Online consumer security and privacy remains in the headlines as big-name companies continue to report cybersecurity breaches. Further investigations into the JPMorgan Chase cyberhack revealed that 13 other financial institutions’ computers were also breached, while Dairy Queen and Kmart’s in-store payment systems were compromised in recent hacks. In other consumer privacy news, Google added information on European de-indexing requests to its Transparency Report.
JPMorgan Chase hackers targeted 13 more financial companies
More than a month after the JPMorgan Chase cyberattack was made public, the Obama administration and top national security advisers still don’t know whether the financial company’s hack was a typical act of theft or perhaps retaliation initiated by Vladimir Putin for U.S. sanctions on Russia. In addition to JPMorgan Chase, the hackers who perpetrated the attack targeted 13 other financial institutions, including Citigroup, HSBC Holdings, E*Trade Financial and Automated Data Processing, according to a Bloomberg news report. Signs of intruders were discovered in these companies’ computers or logged by their security tools, sources said.
The FBI, the U.S. Secret Service, attorneys general from at least two states and New York federal prosecutors are also conducting investigations, as questions remain regarding the hackers’ motives and the impact of the attacks on the financial industry.
Kmart, Dairy Queen payment systems hit by cyberattacks
Two more U.S. retailers are victims of cyberbreaches that compromised their customers’ payment card information. As in the recent Home Depot breach, hackers infected in-store payment systems at Kmart and Dairy Queen with malware meant to evade antivirus software.
Kmart announced its breach last Friday; company representatives said it was attacked in early September and is working with law enforcement and forensics teams to determine the source of the attack. The company didn’t disclose how many of its stores were affected or how many cards were compromised, but said the malware has been removed from its systems.
Dairy Queen revealed last Thursday that its in-store payment systems were infected, and that it’s working with franchisees to determine which locations were affected. Details of the attacks are provided on its website. According to forensics experts, customer account numbers and expiration dates were stolen.
Google adds details on European de-indexing requests to transparency report
Google is adding a new section to its online Transparency Report called “European privacy requests for search removal,” where it’s listing details about requests for search-listing removals the company receives in Europe.
The section lays out the total number of URLs Google has received for removal, as well as the number of de-listing requests it has received. To date, Google has received 146,938 removal requests and 498,830 URLs to evaluate. The report also breaks down those numbers by European country. Overall, Google grants about 41% of requests, according to the report.
Google’s Transparency report also details removal requests from governments and courts, as well as copyright requests. In May, the Court of Justice of the European Union ruled that Google and other search engines must evaluate individuals’ requests for de-indexing, and that they can only list display results if they serve public interest.
Facebook has unveiled a new ad platform that promises marketers deeper insight into the data of billions of its users — a move that has raises big concerns among privacy advocates. Also in data privacy headlines this week: Law enforcement officials are uneasy about Apple’s and Google’s new mobile encryption policy; the EU’s antitrust agency continues to call on Google to change its search practices; and mobile developers clamor for clear-cut health data guidelines.
Facebook’s new ad platform equips marketers with deep user data
On Monday, Facebook rolled out a revamped version of Atlas, its digital advertising platform. The updated platform will allow marketers to analyze the data of Facebook’s 1.3 billion users to target ads to these individuals on other websites and within mobile apps. Atlas also provides advertisers with information that determines which ads are most successful.
With the platform, Facebook plans to compete with Google, Yahoo and other online companies’ advertising networks. But while the detailed tracking Facebook conducts on its users’ information certainly provides marketers with a uniquely valuable tool, the revamped version of Atlas has also caused consumers and their advocates to voice privacy concerns. Facebook representatives are on the record claiming that the company never reveals users’ identity to advertisers.
Law enforcement uneasy about Apple’s, Google’s new encryption policy
Both Apple and Google’s new mobile operating systems, iOS 8 and Android L, respectively, include encryption protection that doesn’t allow the companies to extract information from smartphones protected by a four-digit passcode, even when a warrant is issued. This development has spurred members of the law enforcement community, including Law Enforcement Legal Defense Fund President Ronald T. Hosko, to express concern that such policies would hinder efforts to solve crimes and punish criminals.
Apple’s and Google’s new policies “will create needless delays that could cost victims their lives,” Hosko said. He pointed out that while these policies won’t make it more difficult for law enforcement officials to intercept calls, it will be more challenging for them to access information stored on the devices.
