GRC: Compliance (Part 4).

November 12, 2012

This is the fourth and final installment in a series on devising a structure to address that ever-expanding and increasingly complex (and crowded) intersection of Governance, Risk, and Compliance (GRC).  This is the new paradigm for compliance programs in modern business, but one should always bear in mind that any Compliance Program should be structured with due consideration for the Scope (range of products and/or services offered), Size (number of employees), and Span (geographic spread, and number and range of legal regimes to which it is subject) regarding the entity; including any and all subsidiaries and any cross-national requirements.

Progress so far: What have we covered?

The corporate compliance function can be defined as “those persons, processes, and protocols whether active or automated, that are employed and deployed by the subject entity to ensure on a continuing basis that governing laws are adhered to, governance is responsible and responsive, risks are contained within acceptable parameters, and that failings on any or all of these priorities, are speedily and sufficiently addressed in accordance with applicable laws, whether general, or case- or situation-specific”.

We started in Part 1 (GRC: An Overview),[1] with a quick review of the essential requirements of an effective corporate compliance and ethics program as devised for Canadian and U.S. Federal jurisdictions, respectively.  We also looked at some of the similarities and differences between these two regimes, and some of the factors and related laws that impact upon ethics in general and corporate compliance functions.

Next, in Part 2 (GRC: Governance),[2] we set framework parameters in a chart or matrix.  There were 3 category columns on the X-axis, arranged horizontally; 7 category rows on the Y-axis (with 2 additional but reserved rows), arranged vertically; and as a third or “depth” dimension, containing 5 more categories.  We also ran through a much abbreviated presentation and analysis, using only the first category column (Governance), as we addressed some of its intersection points with the 7 category-rows, as well as with selected elements of the third simultaneous analytical element, the depth dimension (Function, Industry, X-national, Employee class, and Division).

Recently, in Part 3 (GRC: Risk),[3] we presented an analysis using only the second category column (Risk), and addressed some of that column’s intersection points with the 7 category-rows, as well as with elements of the depth dimension (F-I-X-E-D).

Compliance.

Now, we address some compliance or control options and arrangements (involving persons, processes, and protocols) as they intersect with category-rows and the depth dimension.  What additional compliance and control arrangements, as encompassed by a compliance program, might be available to address the challenges of governance, government regulation, and the risks that have been identified in the preceding installments of this series?

Regulatory:

In the U.S. financial services industry, for example, passage of Gramm-Leach-Bliley in 1999 ushered in a Financial Privacy Rule (mandating the entity’s provision, prior to commencing the business relationship, of a privacy notice to customers, and also restricting the entity’s collection, use, and disclosure of customer personal information without consent, along with instructions and the opportunity for customers to opt out); a Safeguards Rule (mandating the creation by entities, if not already existing, of a comprehensive, written plan and procedures to secure and protect customer information, along with assigned oversight, risk analysis, testing, and modification as needed); and instituting Pretexting protections (primarily through ongoing training of financial industry employees in countering social engineering, to better detect, deflect and report unauthorized attempts to access protected, nonpublic customer personal information).[4]

An effective compliance program with regard to Gramm-Leach-Bliley, for example, would therefore involve entity leadership at the highest levels, recruitment and retention of competent advisors, access to industry best practices through associations, and a painstaking exercise of “checking all the boxes”.  Fraud Risk Assessments (FRA) should also be periodically conducted, with regard to the potential for collusion, whether among insiders, or between insiders and outsiders, or both.  Entities involved in ultra-hazardous activities, national security, or work with the vulnerable sector (children and youth, the elderly, and healthcare or social services), should also be especially mindful of their often enhanced regulatory compliance requirements – and not just with respect to financial disclosures.

Environmental:

Compliance with environmental law is an increasingly complicated task.  Pre-construction Environmental Risk Assessments (ERA) are common, as can be assessments of the cultural and community impacts in some jurisdictions.  Issues raised must be addressed to the satisfaction of regulators and even host communities, in order to proceed with confidence and, at times, in peace.  Starting with a government agency’s own specific or omnibus roadmap for its own compliance[5] is one option, and if it is somewhat dated (unlike the referenced resource at the time of posting this blog) there is no harm in asking a contact person at that agency for guidance on how to access updates or addenda, if any.  In addition, special attention should be paid to legal and regulatory requirements on engineering and efficiency; measurement, disclosure, and mitigation; and ongoing training on tools, threats, and a company-wide mandate for high ethical standards and corporate transparency when dealing with investors, employees, and regulators.

Accounting/Audit:

A study (released in 2005) on Revenue Recognition Practices in the wake of SOX,[6] found that in a survey of 162 public companies, contract management, revenue recognition, and tax provisions and related accounting were among the top 5 contributors of GRC challenges.[7]  As to the direct impact of SOX, both public (162) and private (238) companies were found to be closely aligned in the major factors impacting their revenue recognition policies, being: business model changes (approximately 25% and 30% respectively); new audit requirements (approximately 7% and 5% respectively); and SOX, itself (approximately 25% and 30% respectively).[8]  Being nevertheless well aware of the challenges they faced, the respondents at all 400 companies, both public and private, identified 10 areas where they were exploring and evaluating automation and compliance tools.  Amongst these ten, were: workflow and approval process, contract management, revenue recognition, tax, credit management, and expense reimbursement.[9]

The current fiscal landscape is no different, as fiscal challenges continue and accrue.  It is therefore critically important to first gain a better grasp on the fiscal landscape, in order to fashion a credible and comprehensive fiscal policy matrix, including revenue recognition (Framework).  The fiscal matrix comprises 9 (“nine”) main elements, termed “frapsra” (F, P3, S, R3, A); being:

(i) Framework;

(ii) Procurement (set price range, source or order, receive and verify, pay);

(iii) Projects (budget, issue requirements, evaluate options, start-manage-complete project, evaluate and commission, pay);

(iv) Personnel (establish requirement, interview and verify credentials and fit, hire and train, assign and promote, and otherwise manage);

(v) Sales (set price or range, fix essential terms, take order, ship and fulfill, invoice);

(vi) Receivables (management);

(vii) Revenue (recognition);

(viii) Receipts (apportionment); and

(ix) Audit (internal):

  1. Of Internal Controls ~ to prevent, detect, and timely correct and clarify mistakes and ambiguities before they are released and potentially impact upon the entity as either material misstatements or being materially misleading;
  2. Of Disclosure Controls ~ to give senior officers the confidence to present and defend credible MD&A and forward-looking statements, and certify statements of earnings and financial condition in accordance with law;
  3. Of the GRC Regime ~ to ensure that the 5 (“five”) questions ending this installment and this series, can be asked and answered appropriately.

The fiscal policy “Framework”, comprises 6 (“six”) main elements, being in no particular order:

(a) Oversight and offshoring:

  1. Transfer costs,
  2. Customs duties,
  3. Country of origin rules,
  4. Tax treatment;

(b) Business model:

  1. Description and rationale,
  2. Reporting lines and functions,
  3. Transaction example standards,
  4. Sample bottlenecks/sticking points with decision-tree tables;

(c) Listed procedures for data capture, data control, data typing, and data verification, with backup, secure offsite replication, and recovery; including an identification of approved software tools;

(d) Improper and prohibited practices identified;

(e) GAAP and related accounting policies (the options to be applied, as these choices impact the rest of the Framework).  Once selected, these should only be changed on approval at the highest levels, but reviewed with (and preferably prior to) the introduction of any new product or service, or the addition of any sub-entity;

(f) Effectiveness considerations:

  1. Segregation of duties,
  2. Contracts management with standardized forms and formats,
  3. Standardized sales and procurement forms and formats,
  4. Training and internal + external communications policies,
  5. Credit management for the entity, vendors, and customers,
  6. F-I-X-E-D (depth dimension) application, to share the Framework entity-wide, considering local or regional variations in line with overall GRC policy.

Lessons Learned:

The days of racing to the bottom (lax regulatory regimes of primary organization) and bottom-feeding (seeking out the most lax regulatory jurisdictions in which to operate), should be long gone in light of recent court Alien Tort Statute victories involving Ecuadorians[10] and Nigerians,[11] amongst others likely still to be filed, and the increasing push to recognize international environmental crimes as crimes against humanity and genocide.[12]  Other inroads are also being made in securing redress for colonial wrongs,[13] and so both memories and the retroactive reach of the law, can be extensive.

Additional lessons learned in compliance efforts should focus on industry-specific and geo-specific GRC efforts (labor relations, climate change).  In addition, scandals over the past decade should have proven beyond a doubt that only a combination of manual and automated controls can cover for gaps and human deficiencies, and that there must also be senior officer commitment with active project, process, and contracts management to ensure the proper creation, implementation, enforcement, and ongoing testing and improvement of an effective GRC and ethics program.  Special attention should also be paid to compliance with laws and regulations on Proxy Filings and voting, Stock Options, and Insider Trading disclosures.

