring that SSL and other credentialing certificates remain valid, proprietary, and up to date,[9] and otherwise compliant with applicable and fast-developing laws.[10]  Furthermore, evolving technology and litigation preservation and production requirements have ushered in additional protocols such as the Sedona Canada e-Discovery Principles,[11] and the Patent Litigation e-Discovery “Model Order” announced by the Federal Circuit Appellate Chief Judge, the Honorable Randall R. Rader.[12]

Technical/Tactical:

Engagement/Employment Agreements that detail the rights and responsibilities of both sides are also advisable best practices to the extent practicable; for both full- and part-time employees, and contractors.  In the current economic environment, shorter-term engagements with fewer strictures and formalities may be the preferred norm, but insurers favour a clearer demonstration of good governance, of which these agreements are a prime example.  Detailed procedures should also be in place to govern company assets (securing facilities, fleets, IT infrastructure, and personnel), as well as the company’s reputation and intellectual property.  Two measures available to better secure the latter (reputation and intellectual property) are institutionalized training on countering social engineering, and strictly enforced social media usage policies for both intranets (including email and texting) and the internet (blogs, apps, networking, and tweets) in general.

Summary.

Effective internal governance of the entity, and identifying the applicable laws and regulations to include in a compliance program when considering multiple functions, operating units, divisions, and jurisdictions, are no easy tasks.  Governance offers myriad challenges to, and opportunities for, getting things right.  In the next installment, we will consider “Risk” category column items, as they intersect with points in the 7 category rows and selected “depth” elements.

******************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, and Cloud & Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling in both Canada and the United States).  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  See: http://www.ogalaws.com

An avid writer, blogger, and reader, Mr. George is a published author in Environmental Law and Policy (National Security aspects).

Mr. George is also an experienced strategic and management consultant; sourcing, managing, and delivering on large, high stakes, strategic projects with multiple stakeholders, multidisciplinary teams, and budgets of note.  See: http://www.simprime-ca.com

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] A number of options exist for establishing a compliance analytical framework, such as that of the Committee of Sponsoring Organizations of the Treadway Commission (COSO), which specifies 5 (“five”) main focal points: Control Environment, Risk Assessment, Control Activities, Information and Communication, and Monitoring Activities.  Additional considerations are the Limitations of Internal Control, and Roles and responsibilities, which appear to be an honest acceptance of the limitations of that framework and an attempt to address same.  However, as our above 3x5x7 matrix allows for more flexibility, we have foregone the COSO option per se, although the framework’s multidimensional nature must invariably persist.  See Committee of Sponsoring Organizations of the Treadway Commission (COSO).  Internal Control – Integrated Framework.  Published in December, 2011.  Online: >http://www.coso.org/documents/coso_framework_body_v6.pdf<

[2] Environment Canada.  Our Key Partners: Other Federal Departments.  Online: >http://www.ec.gc.ca/default.asp?lang=En&n=BD3CE17D-1<

[3] Health Canada.  Workplace Hazardous Materials Information System: Official National Site.  Online: >http://www.hc-sc.gc.ca/ewh-semt/occup-travail/whmis-simdut/index-eng.php<

[4] European Commission.  Regulation No 1907/2006 of the European Parliament and of the Council of 18 December 2006 concerning the Registration, Evaluation, Authorisation and Restriction of Chemicals (REACH), establishing a European Chemicals Agency, amending Directive 1999/45/EC and repealing Council Regulation (EEC) No 793/93 and Commission Regulation (EC) No 1488/94 as well as Council Directive 76/769/EEC and Commission Directives 91/155/EEC, 93/67/EEC, 93/105/EC and 2000/21/EC EC 1907/2006, on the Registration, Evaluation, Authorization and Restriction of Chemical substances (“EU REACH Directive”).  Online: >http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:396:0001:0849:EN:PDF<

[5] European Commission.  Directive 2002/95/EC of the European Parliament and of the Council of 27 January 2003 on the restriction of the use of certain hazardous substances in electrical and electronic equipment (“EU ROHS I”).  Online: >http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2003:037:0019:0023:en:PDF<

See also European Commission.  Directive 2011/65/EU of the European Parliament and of the Council of June 8, 2011 on the restriction of the use of certain hazardous substances in electrical and electronic equipment (“EU ROHS II”).  Online: >http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2011:174:0088:0110:en:PDF<