EU’s antitrust authorities again demand that Google amend search settlement
European Union antitrust chief Joaquín Almunia is demanding that Google amend its settlement proposal for a fourth time, as antitrust authorities continue a nearly four-years-long investigation into the company’s search practices in Europe.
Almunia’s agency has been probing allegations that Google tweaks its search results in order to prioritize the company’s own products. The agency and Google reached a deal in February that would have allowed the search company to evade fines of around $6 billion if Google agreed to present rivals’ search results in a manner similar to its own. The settlement collapsed, however, when senior EU politicians and prominent publishing houses criticized the decision and called for authorities to diminish Google’s dominance of the search market.
Mobile app startups pursue developer-friendly health data guidelines
Earlier this month, a group of mobile app developers filed a letter of complaint to Rep. Tom Marino (R-Pa.) regarding the lack of current online guidance concerning the Health Information Portability and Accountability Act’s patient health information privacy rules. The App Association, a group that claims to represent 5,000 mobile app providers, was among the letter’s signers.
Developers say it’s difficult to compete with larger rivals that have the means to hire legal experts, while startups must rely on out-of-date information available on government websites, according to Reuters. The group of developers also requested resources including better guidance for storing health data in the cloud, as well as increased participation by members of the Department of Health and Human Services in mobile health events.
Five former Home Depot employees claim the company lacked adequate customer data protection tools and that executives discouraged security system improvements that could have helped prevent the widespread hack of its payment systems earlier this month. Also in compliance and governance news this week: The Securities and Exchange Commission (SEC) vowed to put insider trading practices under closer scrutiny, and a study found that good corporate governance, combined with environmental and social factors, contribute to better stock performance.
Former Home Depot staffers reveal inadequate customer data protection
Home Depot’s in-store payment system did not include encryption tools to protect customers’ payment card data, according to five former employees interviewed by Bloomberg Businessweek. This vulnerability possibly opened the door for the payment system hack that could have begun in early April; the company revealed it Sept. 8.
One former information security manager also disclosed that a Symantec check of Home Depot’s security systems two months ago revealed out-of-date antivirus systems. The former staffers also claimed there was high employee turnover in the company’s information security department, and that technology executives preferred “C-level security” processes because ambitious upgrades would have been too expensive.
SEC fines corporate executives for late insider trade notices
The SEC has filed charges against 36 companies and individuals for allegedly failing to comply with security rules for reporting insider transactions. These charges are part of a broader SEC strategy to take a closer look at how executives and insiders manage stockholdings and trades.
The SEC used algorithms to identify insiders who allegedly broke the rules, including 13 officers and directors, 15 shareholders and six companies. The cases showed filing delays of insider transaction reports that ranged from weeks to years. Except for one case still being contested, all enforcement actions were settled for sanctions that totaled $2.6 million.
Andrew Ceresney, the SEC’s enforcement chief, said that the actions were “the first time where we have systematically brought a series of cases in this area,” and that their purpose was to urge companies, investors and executives to improve compliance. Some legal experts, however, felt that such technical rule breaches are low-hanging fruit for the SEC when compared with proving insider trading by company executives.
Governance, environmental and social factors boost stock performance
Improving compliance processes benefits the business, according to a study conducted by the Smith School of Enterprise and the Environment at the University of Oxford and Arabesque Asset Management. The study found that companies that practice good corporate governance and target environmental and social issues improve stock price performance and lower capital costs. Workforce relations, environmental management and executive compensation all had a strong effect on these improvements, according to the study.
“We believe that the most successful future investors will be those with continuous research programmes that analyze a range of ESG (environmental, social and governance) factors,” said Andreas Feiner of Arabesque. The report was based on about 200 academic research studies, industry reports and books.
Apple security under fire in iCloud celebrity hack
Apple announced Tuesday that it would probe media reports suggesting that vulnerabilities in iCloud, its online storage service, led to the hacks of celebrities’ accounts last weekend. In one scenario, a GitHub user found a weakness in Apple’s Find My iPhone app, an iCloud service that tracks an iPhone’s location and allows its user to remotely disable it, according to a post on the online code-sharing site. The vulnerability could have allowed the hacker to perform “brute force” attacks until the correct passwords were identified.
Rich Mogull, chief executive of security research and advisory firm Securosis, told the Wall Street Journal it’s possible that hackers exploited the Find My iPhone bug, but added it’s more likely that they hacked the celebrities’ individual accounts.