Internal/Institutional:

As with compliance in the environmental field, touched upon above, other industries also have their own compliance challenges, which can often be considered in light of specific guidance documents issued, for example in the United States, for the Steel industry,[14] regarding Patent and Trademark law compliance for small businesses,[15] and in the realm of trade compliance.[16]

Achieving compliance can be a significant distraction in some jurisdictions where new and sometimes highly complex laws are issued[17] and updated[18] on a regular basis; whether in response to an emergency or other critical event, or to address an ongoing issue or series of issues.  In the case of the latter, the Dodd-Frank Wall Street Reform and Consumer Protection Act,[19] for example, ushered in a sea change to the resource industry landscape with regard to public issuers.  Significant due diligence and disclosure requirements (claimed as onerous in some cases) are now mandatory in order to detect, prevent, and curtail the trade in conflict minerals,[20] which trade has had significant community and cultural impacts.  For instance, wherever “conflict minerals are necessary to the functionality or production of a product manufactured by such person”, annual reports must be filed containing: (i) “a description of the measures taken by the person to exercise due diligence on the source and chain of custody of such minerals”; and (ii) “a description of the products manufactured or contracted to be manufactured that are not DRC conflict free”.[21]

In terms of enforcement, recent case law in the United States has expanded the definition of who can constitute a whistleblower under Dodd-Frank.  We see from Kramer that such a person can be almost anyone who discloses information about a possible violation (being a lower standard than for SOX, which requires disclosure to the SEC of information concerning a securities law violation, backed by a reasonable belief that a possible violation occurred).  We also see from Ott that a person asserting a retaliation claim under Dodd-Frank need not necessarily be a person who would (or could) also have qualified for the whistleblower bounty in making a disclosure in apparent accordance with law in the first place.[22]

As a result of these laws (SOX and Dodd-Frank), and other laws requiring in-depth and ongoing compliance, appropriate ethics and regulatory compliance training should be developed and broadly instituted across the company.  This is especially critical in entities with depth, i.e. decentralized with multiple divisions or business segments, whether domestic, continental, or more transnational.  Additionally, internal investigations should be properly structured[23] and intermediaries closely monitored to avoid any third-party or vicarious liability, or conspiracy.

Structural/Systemic:

Securities laws in the United States,[24] across Canada,[25] and the European Union,[26] for example, specify the types and extent of information that issuers must disclose, both for registration and as an ongoing requirement.  Securities laws in India[27] and Australia,[28] and such United States amending laws as the Sarbanes-Oxley Act (SOX)[29] and the Gramm-Leach-Bliley Act,[30] further address transparency, detailed compliance and reporting requirements, and mandatory aspects of corporate governance and ethics.  Except as otherwise specifically stated,[31] SOX compliance is mandatory,[32] and three noteworthy compliance provisions are Sections 404, 302, and 307.

SOX Section 404:

Section 404 specifies annual disclosure by corporate issuers, re: the existence, management responsibility for, and evaluation of their own internal controls; as further “attested to and reported on” (double-checked and verified as accurate), by the issuing entity’s auditors.[33]  Retaliation against whistleblowers,[34] failure to certify financial statements as required,[35] and evidence tampering that hampers or clouds an investigation,[36] will all now constitute criminal offences under SOX, with significant penalties.

SOX Section 302:

Section 302 further mandates that principal officers of issuers certify by signing that they have: (i) reviewed the subject quarterly or financial report; (ii) found the same to be accurate (“does not contain any untrue statement of a material fact or omit to state a material fact necessary in order to make the statements made, in light of the circumstances under which such statements were made, not misleading”); (iii) found same to be complete (in that the information therein does “fairly present in all material respects the financial condition and results of operations of the issuer as of, and for, the periods presented in the report”); (iv) have appropriately established and maintained and evaluated internal controls; with (v) disclosure to the issuer’s auditors and the audit committee of all “significant deficiencies” and “material weaknesses” of internal controls, as well as “any fraud whether or not material that involves management or other employees who have a significant role in the issuer’s internal controls”; as well as any corrective actions.[37]

SOX Section 307:

Finally, Section 307 provides for a heightened duty of legal counsel to report up the line when finding evidence of any “material violation of securities law or breach of fiduciary duty or similar violation by the company or any agent thereof”.[38]  Counsel has an additional duty to report further up the management chain to the Audit Committee or another appropriate Committee of the Board of Directors, if the first person hearing the complaint and report “does not appropriately respond to the evidence”.[39]

Technical/Tactical:

Segregation of duties should be rigorously enforced in accordance with industry best practices, or in excess of industry best practices, where warranted.  Spot audits of social media usage policy compliance should be ingrained, as should be disciplinary procedures for infractions and industry (or above-industry) best practices in IT management policies and procedures; some of which practices I earlier identified in part 3 of this series.

Further technical and tactical compliance efforts should focus on industry-specific and geo-specific risks (earthquake, hurricane or tornado, fire and flood).  Sometimes, however, even the best-laid plans and safety precautions[40] can be overwhelmed under the onslaught of concurrent multiple perils, such as the earthquake and tsunami in Fukushima, Japan of Monday April 11, 2011.  In any case, there should be interim testing and updates of the written, shared, and practiced compliance guidelines; especially in the rapidly developing e-Commerce and social media realms with regard to Cybersecurity and privacy rights (PIPEDA and provincial privacy laws in Canada, and state privacy laws in the United States); online spam protections in the American CAN-SPAM Act,[41] along with Canada’s equivalent in the Canada Anti-Spam Law;[42] and online copyright infringement protection for ISPs in the American Digital Millennium Copyright Act (DMCA), and Canada’s equivalent Copyright Modernization Act.[43]  All of these are added areas of concern for entities involved in that space, requiring inclusion in their compliance plans.

Two Additional (reserved) Categories:

The first reserved category is Implementation (covering investigations and improvements; staff inclusion as stakeholders; and inspired giving as a corporate social responsibility).[44]  The second reserved category is Climate (covering conflicts of law; conflicts of culture – whether business or natural; and contingencies – environmental, political, technical, man-made, and popular (with “popular” including riot, insurrection, sit-in/occupation, and pre- or post-sporting event mayhem tantamount to riot or insurrection)).[45]  Some of these were touched upon in the above analysis or earlier installments.  However, being essential to the overall success of any GRC program, they should be checked and re-checked, often and at length, against the F-I-X-E-D (depth dimension).

Summary.

Essentially, a company needs to be able to ask all of its officers, employees, and directors the following 5 questions.  A perfect score includes 4 x yes answers (questions 1, 2, 4, and 5), and 1 x no answer (question 3).  If question 5 yields any or many “no” answers, then the company needs to realize and accept that there is a problem, because over time its business will evolve, the applicable regulations will change, and the market is dynamic, so a functioning and responsive GRC program, if left static and unchanging, cannot be so perfect for all cases, and over all time!

Question 1: Would you take issues and complaints to a responsible officer or director? (are there internal complaints procedures in place, and do all within the company know how to avail themselves of same?);

Question 2: Are you confident that the issues or complaints raised will be adequately and timely addressed?  (do the responsible officers and the set procedures inspire credibility, by a demonstrated commitment of senior management to both GRC and the established complaint procedures?);

Question 3: Do you fear retaliation or punishment for raising issues or complaints in accordance with the established complaint procedures?  (is there a compliance culture, and are there adequate whistleblower protections?);

Question 4: Are these reporting behaviours championed within your organization?  (is there a clear commitment by all management levels to establishing, enunciating, and upholding the entity’s values and mission, and ethical behaviours; and are internal controls established, communicated, and enforced on a uniform and consistent basis?);

Question 5: Is there anything that you can think of and suggest to improve the GRC processes at your place of work? (this includes both the overall employing entity or head office, and suggested local variations for legal jurisdiction; business or actual culture; changing times, climes, and circumstances; and deficiencies or lessons learned).

*****************************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare privacy, Cloud applications, and Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant, and GRC – governance, risk, and compliance investigations, audits, and counseling in both Canada and the United States).  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  See: http://www.ogalaws.com

Backed by courses in management, organizational behaviour, and micro-organizational behaviour, Mr. George is a writer, tweeter and blogger (as time permits), and a published author in Environmental Law and Policy (National Security aspects).

Mr. George is an experienced strategic and management consultant; sourcing, managing, and delivering on high stakes, strategic projects with multiple stakeholders and multidisciplinary teams.  See: http://www.simprime-ca.com

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Ekundayo George.  GRC: An Overview (Part 1).  Published on ogalaws.wordpress.com.  October 21, 2012.  Online: https://ogalaws.wordpress.com/2012/10/21/grc-an-overview-part-1/

[2] Ekundayo George.  GRC: Governance (Part 2).  Published on ogalaws.wordpress.com.  October 29, 2012.  Online: https://ogalaws.wordpress.com/2012/10/29/grc-governance-part-2/

[3] Ekundayo George.  GRC: Risk (Part 3).  Published on ogalaws.wordpress.com.  November 6, 2012.  Online: https://ogalaws.wordpress.com/2012/11/06/grc-risk-part-3/

[4] See infra, note 30.