[6] European Commission.  Directive 2012/19/EU of the European Parliament and of the Council of 4 July 2012 on waste electrical and electronic equipment (“EU WEEE Directive”).  Online: >http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2012:197:0038:0071:en:PDF<

[7] European Commission.  Directive 2008/101/EC of the European Parliament and of the Council of 19 November 2008 amending Directive 2003/87/EC so as to include aviation activities in the scheme for greenhouse gas emission allowance trading within the Community (“EU Aviation Emissions Directive”).  Online: >http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:008:0003:0021:EN:PDF<

[8] Basel Action Network (BAN).  Basel Convention on the Control of Transboundary Movements of hazardous Wastes and their Disposal, as adopted by the Conference of the Plenipotentiaries on 22 March, 1989.  Online: >http://ban.org/about_basel_conv/baseleng.pdf<

[9] John P. Mello Jr.  How to protect yourself from certificate bandits.  PC World.  Published on Computerworld UK, 12 September, 2011.  Online: >http://www.computerworlduk.com/how-to/security/3302886/how-to-protect-yourself-from-certificate-bandits/<

[10] The European Union Data Protection Directive (95/46/EC), for example, which incorporated the 7 OECD model personal data privacy principles, has further led, inter alia, to Directive 2002/58/EC (the so-called “Cookie Directive”, as amended).  EU member states were of course obliged to implement national laws compliant with same, and the United States, which has passed a number of privacy-impacting laws and regulations since that time, still has no blanket (outside limited Commerce/FTC options) data privacy protection reciprocity agreement with the EU.  Canada, however, does (the Canada-EU PIPEDA Safe Harbour).  Entities planning to operate in the EU, or that know or suspect that they will regularly handle the personal information of EU citizens, should seek advice regarding the potential impact of prevailing laws on their privacy practices, general operations, and GRC duties.

See European Commission.  Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“EU Data Protection Directive”).  Online: >http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:1995L0046:20031120:EN:PDF<

See also European Commission.  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“EU Cookie Directive”).  Online: >http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CONSLEG:2002L0058:20091219:EN:PDF<

See also European Commission.  Data protection: Commission recognises adequacy of Canadian regime.  Brussels press release of 14 January, 2010 (“EU-PIPEDA Safe Harbour”).  Online: >http://europa.eu/rapid/press-release_IP-02-46_en.htm?locale=en<

[11] Sedona Canada, Working Group 7 (WG7).  The Sedona Canada Principles: Addressing Electronic Discovery.  A Project of the Sedona Conference, Working Group Series.  January, 2008.  Online: >http://www.lexum.com/e-discovery/documents/SedonaCanadaPrinciples01-08.pdf<

[12] Chief Judge Randall R. Rader, United States Court of Appeals for the Federal Circuit.  The State of Patent Litigation (with Model e-Discovery Order appended); as delivered at a September 27, 2011 speech to the E.D. Texas Judicial Conference.  The Model Order had been drafted and approved by the E-Discovery Committee of the Federal Circuit Advisory Council.  Online: >http://www.catalystsecure.com/blog/wp-content/uploads/2011/10/Rader-The-State-of-Patent-Litigation.pdf<


GRC: An Overview (Part 1).

October 21, 2012

This is the first in a 4-part series on devising a structure to address that ever-expanding and increasingly complex (and crowded) intersection of Governance, Risk, and Compliance (GRC).  This is the new paradigm for compliance programs in modern business, but one should always bear in mind that any Compliance Program should be structured with due consideration for the Scope (range of products and/or services offered), Size (number of employees), and Span (geographic spread, and number and range of legal regimes to which it is subject) regarding the entity; including any and all subsidiaries and any cross-national requirements.

Compliance, generally: Where to start?

The corporate compliance function can be defined as “those persons, processes, and protocols whether active or automated, that are employed and deployed by the subject entity to ensure on a continuing basis that governing laws are adhered to, governance is responsible and responsive, risks are contained within acceptable parameters, and that failings on any or all of these priorities, are speedily and sufficiently addressed in accordance with applicable laws, whether general, or case- or situation-specific”.