Apple said in a statement that the hacks were a result of hackers deducing the victims’ login credentials by targeting user names, passwords and security questions, and not by breaching Apple’s security systems. The company did, however, patch a flaw in its Find My iPhone app that security experts said could be partially responsible for the leak.
Apple’s efforts to ensure that HealthKit is compliant with U.S. regulatory requirements is noteworthy as health data has gained value with advertisers, according to Forbes, which cited a Senate Commerce Committee report that said companies are developing databases consisting solely of people’s health-related information. Apple’s new privacy rules allow developers to share users’ health data with third parties “for medical purposes,” which could potentially be a loophole in the policy. Developers will, however, need users’ permission to do so.
Microsoft defies U.S. data search ruling
Microsoft is still standing its ground against Judge Loretta Preska’s ruling to turn over customer emails and records stored at its Ireland data center. In July, Judge Preska upheld a U.S. magistrate judge’s ruling that because Microsoft can control data stored physically in Ireland without actually entering the country’s domain, the data’s location isn’t relevant and Microsoft must comply with a government search warrant for that data. Microsoft argued that user emails should be afforded the same legal protections as U.S. mail and phone conversations.
Microsoft said that it will not be turning over the customer records and will bring the case to the appeals court. AT&T, Apple and other tech heavyweights are submitting briefs to support Microsoft’s defiance of the search warrant.
E.U. reforms data protection law to include steeper penalties
The E.U. will soon reform its 1995 data protection rules in an effort to unify legislation across Europe and strengthen privacy guarantees, as well as enforce steep penalties should the new rules be violated. Under the reforms, the responsibility for violations would be shared between the organizations that own the data, or data controllers, and data processors, such as cloud providers that store the data.
Peter Groucutt, managing director at cloud backup provider Databarracks, told Business Cloud News that the proposed reforms could spur organizations to toughen their IT security policies. Additionally, the upcoming changes could help chief security officers acquire greater security funding due to the number of potential fines, which make it a priority for boards of directors, he added.
U.S. companies, particularly those in the financial services industry, continue to wrestle with compliance regulations: Recent headlines show that the current regulatory environment remains a top issue for CEOs and that many companies have difficulty measuring the effectiveness of compliance training programs. Meanwhile, in recent weeks, PricewaterhouseCoopers was fined for watering down a bank report, and a complaint filed with the Federal Communications Commission (FCC) alleges that 30-some U.S. tech giants are violating Safe Harbor agreements.
Regulatory issues No. 1 challenge for U.S. CEOs
The regulatory environment in the wake of the recent recession is the top issue that could have the most impact on business operations, according to a Forbes Insight and KPMG study. Of the 400 U.S. CEOs surveyed across all major industries, 34% reported spending more time with government officials and regulators than they did before the downturn, or are considering doing so.
Financial services is among the sectors most affected due to the sheer number of regulations requiring transparency and risk reduction processes, according to Forbes. Companies also face additional regulatory costs, such as those related to revamping data monitoring systems to remain compliant. KPMG representatives advised CEOs to extract business value from mandated compliance processes, such as by using regulatory data to analyze sales and compile insight into product profitability.
PwC hit by penalties for diluting bank report
Wall Street consulting firm PricewaterhouseCoopers (PwC) is facing heat from New York financial regulators. The firm, according to interviews and confidential documents reviewed by The New York Times, watered down its report on one of the world’s largest banks, Bank of Tokyo-Mitsubishi UFJ. PwC agreed to pay a $25 million fine, and one of its regulatory consulting units cannot undertake assignments from New York-regulated banks for two years.
In 2007, the Bank of Tokyo-Mitsubishi recruited PwC to quantify its improper transactions with U.S.-blacklisted countries. The initial draft of PwC’s report showed that the bank excluded names of Iranian customers to evade detection. The consulting firm, however, under pressure from Bank of Tokyo-Mitsubishi’s legal team and executives, deleted or diluted harsh characterizations and critical passages when it filed the report, according to the Times‘ sources.
This case highlights how authorities are reassessing their relationships with consulting firms, according to the Times. While regulators have previously ignored these firms’ potential conflicts with banking institutions, federal authorities are now releasing guidelines for employing consultants.
Compliance officers struggle to measure training effectiveness
Many firms, especially those in financial services, have improved their compliance and ethics training programs but are finding it difficult to measure their efficacy, according to two Navex Global researchers who spoke with Thomas Reuters. Chief compliance officers also have difficulty making a business case for investing in such programs, said the researchers.