[5] United States Department of Commerce.  Energy and Environmental Management Manual.  Released in September, 2012.  Online: http://www.osec.doc.gov/oas/Documents/OSEEP/Docs%20&%20Newsltrs/Documents/EEMM_FINAL_%2826_Sept._2012%29.pdf

[6] RevenueRecognition.com.  Sarbanes-Oxley and Revenue Recognition Practices: Financial Executive Benchmarking Survey, Revenue Recognition Edition.  2005.  Online: http://www.complianceweek.com/s/documents/RevRecandIDC-RevenueRecognitionPractices.pdf

[7] Id. at page 5, figure 6.

[8] Supra, note 6 at page 4, figures 3 and 4.

[9] Supra, note 6 at page 6, figure 7.

[10] See e.g. Karen Gullo and Mark Chediak.  Chevron Bid to Dismiss $18 Billion Award Rejected in Ecuador.  Bloomberg.com, January 4, 2012.  Online: http://www.bloomberg.com/news/2012-01-04/chevron-loses-bid-to-throw-out-18-billion-award-in-ecuador-pollution-case.html  Post-judgement actions on the award are ongoing.

[11] See e.g. the matter currently on appeal to the United States Supreme Court of Kiobel v. Royal Dutch Shell.  Online: http://www.supremecourt.gov/Search.aspx?FileName=/docketfiles/10-1491.htm; on appeal from Kiobel v. Royal Dutch Pet. Co., 621 F.3d 111 (2d Cir. 2010), decided on September 17, 2010.  Online: http://www.ca2.uscourts.gov/decisions/isysquery/3d9bbe68-742b-4422-9de6-1b3c3d48589b/7/doc/06-4800-cv_opn.pdf#xml=http://www.ca2.uscourts.gov/decisions/isysquery/3d9bbe68-742b-4422-9de6-1b3c3d48589b/7/hilite/

[12] The 2 essential questions to be answered in Kiobel, are: (i) whether corporate civil tort liability under the Alien Tort Statute (“ATS”, 28 U.S.C. §1350) goes to subject matter jurisdiction, or goes to merits and has thus already been decided below; and (ii) whether a corporation can be sued as can a private party, or is immune to liability for violating the law of nations regarding genocide, extrajudicial killing, or torture, as the 11th Circuit already answered in the affirmative, below.  See United States Supreme Court.  10-1491 Kiobel v. Royal Dutch Petroleum, Decision Below: 621 F.3d 111.  Lower Court Case Number: 06-4800, 06-4876.  Questions Presented.  Online: http://www.supremecourt.gov/qp/10-01491qp.pdf

[13] See e.g. the ongoing case in the United Kingdom of Mutua and others v. The Foreign and Commonwealth Office (“Mau Mau” case), [2012] EWHC 2678 (QB), judgement issued on October 5, 2012.  Online: http://www.judiciary.gov.uk/Resources/JCO/Documents/Judgments/mutua-fco-judgment-05102012.pdf

[14] United States Department of Commerce, International Trade Administration, Import Administration.  Steel Import Monitoring and Analysis System.  Online: http://ia.ita.doc.gov/steel/license/index.html

[15] United States Department of Commerce and United States Patent and Trademark Office (USPTO).  Small Entity Compliance Guide: Request for Supplemental Examination.  Released in September, 2012.  Online: http://www.uspto.gov/aia_implementation/supp-exam-compliance-guide.pdf

[16] United States Department of Commerce, Bureau of Industry and Security.  Compliance Guidelines: How to Develop an Effective Export Management and Compliance Program and Manual.  Released in June, 2011.  Online: http://www.bis.doc.gov/complianceandenforcement/emcp_guidelines.pdf

[17] See e.g. United States Congress.  The Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT ACT) Act of 2001.  Pub. L. 107–56, Oct. 26, 2001; also sometimes referred to as Patriot I.  Online: http://www.gpo.gov/fdsys/pkg/PLAW-107publ56/pdf/PLAW-107publ56.pdf

[18] See United States Congress.  USA Patriot Improvement and Reauthorization Act of 2005.  Pub. L. 109–177, Mar. 9, 2006; also sometimes referred to as Patriot II.  Online: http://www.intelligence.senate.gov/laws/pl109-177.pdf; See also United States Congress.  PATRIOT Sunsets Extension Act of 2011.  Pub. L. 112–14, May 26, 2011; also sometimes referred to as Patriot III.  Online: http://www.gpo.gov/fdsys/pkg/PLAW-112publ14/pdf/PLAW-112publ14.pdf

[19] United States Congress.  The Dodd–Frank Wall Street Reform and Consumer Protection Act, Pub. L. 111-203, July 21, 2012.  Online: http://www.gpo.gov/fdsys/pkg/PLAW-111publ203/pdf/PLAW-111publ203.pdf

[20] Id. at Section 1502.

[21] Id.

[22] See Kramer v. Trans-Lux Corp., No. 3:11cv1424, 2012 U.S. Dist. (D. Conn. Sept. 25, 2012), at page 11 of the Order.  In partially denying the defendant’s Motion for Summary Judgement (seeking dismissal of the plaintiff’s Complaint for failure to state a claim for which relief can be granted, under FRCP 12(b)(6)), the Honorable Stefan R. Underhill, U.S.D.J., held that “Sarbanes-Oxley protects persons who disclose information they reasonably believe constitutes a violation of SEC rules or regulations (…) by the language of the whistleblower provision, the whistleblower need only have reasonably believed that it was a violation (…) [t]herefore, Kramer has alleged sufficient facts to support a Dodd-Frank Act whistleblower claim based on his internal and external communications”.  Online: http://courtweb.pamd.uscourts.gov/courtwebsearch/ctxc/11cv1424mtdrul.pdf

See also Ott v. Fred Alger Management, Inc., No. 11 Civ. 4418, 2012 U.S. Dist. (SDNY Sept. 27, 2012), at page 9 of 20 in the Order.  In her Memorandum and Order denying the defendant’s Motion for Summary Judgement under FRCP 12(b)(6) and FRCP 23.1 (Derivative Actions by Shareholders, of which this was one such), the Honorable Loretta A. Preska, U.S.D.J., held that the “anti-retaliation protections apply whether or not you satisfy the requirements, procedures and conditions to qualify for an award.”  The American Law Institute, Continuing Legal Education.  The SEC’s Whistleblower Program: One Year Later.  Cosponsored by the ABA Business Law Section and the ABA Section of Public Utility, Communications and Transportation Law.  Telephone seminar/audio webcast as delivered on October 9, 2012.  Online: http://files.ali-cle.org/files/coursebooks/pdf/TSUP04_chapter_02.pdf

[23] Case law in the European Union has left In-House Counsel somewhat exposed when rendering advice or conducting In-House investigations, as there is an absence of effective privilege.  See e.g. Akzo Nobel Chemicals & Akcros Chemicals v Commission (Competition) [2007] EUECJ T-125/03 (17 September 2007).  Online: http://www.bailii.org/eu/cases/EUECJ/2007/T12503.html  On the part of outside Counsel, another risk that he or she may face is to be (or find oneself alleged to be) caught up in the misconduct of a client as more than an innocent advisor.  Joseph P. Collins has so far been able to secure a retrial since his earlier criminal conviction.  See US v. Joseph P. Collins, 10-1048-cr, NYLJ 1202537905466, at *1 (2d Cir., Decided January 9, 2012).  Online: http://www.law.com/jsp/decision.jsp?id=1202537905466

[24] United States Congress.  The Securities Act of 1933 (Truth in Securities Act), 15 U.S.C. §77a et seq.  Online: >http://www.sec.gov/about/laws/sa33.pdf<; The Securities Act of 1934 (Securities Exchange Act), 15 U.S.C. §78a et seq.  Online: >http://www.sec.gov/about/laws/sea34.pdf<

[25] Each province creates, implements, and enforces its own securities laws, as there is no national regulator.  Indeed, this may remain the case for the foreseeable future, as a “Reference” question put to the Supreme Court of Canada approximately one year ago was returned with a decision that the federal power granted under the 1867 Constitution Act to regulate trade and commerce was insufficient to authorize creation of a national securities regulator over and above the existing provincial securities regulators.  See Reference Re Securities Act, 2011 SCC 66, [2011] 3 S.C.R. 837.  Online: >http://www.scc-csc.gc.ca/case-dossier/cms-sgd/dock-regi-eng.aspx?cas=33718<  However, the Province of Ontario passed An Act to implement Budget measures and other initiatives of the Government, S.O. 2002, ch. 22 (Bill 198) (effective April 7, 2003), which at its Title XXVI amended the Ontario Securities Act with: (i) updated definitions for materiality, (ii) clarification of continuing disclosure provisions, (iii) encoding of privacy protections for issuers under the Freedom of Information and Protection of Privacy Act, R.S.O. 1990, Chapter F.31, (iv) raising the fine levels from $1 million to $5 million in certain cases, (v) barring fraud, market manipulation, and the making of misleading or untrue statements, and (vi) imposing liability on directors and officers or a “person who authorized, permitted or acquiesced in the non-compliance”.  Online: >http://www.ontla.on.ca/web/bills/bills_detail.do?locale=en&BillID=1067&isCurrent=false&ParlSessionID=37%3A3<.  This laid the groundwork for Canada’s securities regulators to work together and issue what became National Instrument 52-109: Certification of Disclosure in Issuers’ Annual and Interim Filings; also sometimes termed SOX Canada.  Online: >http://www.bcsc.bc.ca/uploadedFiles/securitieslaw/policy5/52-109NI_Advance_Notice.pdf<  Subsequent amendments and collateral instruments have strengthened the disclosure regime for public issuers in Canada’s various provinces.