Admittedly, this is a very broad order and it can stand as a daunting obstacle to many small and mid-sized businesses that only see a rising stream of (in their eyes avoidable) costs between them and their devising, implementing, and sustaining an effective compliance program.  Fortunately, that is a misconception, as there are ways to achieve same without excessive expense.  First, one should start with the immediate jurisdiction of organization, and any specific guidance on devising and applying effective compliance programs.

Canada:

Canada is a federal state, meaning that competent authority over specific areas of law, including the organization and regulation of business entities, is shared between the central government (Canada) and its federating units, being the provinces and territories.  Most business entities will have the option of initially organizing or forming, either within a province or territory, or federally.  Provincial organization generally requires additional filings and fees for each one of the other Canadian jurisdictions within which it intends to operate.  These costs can rise rather fast, and so federal organization – which may still necessitate additional authorizations, with certain exceptions – is another option.

Concentrating then on the federal level, through which a number of nationally applicable laws are enacted and enforced, it is noteworthy that the Competition Bureau of Canada states that a corporate compliance program is not mandatory,[1] but nevertheless provides the critical elements that such a program, if devised and implemented by a Canadian business and potentially supporting any “due diligence defence”,[2] should include.[3]  Furthermore, changes in the Criminal Code of Canada made within the last decade now provide for corporate criminal liability when directing the work of others,[4] including for death or serious injury by way of negligence.[5]  Amongst the penalties that a court may impose on a business entity are the mandatory creation and use of a corporate compliance program,[6] and one of the sentencing considerations the court may weigh is the steps taken by the entity to ensure that the conduct is not repeated; in other words, strengthening (if already existing) or implementing (if not) a corporate compliance program.[7]  Hence, just like an “optional” insurance policy, it’s “really” not a bad idea to have!

Those 5 (“five”) elements of an effective corporate compliance program, as revised and contained in a bulletin of September 27, 2010 (having been originally issued in 1997, revised in 2006, and subjected to further public consultations in 2008),[8] are:

1. “Senior Management involvement and support;
2. Corporate Compliance policies and procedures;
3. Training and education;
4. Monitoring, auditing and reporting mechanisms;
5. Consistent disciplinary procedures and incentives”.

Additional details are then provided within the Bulletin under each one of these headings.

United States of America:

The United States of America also divides areas of legislative competence between the states and the central government, in accordance with the Constitution.  With a similar division of criminal enforcement authority between the states and the central government, the best place to start is with the United States Sentencing Commission (“Sentencing Commission”), which provides nationally-applicable guidelines for the sentencing of both individuals and organizations with regard to serious crimes and breaches of federal law;[9] with one chapter solely dedicated to the sentencing of organizations, and the provision of “key criteria” for establishing an “effective compliance program”.[10]

An overview provided by the Sentencing Commission, itself,[11] succinctly presents the 7 (“seven”) elements of an effective compliance program.  These are:

1. “Compliance standards and procedures reasonably capable of reducing the prospect of criminal activity;
2. Oversight by high-level personnel;
3. Due Care in delegating substantial discretionary authority;
4. Effective communication to all levels of employees;
5. Reasonable steps to achieve compliance, which include systems for monitoring, auditing, and reporting suspected wrongdoing without fear of reprisal;
6. Consistent enforcement of compliance standards including disciplinary mechanisms;
7. Reasonable steps to respond to and prevent further similar offenses upon detection of a violation”.

Additional details are then provided within the body of Chapter 8 of the Sentencing Guidelines,[12] under each one of these headings.  Originally effective on November 1, 1991, the organizational sentencing guidelines apply to “corporations, partnerships, labor unions, pension funds, trusts, non-profit entities, and governmental units;”[13] and data collected over the years of their application shows that the most common organizational infractions for which such organizational sentencing has ensued are: (i) fraud; (ii) environmental waste discharge; (iii) tax offenses; (iv) antitrust offenses; and (v) food and drug violations (listed in descending order of occurrence).[14]

As the foregoing shows, Canada and the United States[15] do appear to have major similarities in their approaches to corporate compliance programs, and one would likely not be far amiss in surmising the same for common organizational infractions.  However, additional areas of concern in light of advancing globalization and technology now include privacy breaches[16], and cybersecurity.[17]

Compliance, specifically: How to move forwards?