The best training programs, the researchers found, are those customized to the needs of a particular job and contribute to an organization-wide “culture of compliance” that encourages ethical behavior. There is a gap in compliance training, the researchers said, because effectiveness measures vary widely. To improve training, the researchers advised partnering with other business groups within an organization to draw on their expertise, as well as investing more in manager training.
U.S. tech titans violating Safe Harbor, FTC complaint claims
More than 30 large tech companies are violating their Safe Harbor commitment to keep European citizens’ data private, according to a complaint filed with the Federal Trade Commission (FTC). The Washington, D.C.-based Center for Digital Democracy (CDD) claimed that these firms, which include AOL, Adobe, Salesforce, Datalogix and Marketo, are “compiling, using and sharing EU consumers’ personal information without their awareness and meaningful consent.”
In the complaint, the CDD also claimed that the aforementioned tech firms are involved in “data profiling,” entangled in a “web of powerful multiple data broker partners who, unknown to the EU public, pool their data on them so they can be profiled and targeted online.” It also alleges that the FTC is failing to enforce Safe Harbor regulations by neglecting to impose sanctions. Currently, the U.S. and EU are negotiating a new data privacy agreement that could give European citizens the same rights of redress as U.S. citizens should their data be used wrongly.
The Internet user privacy debate is raging on multiple fronts lately, and some big names in the technology industry are getting in on the action. In the past few weeks, Facebook saw a European privacy group challenge the social media giant’s data use policy, Microsoft lost a battle over its user data stored abroad and Google used email scans to clue police in on a child abuser’s identity. The debate probably won’t end any time soon, either, warned a recent HP study on the mounting susceptibility of data on connected devices.
Facebook faces lawsuit from EU privacy group
The privacy advocacy group Europe vs. Facebook has instigated an international class action lawsuit against Facebook’s Irish subsidiary, Facebook Ireland, in the latest chapter of a years-long legal battle.
The class action suit now has approximately 11,000 participants, Europe vs. Facebook told TechCrunch, and targets a number of Facebook business practices that the group says violate privacy and consent policies under the EU Data Protection Law. The suit accuses Facebook of violations that include enacting a legally invalid data use policy, passing unauthorized user data onto external applications and tracking user activity on external websites via “Like” buttons.
The lawsuit seeks €500 (about $668) in damages per user. “We are only claiming a small amount, as our primary objective is to ensure correct data protection,” said Europe vs. Facebook’s leader Max Schrems, an Austrian lawyer and activist. “However, if many thousands of people participate, we would reach an amount that will have a serious impact on Facebook.”
U.S. judge rejects Microsoft’s protection of overseas data
U.S. Federal Judge Loretta Preska has ruled against Microsoft’s challenge to a search warrant seeking an unidentified user’s emails and records stored in an Ireland data center. Microsoft argued that U.S. prosecutors do not have the authority to seize data stored in Ireland without permission from the local government because U.S. law does not apply there. The company has also argued that emails are a personal form of communication that belongs to the user. “What is at stake is the privacy protection of individuals’ email and the ability of American tech companies to sustain trust around the world,” Bradford L. Smith, Microsoft’s general counsel, told the New York Times.
However, Preet Bharara, U.S. Attorney for the Southern District of New York, argued that Microsoft’s analysis is wrong, and that overseas records must be turned over domestically when a valid subpoena, order or warrant is presented. Judge Preska concurred, declaring that because Microsoft is able to control the information without physically entering Ireland’s sovereignty, it must comply with a warrant for said data. Preska put the ruling on hold while Microsoft files an appeal. Major technology companies, including Apple, Verizon and AT&T, have filed briefs supporting Microsoft’s argument.
Google alerts authorities of child abuse after email scan
Another recent event illuminated Google’s role in policing the Web: After Google allegedly detected explicit images of a young girl in a user’s email, it alerted the National Center for Missing and Exploited Children. The Center then informed Houston police, who arrested and charged 41-year-old convicted sex offender John Henry Skillern with possessing child pornography.
Google works with the Internet Watch Foundation to help identify and remove child abuse images from its search engine and subsequently report them to authorities. The arrest, however, raised email privacy questions. While many know that Google automatically scans its users email accounts to produce targeted ads within Gmail, “Gmail users will certainly be interested to know what action Google proactively takes to monitor and analyze Gmail messages for illegal content,” said Emma Carr, acting director of privacy lobby group Big Brother Watch.