[26] European Commission.  Directive 2004/109/EC of the European Parliament and of the Council of 15 December 2004, on the harmonisation of transparency requirements in relation to information about issuers whose securities are admitted to trading on a regulated market and amending Directive 2001/34/EC.  Online: >http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:390:0038:0057:EN:PDF<

[27] National Stock Exchange of India Limited.  Listing Agreement, §49 at pages 77-91; also sometimes termed SOX India.  Online: >http://www.nse-india.com/getting_listed/content/listing_agreement.htm<

[28] Government of Australia.  Corporate Law Economic Reform Program (Audit Reform and Corporate Disclosure) Act 2004; also sometimes termed SOX Australia.  Online: >http://www.comlaw.gov.au/Details/C2004A01334/Download<

[29] United States Congress.  The Sarbanes-Oxley Act of 2002 (The Public Company Accounting Reform and Investor Protection Act), Pub. L. 107–204, July 30, 2002, 116 Stat. 745.  Online: >http://www.sec.gov/about/laws/soa2002.pdf<

[30] United States Congress.  The Gramm-Leach-Bliley Act (Financial Services Modernization Act of 1999), Pub. L. 106-102, November 12, 1999, 113 Stat. 1338.  Online: >http://www.gpo.gov/fdsys/pkg/PLAW-106publ102/pdf/PLAW-106publ102.pdf<

[31] For example, limited exemptions exist under Securities and Exchange Commission (SEC) Final Rule 33-9142: Internal Control over Financial Reporting in Exchange Act Periodic Reports of Non-Accelerated Filers. 17 CFR Parts 210, 229 and 249.  Effective September 21, 2012.  Online: >http://www.sec.gov/rules/final/2010/33-9142.pdf<

[32] Some additional SOX carve-outs and modifiers were created by the JOBS Act, which passed with the strong support of both parties (380:41 in the House with 10 more not voting, and 73:26 in the Senate), although not without some controversy from interest groups.  See e.g. Congress of the United States.  Jumpstart Our Business Startups Act (“JOBS Act”).  Pub. L. 112-106, Apr. 5, 2012.  Online: >http://www.gpo.gov/fdsys/pkg/PLAW-112publ106/pdf/PLAW-112publ106.pdf<.  See also JOBS Act Critique: Consumer Federation of America.  Public Interest Groups Oppose Anti-Investor “Capital Formation” Bills.  March 5, 2012 Open Letter to the United States Senate, Committee on Banking, Housing and Urban Affairs.  Online: >http://www.consumerfed.org/news/467<

[33] Supra note 29, SOX at Section 404 (Management assessment of internal controls).  See also United States Securities and Exchange Commission (SEC) Final Rule 33-8238: Management’s Report on Internal Control Over Financial Reporting and Certification of Disclosure in Exchange Act Periodic Reports.  17 CFR Parts 210, 228, 229, 240, 249, 270 and 274.  Effective August 14, 2003.  Online: >http://www.sec.gov/rules/final/33-8238.htm<

[34] Supra note 29, SOX at Section 1107 (Corporate Fraud Accountability Act of 2002), within SOX Title XI.

[35] Id. at SOX Section 906 (White Collar Crime Penalty Enhancement Act of 2002), within SOX Title IX.

[36] Supra note 29, SOX at Section 802 (Corporate and Criminal Fraud Accountability Act of 2002), within SOX Title VIII.

[37] This section applies to all U.S. issuers regardless of their place of incorporation or re-incorporation.  Supra note 29, SOX at Section 302 (Corporate responsibility for financial reports).  See also United States Securities and Exchange Commission.  Final Rule 33-8124: Certification of Disclosure in Companies’ Quarterly and Annual Reports.  17 CFR Parts 228, 229, 232, 240, 249, 270 and 274.  Effective August 29, 2002.  Online: >http://www.sec.gov/rules/final/33-8124.htm<

[38] United States Congress.  The Sarbanes-Oxley Act of 2002 (The Public Company Accounting Reform and Investor Protection Act), Pub. L. 107–204, July 30, 2002, at Section 307(1): Rules of Professional Responsibility for Attorneys.  Online: >http://www.sec.gov/about/laws/soa2002.pdf<

[39] Id. at Section 307(2).  Pursuant to that section, the Securities and Exchange Commission has issued Final Rule 33-8185: Implementation of Standards of Professional Conduct for Attorneys, 17 CFR Part 205 (effective August 5, 2003).  See Securities and Exchange Commission (SEC).  Online: >http://www.sec.gov/rules/final/33-8185.htm<

[40] In the lead-up to Hurricane Sandy of October 2012, which wreaked havoc on Cuba, Jamaica, Haiti, and the Bahamas in the Caribbean, and had its heaviest U.S. impact on New York and New Jersey, some businesses, including AT&T in New Jersey, purchased entire fuel tanker trucks as part of their contingency planning, in order to avoid the line-ups at empty filling stations, the business interruptions caused by employees unable to get to work, and the inability to operate themselves due to lost power and gasless backup generators.  See Katie Eder.  Gas becomes hot commodity for N.J. businesses, post-Sandy.  Published on njbiz.com, November 5, 2012.  Online: >http://www.njbiz.com/article/20121105/NJBIZ01/121109942/-1/enews_dailyT1<.  See also The Associated Press.  Hurricane Sandy Hits Bahamas After Sweeping Through Cuba and Haiti.  Published on nytimes.com, October 25, 2012.  Online: >http://www.nytimes.com/2012/10/26/world/americas/sandy-hits-bahamas-after-havoc-in-cuba-and-haiti.html<

[41] United States Congress.  Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003.  Pub. L. 108-187, Dec. 16, 2003 (CAN-SPAM Act).  Online: >http://www.gpo.gov/fdsys/pkg/PLAW-108publ187/pdf/PLAW-108publ187.pdf<

[42] Government of Canada.  An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radiotelevision and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act.  S.C. 2010, c. 23 (also termed the “Canada Anti-Spam Law”).  Online: >http://laws-lois.justice.gc.ca/PDF/E-1.6.pdf<

[43] Bill C-11, The Copyright Modernization Act, received Royal Assent on June 29, 2012.  Notification and counter-notification provisions for ISPs and certain other web hosts – akin to those of the DMCA – can be found in sections 41.25, 41.26, and 41.27 of the Act.  Admittedly, certain public interest entities are protected against harsh penalties in Bill C-11, with the delineation of an injunction as the appropriate penalty for their non-willful copyright infringement.  However, due to the threat (and very real legal option) of infringing websites being blocked outright in certain jurisdictions, Canadian entities hosting content that might infringe the copyright of “someone, somewhere” (such as blogs and other social media sites) might include notification and counter-notification measures in their online usage policies and contact forms.  We have been approached, and have advised, with regard to this option as a potential demonstrated due diligence compliance measure.  See Government of Canada.  Copyright Modernization Act, S.C. 2012, c. 20.  Online: >http://laws-lois.justice.gc.ca/eng/AnnualStatutes/2012_20/page-1.html<

[44] Undoubtedly, employees who see their employer taking a lead when the situation requires it, and who are encouraged to find ways to become personally involved – whether by selecting and presenting CSR opportunities, enjoying matching donations from the employer, volunteering, or otherwise – will be more likely to buy in to the company’s values, mission, and longevity (by mutually enforcing amongst their peers, improving it by individual or group and committee contributions, and themselves personally adhering, each and all, to its compliance and ethics program).  See generally Beth Fitzgerald.  N.J. business community pitches in for Sandy relief.  Published on NJBIZ.com, November 6, 2012.  Online: >http://www.njbiz.com/article/20121106/NJBIZ01/121109925/-1/enews_dailyT2<

[45] Those who have had the foresight and planning to secure appropriate insurance coverage for wind, fire, flooding, and business interruption are always happier than others when their paid-up policies are available for claims in times of great need after such “contingencies”.  See e.g. Joseph N. DiStefano.  Philly Deals: Sandy incites twice as many insurance claims as Irene.  Published on phillydeals.com, Tuesday, November 6, 2012.  Online: >http://www.philly.com/philly/business/20121106_PhillyDeals__Sandy_incites_twice_as_many_insurance_claims_as_Irene.html<


What about hospital BYOD?

October 7, 2012

WOW!

I was just leafing through the Ottawa Citizen of Saturday, October 6, 2012, and I came across an article on rising BYOD at the Children’s Hospital of Eastern Ontario (CHEO).[1]

WHAT?

BYOD literally means “bring your own device”, and refers to the growing practice of employers allowing employees to bring their own mobile devices (smart phones, tablets, laptops) into the workplace, so that they may access proprietary and work-related information on platforms with which they are already quite comfortable.

WHY?