Now that the compliance function has been outlined in brief, with critical elements identified, one can move forwards and start to devise a structure for appropriately addressing governance, risk, and compliance (GRC) in the corporate context.  The following 3 (“three”) articles in this series will put together a matrix of suggested issues and addressable items to be considered in a competent GRC program.

***********************************************************************



[1] Competition Bureau of Canada.  Corporate Compliance Programs, at Preface.  Released on September 27, 2010 to replace the Bulletin: Corporate Compliance Programs, as released on September 10, 2008.  Online: >http://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/vwapj/CorporateCompliancePrograms-sept-2010-e.pdf/$FILE/CorporateCompliancePrograms-sept-2010-e.pdf<

[2] Id., at page 16.

“5.2.4 Due Diligence Defence.

For certain false or misleading representations and deceptive marketing practices provisions under the Competition Act and certain provisions of the Consumer Packaging and Labelling Act, the Textile Labelling Act and the Precious Metals Marking Act, a company may argue that it had exercised due diligence to prevent the conduct.”

“Although the pre-existence of a program is not, in and of itself, a defence to allegations of wrongdoing under any of the Acts, a credible and effective program may enable a business to demonstrate that it took reasonable steps to avoid contravening the law. In this regard, such a program may support a claim of due diligence. Documented evidence of corporate compliance will assist a company in advancing a defence of due diligence, where available.”

[3] The Competition Bureau of Canada administers the Competition Act, R.S.C., 1985, c. C-34; the Consumer Packaging and Labelling Act, R.S.C., 1985, c. C-38; the Textile Labelling Act, R.S.C., 1985, c. T-10; and the Precious Metals Marking Act, R.S.C., 1985, c. P-19 as the competent national authority.  However, a Canadian Corporate Compliance Program meeting the given standard could, doubtless, be adopted and applied by entities not directly subject to any or all of these 4 (“four”) competition-specific Acts.

[4] See Criminal Code, R.S.C., 1985, c. C-46.  §217.1 Duty of persons directing work.

“Every one who undertakes, or has the authority, to direct how another person does work or performs a task is under a legal duty to take reasonable steps to prevent bodily harm to that person, or any other person, arising from that work or task”.  Online: >http://laws-lois.justice.gc.ca/eng/acts/C-46/index.html<

[5] Id.  §22.1 Offences of Negligence – organizations; §22.2 Other Offences – organizations.

[6] Supra note 4.  §732.1 (3.1) Optional conditions – organization.

[7] Id. §718.21 Sentencing Organizations.

“A court that imposes a sentence on an organization shall also take into consideration the following factors: (…)

(j) any measures that the organization has taken to reduce the likelihood of it committing a subsequent offence”.

[8] Competition Bureau Canada.  Competition Bureau Revises Two Bulletins to Reflect Amendments to the Competition Act.  Announcements, September 27, 2010.  Online: >http://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/eng/03292.html<

[9] United States Sentencing Commission.  2011 Federal Sentencing Guidelines Manual, as effective November 1, 2011.  Online:  >http://www.ussc.gov/Guidelines/2011_Guidelines/index.cfm<

[10] Id.  Chapter 8 – Sentencing of Organizations.  Online: >http://www.ussc.gov/Guidelines/Organizational_Guidelines/guidelines_chapter_8.htm<

[11] Supra note 9.  Paula Desio, Deputy General Counsel, United States Sentencing Commission.  An Overview of the Organizational Guidelines.  Online:  >http://www.ussc.gov/Guidelines/Organizational_Guidelines/ORGOVERVIEW.pdf<

[12] See supra note 10.

[13] Supra note 11.

[14] Id.

[15] On a stylistic and grammatical note, the United States and Canada spell things differently, which I have accommodated in this series by using preferred forms of each jurisdiction where severable content is identifiable.

[16] See Sara Schmidt.  Federal government privacy breaches hit record number last year: Report.  PostMedia News, published November 17, 2011.  Online:  >http://news.nationalpost.com/2011/11/17/federal-government-privacy-breaches-hit-record-number-last-year-report/<

“The federal government reported a record number of breaches of personal information to Canada’s privacy watchdog last year, new statistics show.”

