Friday, November 14, 2008

Corporate Counsel: OPS Risk Priorities...

As General Counsel are you keeping up with the latest technology being deployed in your enterprise? Do any of your employees use Twitter? What about your "Generation Y" and the use of P2P file sharing programs. Does your CxO in charge of Safety, Security, Investigations and Corporate Integrity have the latest report on employee violations of your Information Assurance and Acceptable Use policies?

Unknown to corporate America, the popular peer-to-peer file-sharing networks that allow music and movies to be shared could be sharing something else with the public: company secrets and personal data.

Management-side lawyers are sounding alarms to their corporate clients, warning that peer-to-peer networks are increasingly becoming a gateway for trade secrets, confidential financial information and personal data.


The economy is continually downsizing and employees are now being sent home to work in "Virtual Mode" and Operational Risk loss events are matastasizing. Corporate Counsel and CxO's must provide thorough due diligence, security awareness training and effective annual audits of employees who work from home or may be perpetual "Road Warriors" hopping the globe from hotel to hotel. Why?


In 2007, Citigroup Inc.'s ABN Amro Mortgage Group reported that the personal information, including Social Security numbers, of more than 5,000 customers was leaked when a business analyst signed up to use a P2P file-sharing service on a home computer containing the personal information.


If you are a General Counsel and your organization is authorizing the use of encryption on laptops or other personal social networking sites or systems, it's imperative to pay attention to their application. The use of encryption for data security can be utilized to keep the data secure in the event of a breach or a lost digital asset. It can also be used to cloak fraudulent or criminal activities:


In an expanding probe of investment giant UBS, the Justice Department on Wednesday announced the indictment of the Swiss bank's chairman of global wealth management, accusing him of playing a key role in a tax evasion scheme to shelter secret U.S. account holders from income tax bills and drive up bank revenue.

Raoul Weil, who oversaw the Swiss bank's cross-border private banking business serving 20,000 U.S. clients, helped conceal a combined $20 billion in assets from the Internal Revenue Service, the indictment charged.

"Prosecutors said the executives and managers used nominee entities, encrypted laptops, numbered accounts and other counter-surveillance techniques to conceal their U.S. clients and offshore assets."

"If the company policy is written correctly, employees have no privacy interest in any materials created or accessed on company computers. With such a policy in place, an employer generally can review with impunity an employee's activities on the company's computer system."


Whether information is discoverable is going to be a different matter. A careful review of most social networking sites privacy policies will most likely reveal that posted information is not private, therefore discoverable. Therefore, effective legal and IT security awareness programs and education is essential in any enterprise where employees are working remotely.

The modern day General Counsel must rely on the Chief Privacy Officer working diligently with the Chief Security officer and the Chief Compliance Officer to mitigate Legal Risk. The convergence of these responsibilities lies more on the Chief Operational Risk Officer to see that all parties are synchronous in their strategies and efforts. They may be the best person to insure the entire spectrum of operational risks are being thoroughly addressed.