Some of the advantages of BYOD identified in that article include: (i) cashflow savings (not having to buy and replace devices for employees on the employer’s own tab, whether with operating funds or debt); (ii) currency (allowing employees to transport and deploy what is likely the most cutting-edge technology); (iii) speed and efficiency (permitting staffers to quickly access “more timely and accurate information” almost anywhere, as hosted on proprietary servers or those of cloud service providers/vendors);[2] and (iv) good environmental stewardship (cutting down on the use of paper, and on copying costs, through the increasing use of EHR, or electronic health records).[3]

WHOA!

Doubtless, CHEO is already very well advised on these and related matters.  However, in the race for similar BYOD gains by others,[4] let us try not to forget the clear potential for pains and strains, on which I have blogged at some length.[5]  There are 4 (“four”) main keys to creating and implementing a BYOD/Cybersecurity Policy to guard against these, and employers hoping to exploit the gains of BYOD are well advised to have legal counsel – preferably counsel who are also familiar with the laws outside Canada, due to the global nature of the internet and Cybercrime – assist them in devising an appropriate framework within which BYOD can thrive, responsibly.  These keys follow, in brief.

Systemic Security:

Stringent efforts must be made to secure access to the information accessible on or through these many mobile devices.  The employer’s I.T. staff (or specialized contractors) also need to remain busy and vigilant in ensuring that no malicious code is present on these devices, or is introduced into the system by means of these devices.  This, of course, will require copious amounts of training and retraining on counter-social-engineering techniques, safe browsing outside the workplace, and other device security measures.  Although an added inconvenience for the user, internal rules may mandate that browsers not remember passwords, requiring re-typing for each access or use.  In addition, and at the very least, BYOD mobile devices must themselves be protected with passwords and, where applicable, programmed to alert the owner to their location or to remotely “self-wipe” and restore themselves to factory defaults if stolen or misplaced.

Active Management:

Spot checks and random audits must be used to ensure and maintain compliance with any mobile security policy designed for the “anywhere, any device, anytime” BYOD-enabled workspace; or, as more accurately put, the “BYOD-uw” (ubiquitous workplace).

Internal Controls:

Information access controls must also be strictly enforced, so that employees have access only to that information of which they have a business-specific need to know.  BYOD should not be a free license for fishing expeditions, or an invitation to forget medical ethics and use identifiable patient records in social media posts (medical blogs, “would you believe’s”, and juicy tidbits of malice post-breakup/rejection); not to mention the truly inadvertent disclosures or keying slip-ups.  Data may also be protected against cut/paste or dragging and download, and covered by strict write and edit permissions.  This level of openness for use and potential abuse also makes the initial background checks and vulnerable sector screens that much more important.  Behavioural interviewing techniques and other means of heightened pre-employment due diligence have already become the norm, due to the increasing use (and abuse) of social media, and a generally heightened, global security awareness in both the public and private sectors.

Legal and Regulatory Compliance:

Compliance must always be at the forefront, as there will be a host of regulatory regimes that are business- or industry-specific (protecting Intellectual Property Rights/IPR in the technology sector), risk-specific (countering leaks and espionage in the government sector), and privacy-centred (PHIPPA[6] in the Ontario healthcare sector).[7]  Privacy insurance is becoming increasingly popular, advisable, and even mandatory in certain cases, and several jurisdictions now have stringent notice and remediation laws in the case of a privacy breach.

WHITHER?

Forward, yes – but with caution, commonsense, and advice from legal and I.T. professionals.

Happy Thanksgiving!

***********************************************************************

Author:

Ekundayo George is a sociologist and a lawyer, with over a decade of legal experience including business law and counseling (business formation, outsourcing, commercial leasing, healthcare and privacy, Cybersecurity); diverse litigation, as well as ADR; and regulatory practice (planning and zoning, environmental controls, landlord and tenant).  He is licensed to practice law in Ontario, Canada, as well as in New York, New Jersey, and Washington, D.C., in the United States of America (U.S.A.).  See, for example: http://www.ogalaws.com

An avid writer, blogger, and reader, Mr. George is a published author in Environmental Law and Policy (National Security aspects).

Mr. George is also an experienced strategic and management consultant; sourcing, managing, and delivering on large, high stakes, strategic projects with multiple stakeholders, large budgets, and multidisciplinary teams.  See, for example: http://www.simprime-ca.com

Hyperlinks to external sites are provided to readers of this blog as a courtesy and convenience, only, and no warranty is made or responsibility assumed by either or both of George Law Offices and Strategic IMPRIME Consulting & Advisory, Inc. (“S’imprime-ça”), in whole or in part for their content, or their accuracy, or their availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Vito Pilieci.  CHEO prescribes BYOD: Just What the Doctor Ordered.  Ottawa Citizen.  Section F, Business & Technology, at F1, F2 (print version of Saturday, October 6, 2012).  Also available online: >http://www.ottawacitizen.com/business/CHEO+prescribes+BYOD/7353691/story.html<

[2] The use of cloud services should also be strongly considered and managed, as the storage of the personal information of Canadians on servers based within the United States, or its inadvertent passage through those servers, may lead to warrantless disclosures of said information to the arms and entities of a foreign nation without the consent or knowledge of the information subject, and in certain cases, without the knowledge of a legally responsible information custodian.  See e.g. Ekundayo George.  To Cloud or Not to Cloud: What are Some of the Current, Most Pertinent Pros and Cons?  Published on http://www.Ogalaws.wordpress.com, on December 28, 2011.  Online: >https://ogalaws.wordpress.com/2011/12/28/to-cloud-or-not-to-cloud-what-are-some-of-the-current-most-pertinent-pros-and-cons/<

[3] Supra note 1.

[4] Id.  The article also cites Citrix Systems, a CHEO vendor, as saying “more than 34 per cent of Canadian companies already have policies in place to allow employees to bring in personal devices.  Another 27 per cent of Canadian firms plan to roll out some form of BYOD initiative over the next 12 months”.

[5] See e.g. Ekundayo George.  Cybersecurity (the Nitty-Gritty; and what is Cyberspace?): A Different, Flexible Approach.  Published on http://www.Ogalaws.wordpress.com, December 9, 2011.  Online: >https://ogalaws.wordpress.com/2011/12/09/cybersecurity-the-nitty-gritty-a-different-flexible-approach/<

[6] PHIPPA (Personal Health Information Protection Act, S.O. 2004, CHAPTER 3).  Online: >http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_04p03_e.htm<

[7] Also consider the potential applicability of MFIPPA and PIPEDA, whether in Ontario alone, elsewhere in Canada and at the federal level, or, with regard to the latter (PIPEDA), outside Canada.  See MFIPPA (Municipal Freedom of Information and Protection of Privacy Act, R.S.O. 1990, CHAPTER M.56).  Online: >http://www.e-laws.gov.on.ca/html/statutes/english/elaws_statutes_90m56_e.htm<.  See also PIPEDA (Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5).  Online: >http://laws-lois.justice.gc.ca/eng/acts/P-8.6/index.html<

As briefly as possible, let us consider the essential pros and cons of Cloud Computing, so that you can be better informed to make a decision on whether or not to join the club.  A detailed analysis on each point and its many sub-points could easily run into a multi-volume treatise.  Hence, I will try to give you enough to get the right questions asked.

ADVANTAGES (potential):

Floor Space: Of course, when you cut down on the amount of space you need for your own servers, wiring, HVAC, and individual desktops with full monitor and CPU packages, you can re-dedicate the space to other internal purposes and business units, earn revenues by sub-leasing (to the extent the landlord lets you), or move to a smaller location.  These are increasingly pertinent considerations in any cost-conscious climate.

Operational Efficiencies: Cloud providers allow clients to pay for only that amount of service that they actually use, in addition to any standby or contingent services that are retained as available for purposes of surge capacity, emergencies, or other events whether or not specified.  This allows for the streamlining of staff and functions, a slimmer I.T. department, and a clearer focus on essential, mission-critical business functions.

Capex to Opex: What would formerly have been capital expenditures for I.T. equipment, including servers, setup and administration costs, and repairs and replacements, can now be expensed as operational costs.  Even with the loss of those once-available depreciation allowances, the CFO should be happier with the cleaner budget, and with greater cost control through a better defined and appropriately confined predictability of outflows.  Software licensing costs no longer need to be so closely monitored, and temperamental legacy servers running dedicated software in-house, which may or may not be easily upgraded and updated, can be downgraded in priority, as Cloud Vendors can often accommodate a variety of Cloud subscription fee arrangements including per-seat, per-use, per-tier, and so forth.

Ubiquity: As defined by the National Institute of Standards and Technology (NIST) of the United States Department of Commerce: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model is composed of five essential characteristics, three service models, and four deployment models.”[1]  The key word here, is “ubiquitous”, with a one to many service model available anywhere, to any or all persons, and at one or all times.  Wireless and satellite Internet access, and portable hotspots where no fixed-site or sufficiently secure or reliable Internet on-ramp exists, make this all possible.  However, this ubiquity comes with costs, as I will outline under the Disadvantages, below; specifically under the Legal and Liability Issues section.