“Sixty-four breaches in 2010-11, up from 38 the previous year and more than double the 27 breaches reported in 2004-05, are itemized in Privacy Commissioner Jennifer Stoddart’s annual report tabled Thursday in the House of Commons.”

See also Heather Ormerod.  When using technology to safeguard personal information, sometimes small steps can prevent a big loss.  Office of the Privacy Commissioner of Canada.  Published on May 10, 2012.  Online: >http://blog.privcom.gc.ca/index.php/2012/05/10/when-using-technology-to-safeguard-personal-information-sometimes-small-steps-can-prevent-a-big-loss/<

“An Office of the Privacy Commissioner of Canada (OPC) survey of 1,006 companies across Canada shows that many businesses are not employing recommended technological tools or practices to protect the digitally-stored personal information of their customers”.

See also United States Department of Health and Human Services: Health Information Privacy.  As required under federal law (HIPAA, HITECH, Breach Notification Rule), the Department maintains an online, publicly-accessible, searchable catalogue of health record data breaches affecting 500 or more individuals.  As one can plainly see, the incidence and breadth of these breaches in the field of healthcare, alone, is really quite astounding.

Online: >http://www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/postedbreaches.html<

[17] See Division of Corporation Finance, United States Securities and Exchange Commission: CF Disclosure Guidance Topic No. 2 – Cybersecurity.  On October 13, 2011, the United States Securities and Exchange Commission (SEC), opined on the disclosure of both cybersecurity risk and actual cyber incidents for public issuers; but it stopped short of mandating disclosure in all cases.  Online:  >http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm<

See also Public Safety Canada.  On October 17, 2012, the Government of Canada announced that it was investing an additional $155 million in cybersecurity.  2012-10-17: Backgrounder: Investing in Cybersecurity.  Online: >http://www.publicsafety.gc.ca/media/nr/2012/nr20121017-1-eng.aspx<

What about hospital BYOD?

October 7, 2012

WOW!

I was just leafing through the Ottawa Citizen of Saturday, October 6, 2012, and I came across an article on rising BYOD at the Children’s Hospital of Eastern Ontario (CHEO).[1]

WHAT?

BYOD, literally means “bring your own device”, and refers to the growing practice of employers allowing employees to bring their own mobile devices into the workplace (smart phones, tablets, laptops), in order that they may access proprietary and work-related information on those platforms with which they are already quite comfortable.

WHY?

Some of the advantages of BYOD identified in that article, include: (i) cashflow savings (not having to buy and replace devices for employees on an employer’s own tab, whether with operating funds or debt); (ii) currency (allowing employees to transport and deploy what is likely the most cutting-edge technology); (iii) speed and efficiency (permitting staffers to quickly access “more timely and accurate information” almost anywhere, as hosted on proprietary servers or those of cloud service providers/vendors);[2] and (iv) good environmental stewardship (cutting down on the use of paper, and copying costs, through the increasing use of EHR, or electronic health records).[3]

WHOA!

Doubtless, CHEO is already very-well advised on these and related matters.  However, in the race for similar BYOD gains by others,[4] let us try not to forget the clear potential for pains and strains; on which I have blogged at some length.[5]  There are 4 (“four”) main keys to creating and implementing a BYOD/Cybersecurity Policy to guard against these, and employers hoping to exploit the gains of BYOD are well advised to have legal counsel – preferably counsel who are also familiar with the laws outside Canada, due to the global nature of the internet and Cybercrime – assist them in devising an appropriate framework within which BYOD can thrive, responsibly.  These keys follow, in brief.

Systemic Security:

Stringent efforts must be made to secure access to the information accessible on or through these many mobile devices.  The employer’s I.T. staff (or specialized contractors) also need to remain busy and vigilant in ensuring that no malicious code is present on these devices, or is introduced into the system by means of these devices.  This, of course, will require copious amounts of training and retraining on countering social engineering techniques, on safe browsing outside the workplace, and on other device security measures.  Although an added inconvenience for the user, internal rules may mandate that browsers not remember passwords, requiring a re-typing for each access or use.  In addition, and at the very least, BYOD mobile devices must themselves be protected with passwords and, where applicable, programmed to alert the owner as to their location or to remotely “self-wipe” and restore themselves to factory defaults, if stolen or misplaced.