Scalability: The prudent and professional Cloud Vendor will generally maintain sufficient spare capacity to handle the surge requirements of all of its clients.  Certain industries and business models, as well as regular business events – such as for accounting and regulatory filings at the end of a month, quarter, or year – and the happening of special or otherwise distinctive events (public offerings, mergers, bankruptcies, or litigation), will generally lead to a heightened usage requirement due to the additional activities and actors that will be brought online.   That is “really” not the time, if ever, for a Cloud Vendor to say that there is no more to give, or that the capacity to handle such an expected spike was never actually considered or built-in, to the service model.  This nightmare scenario will invariably lead to side litigation on the main instigation, and nervous General Counsel calls to insurers, counterparties, and regulators.  But, we are still listing the Pros; yes?!  Always, always, discuss your actual, anticipated, and remotely potential needs, thoroughly, with the Cloud Vendor, so that “your” package fits “you”.  Besides which, savvy parties are already moving to put adequate and secure capacity in place[2], to ground the infrastructure for this promising but tricky new platform.

DISADVANTAGES (potential):

Vendor Inelasticity: Once you have decided on a particular Vendor, with its services and cost structure, it can be hard to move.  There will always be costs associated with any change in vendor, and it may take quite some time to have the same service, or a comparable or better service (depending, of course, on the reason for your relocation), up and running in the successor location, including potentially significant unanticipated costs and delays.  Once you are in, you should plan to be there for the long haul.  This is why, once again, due diligence and a mutuality of party good faith are essential.  In Cloud and outsourcing contracts that I have drafted, I provide for open party communication lines, detailed ADR clauses, and a means to address any failure to meet agreed SLAs.  In addition – always – a detailed exit protocol with a combination of specific steps, cost structures, and room to negotiate if and where possible.  Cloud Vendors offering no exit strategy, or an overly rigid or convoluted one, should be approached with high caution.

Access to Data: There are at least 5 (“five”) viewpoints on this issue, depending on whether you are talking about source code, backup and contingency planning, third-party customers, server location, or insolvency.

(a) The Cloud Vendor will be very reluctant to escrow its source code, the very essence of its competitive advantage, as we now often see touted by many a commentator.  Onlookers argue that such an escrow arrangement is essential to providing the customer with the peace of mind that their data will always be accessible, and that the service will be replicable, should any calamity befall their Cloud Vendor or a related provider in the chain.  Indeed, there is more than one way to provide peace of mind.

(b) Sensible backup and contingency planning requires multiple levels of redundancy, and the United States Securities and Exchange Commission (SEC),[3] for one, has issued guidance on the disclosure of Cybersecurity risks by issuers.  In time, this may expand to non-issuers in that and other jurisdictions.  I would advise that the customer and the Cloud Vendor must have, share, and coordinate their disaster management policies, plans, and procedures.  Whether this will require that the customers of a specific Cloud Vendor all know one another and thereby decrease their mutual security, or that a third-party “security coordinating group or consultant” intervenes to preserve some anonymity, or that some other solution or suite of solutions is developed for this requirement of mutually assured security and stability, remains to be seen.

(c) In some industries, such as healthcare in the United States,[4] and generally under the Privacy laws of Canada,[5] the patient (or data subject, as appropriate) of the Cloud Vendor’s client – who is therefore not in direct privity of contract with the Cloud Vendor – will have a right to access and track, and by implication to correct errors in, their own personal data.  In a growing number of jurisdictions, the right of governments to access data on individuals with or without warrants, and with or without notification to the subject individual, is expanding.  Without a doubt, new legislation will be created, or existing legislation will be interpreted, to permit the accessing of this information in the hands of the Cloud Vendor, without notice to the Customer, or to the third-party customer as patient, for example.  This complicated mix of privacy, information technology, National Security, and contract should be closely watched, bracketed, predicted and controlled by appropriate and adequate insurance and drafting, and disclosed in advance by all parties collecting or holding information on individuals, and to all parties considering the use or offering of Cloud-based or Cloud-amenable services.

(d) Server location is a critical issue that may feed or impede point (c).  Having your data in the jurisdiction or jurisdictions that you know will always let you more easily manage those hiccups that may occur from time to time.  Going after your data in a jurisdiction where you don’t speak the language, where you are unfamiliar with the laws, or where there is hostility to you or to one or more of your Cloud Vendors or your government, will always make data recovery and re-custody that much harder.[6]  Some commentators and practitioners in the field have alerted others to the danger of employees and contractors working with Trade Secrets and other critical information on mobile media and otherwise through the Cloud, including by backing up devices; even going so far as to say that “no” Trade Secrets should ever be put on the Cloud, at least not yet.[7]  This is a legitimate concern, and cannot be lightly dismissed, because, as they point out, nobody really wants to be that first test case.  However, with many industries, including the legal profession,[8] moving to the Cloud – albeit cautiously – I think the genie is already pretty much out of that lamp.

(e) Insolvency can be a very complex area with regard to a Cloud Vendor, itself in distress, or when a holder of Intellectual Property Rights (I.P.R.) or an I.P.R. licensee is in distress and a Cloud Vendor gets caught in the middle.  Under recent caselaw in the United States of America, we have seen that sometimes the court will decide that the proper venue is that where the injury is deemed to have taken place and thereby where the I.P.R. claimed to have been violated, were originally held.[9]  Where does this leave the Cloud Vendor that provides the means to access that material across jurisdictions?  Sometimes, the court will refuse to permit a foreign licensor in receivership or a similar insolvency situation, to disclaim or otherwise curtail or constrain the I.P.R. licenses granted to United States entities.[10]  Where does this leave the Cloud Vendor who can be sued by one or both sides for compliance and non-compliance alike, and for contributory infringement,[11] or as an accessory to, or as a first party in, I.P.R. infringement?[12]  Foresight, experience, broad practice area knowledge, and good drafting can address some, but not all of the potentially very serious wrinkles that might very easily arise.

Uptime and SLAs: Service Level Agreements (SLAs) run from light, through adequate, to (almost) iron-clad.  Some Cloud Vendors will want to exclude mandatory downtime for maintenance and upgrades, or for addressing user-generated issues (such as hacks and malicious code), and the customer, depending on its business model and leverage, may or may not agree or even be comfortable with this.  In addition, many Cloud Vendors will want to limit the available remedies for failing to meet stated or contracted-for SLAs to service credits, exclusively.  Hence, SLAs must always be cautiously and thoughtfully negotiated.  However, some Cloud Vendors will offer a set menu from which to choose, in which case a potential customer should choose wisely, because when things go wrong, as they well may,[13] downtime could be extensive.[14]

Legal and Liability Issues: There are an appreciable number of legal and liability grey areas that remain to be addressed by contract or legislation, and I have addressed some of these in the foregoing.  Now, the transfer of personal data between jurisdictions in North America and the Pacific Rim has also been eased by the recent establishment of the Asia-Pacific Economic Cooperation (APEC) Privacy Rules, involving 21 (“twenty-one”) nation-parties.[15]

Technical Issues: These mainly revolve around security, privacy, and e-Discovery.  The truth of the matter is that most people are already using, often heavily, some form of Cloud.  Examples include BlackBerry,[16] Google,[17] Hotmail,[18] and Gmail,[19] for a host of social media, email, regimented,[20] and telecommunications (“Smert”) applications.  2011 alone has seen technical challenges identified for all of these 4 (“four”), some other known or knowable risks,[21] and spectacular failures to failover.[22]

In terms of privacy and security, the potential to use a Cloud service for wrongdoing[23] has heightened the awareness of the public, of legislators, and of law enforcement and national security entities and their operatives, globally,[24] as to the obvious security and privacy challenges presented by this platform.

Indeed, with the move to criminalize so much misconduct involving e-Commerce and the Internet, a test case will surely come when an as yet unknown Cloud Vendor in e-Discovery, and using a 5th Amendment argument,[25] finally and successfully refuses to turn-over discoverable records that are clearly within its possession or control – whether or not those records are ultimately its own – that may, or indeed, would, tend to incriminate it for some bad act or acts, whether in doing a thing, failing to do a thing, or having a wanton or reckless disregard for risks of harm from doing or not doing a thing.[26]

SUMMARY? (in a way, somewhat):

I say “in a way”, because this fast-moving business platform that touches so many areas of law, as I described in an earlier blog,[27] cannot be so easily summarized.  Many honest I.T. professionals will tell you that their skills can be fast outpaced by the market, very easily, if they do not work very hard to stay current and abreast of developments in the industry.  I do not think you can identify too many weather systems, if any (at least not on this planet of ours), that just stay over the same spot of geography with clouds, rain, high winds, thunder, and lightning that does not stop, waver, or let the sun in now and then.

The above, however, is still a handy checklist to have and consider when looking at the Cloud industry and its development over the coming little while.  The Cloud Vendor contracts may be or become quite complex, if you are a potential Cloud customer, and the customer demands or prerequisite requirements may be or become almost impossible to meet, if you are a prospective Cloud Vendor.  However, seasoned and knowledgeable legal counsel, properly structured insurance coverage, and due diligence coupled with stringent and zealously enforced internal controls, including Social Media usage policies, may still let some or all of those involved, sleep soundly.

Sweet dreams, then, count the sheep well, and don’t forget to set your alarm.  Happy New Year, 2012.

Author:

Ekundayo George is a Sociologist, Lawyer, and Strategic Consultant, with experience in business law and counseling, diverse litigation, and regulatory practice. He is licensed to practice law in Ontario, Canada, as well as multiple states of the United States of America (U.S.A.); and he has published in Environmental Law and Policy (National Security aspects).

Hyperlinks to external sites are provided as a courtesy and convenience, only, and no warranty is made or responsibility assumed for their content, accuracy, or availability.

This article does not constitute legal advice or create any lawyer-client relationship.


[1] Peter Mell and Timothy Grance.  Computer Security Resource Center of the National Institute of Standards and Technology (NIST). The NIST Definition of Cloud Computing: Recommendations of the National Institute of Standards and Technology.  Published in September 2011, at Section 2.  Available at: http://csrc.nist.gov/publications/nistpubs/800-145/SP800-145.pdf

[2] Greg Markey.  Ottawa Business Journal.  Building data storage capacity.  Published on December 21, 2011.  Available at: http://www.obj.ca/Technology/2011-12-21/article-2844044/Building-data-storage-capacity/1

[3] Division of Corporation Finance, United States Securities and Exchange Commission (SEC). CF Disclosure Guidance: Topic No. 2 – Cybersecurity. Released October 13, 2011.  Available at: http://www.sec.gov/divisions/corpfin/guidance/cfguidance-topic2.htm

[4] Under Section 13405 of the HITECH Act, an individual has rights: in subsection (a), to restrict a Covered Entity’s disclosure of their Electronic Health Records (EHR) including Protected Health Information (PHI) and electronic Protected Health Information (ePHI) in certain cases; in subsection (c), to request and receive an accounting of all disclosures of their PHI and ePHI by a Covered Entity; in subsection (d), to be protected against the sale of their PHI and ePHI without “a valid authorization that includes, in accordance with such section, a specification of whether the protected health information can be further exchanged for remuneration by the entity receiving protected health information of that individual”; and, in subsection (e), to request and receive a copy of their EHR, PHI and ePHI, or designate that said records in the hands of a HIPAA Covered Entity be sent or transmitted to “an entity or person designated by the individual, provided that any such choice is clear, conspicuous, and specific.”  See: Section 13405, Title XIII ELECTRONIC HEALTH RECORDS. American Recovery and Reinvestment Act of 2009 (ARRA), Pub. L. 111-5, as signed into law on February 17, 2009.

[5] As provided in 4.9, Principle 9 (Individual Access), of Canada’s federal Personal Information Protection and Electronic Documents Act (PIPEDA): “Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.”  See generally PIPEDA, SCHEDULE 1 (Section 5). PRINCIPLES SET OUT IN THE NATIONAL STANDARD OF CANADA ENTITLED MODEL CODE FOR THE PROTECTION OF PERSONAL INFORMATION, CAN/CSA-Q830-96.

[6] Rob McCauley and Ming-Tao Yang.  Finnegan, Henderson, Farabow, Garrett & Dunner, LLP.  Rob McCauley and Ming Yang Discuss the Impact of Cloud, Mobile, and Social Technologies on Trade Secret Law, Podcast, released on December 5, 2011. Available at:  http://www.finnegan.com/lawyers/bio.aspx?lawyer=8a4f9668-a2be-4fc9-8700-800969d07a0&mode=podcasts

[7] Id.

[8] See, e.g., United Kingdom, Information Commissioner’s Office (ICO), Advocate’s legal files lost after unencrypted laptop theft. News release: 16 November, 2011.  Available at: http://www.ico.gov.uk/news/latest_news/2011/advocates-legal-files-lost-after-unencrypted-laptop-theft-16112011.aspx  Lawyers may well be moving to the Cloud, but even offline, significant risks remain that need to be addressed.

[9] See generally Penguin Group (USA) Inc. v. American Buddha, 16 N.Y. 3d 295 (2011), No. 7, 2011 WL 1044581 (N.Y. Mar. 24, 2011), where the New York Court of Appeals first noted that §302(a)(3)(ii) of the New York Civil Practice Law and Rules (C.P.L.R.) gave 3 options to determine the situs of the injury, being: “(i) any place where plaintiff does business; (ii) the principal place of business of the plaintiff; and (iii) the place where plaintiff lost business” (16 N.Y.3d at 304).  But then, the New York Court of Appeals determined that due to the ubiquity of the internet and the potential for global and near instantaneous infringement, the best choice was (ii), the principal place of business of the I.P.R. holder, for purposes of establishing personal jurisdiction in that modern-day copyright infringement case (16 N.Y.3d at 307).

[10] In the United States Bankruptcy Court for the Eastern District of Virginia, the court found that it would be against United States public policy to permit the domestic application, in America, of the result of a German insolvency proceeding that would have deprived U.S. I.P.R. licensees of the use of patents granted by a foreign entity that was no longer solvent, under German law.  See In Re Qimonda AG, 433 B.R. 547 (E.D. Va. 2010); decided on October 28, 2011.

[11] Thankfully, the Supreme Court of Canada (SCC) recently ruled that linking to a libelous blog was not, without more, sufficient to hold the linker additionally liable for “publication” of that defamation.  See Crookes v. Newton, 2011 SCC 47 (CanLII); decided on October 19, 2011.  Perhaps a Cloud Vendor so implicated under Canadian law might find a way to avail itself of this very solid precedent; which may also one day be analogized and/or stretched to work with “like”, “friend”, and “follow”, but for obvious reasons, perhaps not with “retweets”.   Available at: http://www.canlii.org/eliisa/highlight.do?text=crookes+v+newton&language=en&searchTitle=Search+all+CanLII+Databases&path=/en/ca/scc/doc/2011/2011scc47/2011scc47.html

[12] Amazon recently introduced the Cloud Drive and Cloud Player services, that permit “customers to upload music files to private, user-specific online drives (the Cloud Drive) and then listen to these files remotely using the Cloud Player”.  Questions have been raised, and linger, about issues of I.P.R. management and infringement in relation thereto.  See generally Nickolas B. Solish. The Law of Tomorrow Today.  Is Amazon’s Head in the Clouds?  Published on May 4, 2011.  Available at: http://lawoftomorrow.com/2011/05/04/is-amazon%E2%80%99s-head-in-the-clouds/

[13] On Thursday, April 21, 2011, the Amazon Web Service (AWS) suffered a significant outage as a result of an incorrectly performed capacity upgrade.  A cascading failure of attempted but incomplete re-mirroring efforts resulted in a number of Amazon Elastic Block Store (EBS) volumes becoming stuck and failing to receive or transmit further instructions, and an even larger impact on the Relational Database Service (RDS), which utilizes multiple EBS volumes.  Amongst the lessons learned, Amazon stated an intention to: alter its procedures (increasing automation to reduce the chance of future human error); modify its platform (for more robust capacity planning and alarming and redundancies to better deal with large scale failures); and its processes (finding and fixing hitherto unknown bugs that cause such events to cascade to so elevated a degree of systemic severity).  See generally Amazon.com.  Summary of the Amazon EC2 and Amazon RDS Service Disruption in the US East Region; Undated.  Available at: http://aws.amazon.com/message/65648/

[14] From one commentator closely following that April, 2011 Amazon outage, we learn that EBS are spread across multiple Availability Zones (AZ), within each Region of operation.  The above-referenced Amazon outage was especially significant in its impact on those multiple AZ, and therefore upon clients of Amazon’s Elastic Compute Cloud (EC2) that should have been insulated from one another and from any failure in a distinct subsection of a platform that was, logically if not geographically, so widely distributed.   See Cade Metz in San Francisco.  Infrastructure.  Amazon outage spans clouds ‘insulated’ from each other – not what it says on the tin.  Published on April 21, 2011.  Available at: http://www.theregister.co.uk/2011/04/21/amazon_web_services_outages_spans_zones/print.html

See also Cade Metz in San Francisco.  Infrastructure.  Amazon cloud still on fritz after 36 hours “All hands on deck”.  Published on April 22, 2011.  Available at: http://www.theregister.co.uk/2011/04/22/amazon_elastic_compute_cloud_still_experiencing_problems/print.html

[15] The United States Federal Trade Commission (FTC) announced the inauguration of the APEC Cross-Border Privacy Rules on November 14, 2011.  The 21 (“twenty-one”) APEC members, are: Australia, Brunei, Canada, Chile, China, Hong Kong, Indonesia, Japan, Korea, Malaysia, Mexico, New Zealand, Papua New Guinea, Peru, the Philippines, Russia, Singapore, Taiwan, Thailand, the United States of America, and Vietnam.  Press Release available at: http://www.ftc.gov/opa/2011/11/apec.shtm  As separately implemented, developed, and enforced by each jurisdiction of application, the APEC Privacy Rules are to generally adhere to the 7 (“seven”) principles underlying the E.U. Directive on the Protection of Personal Data, being: Notice, Choice, Onward Transfer, Security, Data Integrity, Access, and Enforcement.  It is interesting to note that while the emphasis is or appears to be on greater monitoring and controls on the Western side of the Atlantic, there is a tendency on the eastern side of the Atlantic to favor a more liberal model.  See e.g. Scarlet Extended SA v. Société belge des auteurs, compositeurs et éditeurs SCRL C-70/10; decided on November 24, 2011 (I.S.P.s cannot be obligated to implement a general monitoring or filtering policy, as it would infringe fundamental rights and Directives applicable in the E.U.)