Active Management:

Spot checks and random audits must be used to ensure and maintain compliance with any mobile security policy designed for the “anywhere, any device, anytime” BYOD-enabled workspace; or, as more accurately put, the “BYOD-uw” (ubiquitous workplace).

Internal Controls:

Information access controls must also be strictly enforced, so that employees have access to only that information of which they have a business-specific need to know.  BYOD should not be a free license for fishing expeditions, or an invitation to forget medical ethics and use identifiable patient records in social media posts (medical blogs, “would you believe’s”, and juicy tidbits of malice post breakup/rejection); not to mention the truly inadvertent disclosures or keying slip-ups.  Data may also be protected against cut/paste, dragging, and download, and covered by strict write and edit permissions.  This level of openness for use, and for potential abuse, also makes the initial background checks and vulnerable sector screens that much more important.  Behavioural interviewing techniques and other means of heightened pre-employment due diligence have already become the norm, due to the increasing use (and abuse) of social media, and a generally heightened, global security awareness in both the public and private sectors.

Legal and Regulatory Compliance:

Compliance must always be at the forefront, as there will be a host of regulatory regimes that are business- or industry-specific (protecting Intellectual Property Rights/IPR in the technology sector), risk-specific (countering leaks and espionage in the government sector), and privacy-centred (PHIPA[6] in the Ontario healthcare sector).[7]  Privacy insurance is becoming increasingly popular, advisable, and even mandatory in certain cases, and several jurisdictions now have stringent notice and remediation laws in the case of a privacy breach.

WHITHER?

Forward, yes – but with caution, commonsense, and advice from legal and I.T. professionals.

Happy Thanksgiving!

***********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare and privacy, Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant).  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  See, for example: http://www.ogalaws.com

An avid writer, blogger, and reader, Mr. George is a published author in Environmental Law and Policy (National Security aspects).

Mr. George is also an experienced strategic and management consultant; sourcing, managing, and delivering on large, high stakes, strategic projects with multiple stakeholders, large budgets, and multidisciplinary teams.  See, for example: http://www.simprime-ca.com

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Vito Pilieci.  CHEO prescribes BYOD: Just What the Doctor Ordered.  Ottawa Citizen.  Section F, Business & Technology, at F1, F2 (print version of Saturday, October 6, 2012).  Also available online: >http://www.ottawacitizen.com/business/CHEO+prescribes+BYOD/7353691/story.html<

[2] The use of cloud services should also be strongly considered and managed, as the storage of the personal information of Canadians on servers based within the United States, or its inadvertent passage through those servers, may lead to warrantless disclosures of said information to the arms and entities of a foreign nation without the consent or knowledge of the information subject, and in certain cases, the knowledge of a legally responsible information custodian.  See e.g. Ekundayo George.  To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons?  Published on http://www.Ogalaws.wordpress.com, on December 28, 2011.

Online: >https://ogalaws.wordpress.com/2011/12/28/to-cloud-or-not-to-cloud-what-are-some-of-the-current-most-pertinent-pros-and-cons/<

[3] Supra note 1.

[4] Id.  The article also cites Citrix Systems, a CHEO vendor, as saying “more than 34 per cent of Canadian companies already have policies in place to allow employees to bring in personal devices.  Another 27 per cent of Canadian firms plan to roll out some form of BYOD initiative over the next 12 months”.

[5] See e.g. Ekundayo George.  Cybersecurity (the Nitty-Gritty; and what is Cyberspace?): A Different, Flexible Approach.  Published on http://www.Ogalaws.wordpress.com, December 9, 2011.

Online: >https://ogalaws.wordpress.com/2011/12/09/cybersecurity-the-nitty-gritty-a-different-flexible-approach/<

[6] PHIPA (Personal Health Information Protection Act, S.O. 2004, CHAPTER 3).  Online: >http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm<

[7] Also consider the potential applicability of MFIPPA and PIPEDA: in Ontario alone, elsewhere in Canada and at the federal level, and, in the case of PIPEDA, outside Canada as well.  See MFIPPA (Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, CHAPTER M.56).  Online: >http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90m56_e.htm<  See also PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5).  Online: >http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html<