[16] There was a service outage in the BlackBerry service of Research In Motion (RIM), in October, 2011.  See e.g. Research In Motion. BlackBerry Service Update; visited on December 27, 2011.  Available at: http://www.rim.com/newsroom/service-update.shtml  See also Charles Arthur.  guardian.co.uk. BlackBerry outage: RIM boss’s YouTube apology in full, with transcript.  Published on Thursday, October 13, 2011.  Available at: http://www.guardian.co.uk/technology/2011/oct/13/blackberry-outage-rim-apology-youtube

[17] There was a service outage at Google on September 7, 2011, where again, as with Amazon, an attempted upgrade exposed a hitherto unforeseen technical issue.  See e.g. Official Google Enterprise Blog. What Happened to Google Docs on Wednesday.  Published on Friday, September 9, 2011. Available at: http://googleenterprise.blogspot.com/2011/09/what-happened-wednesday.html

[18] There was a service outage at Microsoft’s hotmail service on December 31, 2010, where user mail and profiles apparently disappeared, with additional incoming messages being rejected; as first initiated by a glitch in system test procedures, and left undetected for a length of time due to a subsequent failing in the customer issue management matrix.  See generally  Mike Schackwitz.  Inside Windows Live.  What happened in the recent Hotmail outage.  Published on January 6, 2011.  Available at: http://windowsteamblog.com/windows_live/b/windowslive/archive/2011/01/06/what-happened-in-the-recent-hotmail-outage.aspx

[19] There had been an earlier service outage involving Gmail and Google Apps on February 27, 2011.  Again, as with the Hotmail outage, user mail and profiles apparently disappeared, with additional incoming messages being rejected; as first initiated by a bug “inadvertently introduced in a Gmail storage software update.” See e.g. Google Apps Masters.  Google Apps Tips.  Google Gmail Outage – February 27, 2011 – What happened to my E-mail?  Published on March 10, 2011.  Available at: http://blog.gappsmasters.com/2011/03/google-gmail-outage-february-27-2011-what-happened-to-my-e-mail/

[20] Social Media can be used for a variety of things, including networking, play, jobsearch, and actual work.  Whether one works from home, virtually, on the road, or in a bricks and mortar establishment, there will always be some boundaries, caveats, deliverables, and regulations.  This is why I use the term “regimented”, here, to mean something that has a structure, or some boundaries and rules.  It therefore covers whatever is left of the work-space.

[21] On June 22, 2011, Microsoft’s Business Productivity Online Suite (BPOS), a cloud service, suffered an outage that one commentator described as its “fourth in two months”; wherein users could not use the Exchange email servers or use the Outlook Web Access (OWA) browser client.  The same commentator reports that Microsoft alluded to the cause being a hardware issue.  See The Microsoft Update. Julie Bort.  Networkworld.  Microsoft confirms BPOS cloud outage.  Published on Wednesday, June 22, 2011.  Available at: http://www.networkworld.com/community/blog/microsoft-confirms-bpos-cloud-outage

Later, on August 17, 2011, Microsoft’s Office 365 and SkyDrive, additional cloud offerings (Office 365 having been launched on June 28, 2011, and marketed as a more robust successor to BPOS), suffered service outages.  Once again, access to email and calendars was disrupted, and this time Microsoft declined to give a reason or the cause for the outage.  The company did, however, issue a letter of apology and offer a credit to its customers.  See generally Mary Jo Foley.  All About Microsoft.  Microsoft: Here’s what caused our cloud outage this week. Published on August 19, 2011.  Available at: http://www.zdnet.com/blog/microsoft/microsoft-heres-what-caused-our-cloud-outage-this-week/10381

[22] The Cloud Foundry outage of April 25, 2011, was initially traced by the company, in total candor and transparency, to a partial loss of the power supply for a systems storage cabinet.  Then, in what was supposed to be a dry-run, tabletop exercise to establish an improved protocol for dealing with the types of events caused by that first outage, someone touched their keyboard, in unmistakable human error, leading to a second outage of April 26, 2011; and as again explained by the company in total candor and transparency.  See Dekel Tankel. Cloud Foundry Forums.  Analysis of April 25 and 26, 2011 Downtime.  Published on April 29, 2011.  Available at: http://support.cloudfoundry.com/entries/20067876-analysis-of-april-25-and-26-2011-downtime

Still on the subject of power supplies, a utility company outage in Dublin, Ireland, on August 7, 2011, first caused a service disruption in the cloud offerings of both Amazon and Microsoft, which have established significant data center facilities in that jurisdiction.  Ordinarily, backup generators would have taken over and immediately started to supply power.  However, due to the strange nature of the outage – which a number of parties including both Microsoft and Amazon had originally and erroneously blamed on a lightning strike – their emergency backup systems failed.  See Rich Miller. Data Center Knowledge. Dublin Utility: Power Outage Not caused by Lightning Strike.  Published on August 10, 2011.  Available at: http://www.datacenterknowledge.com/archives/2011/08/10/dublin-utility-power-outage-not-caused-by-lightning-strike/

[23] Dan Goodin.  Security.  Researcher cracks Wi-Fi passwords with Amazon cloud.  Return of the Caveman attack.  Published on January 11, 2011.  Available at: http://www.theregister.co.uk/2011/01/11/amazon_cloud_wifi_cracking/print.html

[24] An after-hours raid by the United States Federal Bureau of Investigation (FBI) on a Reston, Virginia data center, targeting the Lulz Security group, on Tuesday, June 21, 2011, managed to disrupt services for multiple non-targeted, innocent users.  Where one serves many, a raid on a few can still inconvenience more than the one, as discomfort is passed along.  Whether a warrant was used, I cannot say.  However, it was fortunate that the gag and delay orders on warrantless and warranted searches under antiterrorism and other laws were not.  Otherwise, the data center operator would not have been able to explain to the client what happened when the client called from Switzerland, or explain where the missing servers had gone, when someone was sent to physically determine why the services that they hosted were all down.  A report of a theft, an insurance claim, or a call to the police, would have had somewhat interesting consequences with regard to jurisdiction issues, and investigating the “disappearance”.  Would that make a false claim or report, one filed on incomplete information, or both?  For an account of that Lulz Security raid, see Verne G. Kopytoff.  NYTimes Bits blog. F.B.I. Seizes Web Servers, Knocking Sites Offline.  Published on June 21, 2011.  Available at: http://bits.blogs.nytimes.com/2011/06/21/f-b-i-seizes-web-servers-knocking-sites-offline/

[25] The Fifth Amendment to the Constitution of the United States of America provides, inter alia, that a person charged with a criminal offence under U.S. law shall not suffer compulsory self-incrimination.  To date, no corporate entity has been permitted to use this “individual” right.

However, as the proliferation of rich clients and thin clients means that Electronically Stored Information (ESI) that may be relevant to the litigation is in the custody or control of multiple, third-party data custodians, including Cloud Vendors and their associates in multiple jurisdictions, who will strenuously argue that they have absolutely nothing to do with what happens on their servers, within their social media, or otherwise, in using them as an innocent conduit, this right may very well be extended at some point; absent some legislative and global, or regional cooperative guarantees, protections, and both specific and generalized immunities, that go far beyond the simple “hold harmless, defend, and indemnify”, found in their contracts.

The United States’ Stop Online Piracy Act (SOPA) that threatens to knock websites offline, which may well include the rights of Cloud Vendors and their affiliates to “vend cloud services”, very much bespeaks caution, and is a portent of some very trying and litigious times to come for that business model, and indeed also for any and all online providers of a “one to many” service, or solution, or suite.

Indeed, the recently publicized Model Electronic Discovery Order adopted by the Advisory Council for the United States Court of Appeals for the Federal Circuit may also fall far short in the number of records custodians permitted to be listed and ordered to produce.  See generally website of the United States Court of Appeals for the Federal Circuit.  Available at: http://www.cafc.uscourts.gov/the-court/advisory-council.html; with the actual order available on that same site at: http://www.cafc.uscourts.gov/images/stories/the-court/Ediscovery_Model_Order.pdf

[26] To its credit and in demonstration of its leadership role in the field, Amazon has published and updated a whitepaper on suggested cloud best practices.  See Jinesh Varia, Architecting for the Cloud: Best Practices Whitepaper.  Version first released by Amazon Web Services (AWS) in January 2010, and last updated in January 2011.  Available at: http://media.amazonwebservices.com/AWS_Cloud_Best_Practices.pdf

[27] Ekundayo George.  Ogalaws. Well-seeding “the Cloud”: Some basic caveats and pointers in “Cloud-sourcing”.  Published in this Blog, on December 1, 2011.  Available at: https://ogalaws.wordpress.com/category/strategic-consulting/outsourcing-and-cloud-computing/