HP study cautions that many common IoT devices at risk
As the Internet of Things (IoT) proliferates, privacy issues will likely spread as well: A recent study conducted by Hewlett-Packard (HP) found that about 80% of IoT devices raise privacy concerns, and about 70% are vulnerable to getting hacked or compromised.
The study tested 10 of the most common smart devices, including TVs, webcams and home thermostats. Each device, the study claims, had approximately 25 vulnerabilities. Many of the study’s findings were related to insufficient password strength and poor data protection: 70% of the devices did not encrypt communications to the Internet and local network; 80% failed to require passwords of adequate length or complexity; 70% used unencrypted network services; and 80% put their users’ data at risk of being intercepted through cloud services.
“While these devices have made life easier, they’ve also created new attack vectors for hackers,” read the report regarding IoT devices. Gartner predicts that there will be 26 billion IoT devices by 2020, which HP warned will open even more avenues for hackers.
Organizations of all stripes are feeling the impact of mounting risk. In the past few weeks alone: Wall Street’s big banks reacted to a changing regulatory landscape; a new survey found that many companies do not have an adequate enterprise risk management strategy; and chief information security officers (CISOs) reported that their role is among the most challenging in their organization.
Banks cut assets, boost compliance efforts in response to Dodd-Frank
Pressure from federal regulations such as the Dodd-Frank Act and from the Federal Reserve’s yearly “stress tests” are driving Wall Street’s larger banks to pull away from short-term funding activities. This includes cutting back on certain types of trading, as well as selling profitable businesses and assets that could attract further regulatory scrutiny, The Wall Street Journal reported.
Morgan Stanley slashed its assets by one-third since 2008′s financial crisis and has downsized its fixed-income trading activities. Bank of America Corp. has cut more than $70 billion worth of businesses and assets since 2010, including private-equity investments and some credit-card businesses.
Large banks are also hiring more employees focused on regulatory and compliance efforts. J.P. Morgan Chase, for instance, will add 13,000 staffers dedicated to regulatory compliance by year’s end, while Citigroup plans to end 2014 with about 30,000 compliance-focused employees on its payroll — a 33% increase from 2011.
While these extra compliance efforts might appear promising to bank regulators, many lawmakers worry that more severe measures are necessary as some banks engage in perceived high-risk behavior to compensate for slow economic growth, the WSJ reports. Certain policymakers feel that harsher legislation is needed to counteract banks that are “too big to fail.” Current legislative proposals range from breaking up megabanks to imposing additional taxes on large financial companies.
Survey: Enterprises need stronger risk management strategy
A survey by nonprofit business research firm APQC polled almost 100 senior financial executives from large public and private companies and found that while the majority of these companies have strategic risk management processes in place, fewer than one in five effectively manage them. These “strategic risks” include regulatory and cybersecurity threats, supply chain interruption and failure to innovate.
Furthermore, two-thirds of these organizations reported lacking a method to ensure that their strategic plans account for these risks, and 43% said they don’t have a concrete process for reporting strategic risks to board members.
To avoid problems that could arise from strategic risks, APQC recommends teaching board members and executives a common risk language, as well as improving processes for monitoring, assessing and reporting business risks.
Many CISOs view their job ‘thankless’
The CISO role didn’t exist at many companies a decade ago, but it is becoming an increasingly common — and challenging — job at most organizations. These executives bear the blame in the event of a security breach and must also stay ahead of increasingly sophisticated cybercriminals from all over the globe, ensure compliance with mounting regulations, and manage BYOD, to name just a few responsibilities. On top of these hurdles, many new security products available to CISOs fail, making it tough to discern which tools to trust.
These challenges have made the CISO post more critical than ever, and companies are offering annual salaries that range from $188,000 to $1.2 million. Still, many view the job as a thankless one, The New York Times reported. According to a Ponemon Institute study conducted last year, many CISO respondents rated their job as “the most difficult” in their organization, and most said their job was a bad one or the worst they’ve ever had.
The post is so high-pressure that many CISOs end up leaving it after two years — either voluntarily or not, according to the study. High-profile examples of post-data breach resignations include the CISOs of the state of Utah and Yahoo.
To prepare themselves for the CISO position, candidates ought to accept that there is no cybersecurity cure-all and that their best bet for success is a combination of effective technologies, hiring the best talent and good luck, according to the Times. The CISO must also be ready to communicate to board executives the inevitability of breaches and the need to allocate an adequate percentage of the IT budget to security.
Data privacy continues to make waves, both in the U.S. and abroad, as recent tech headlines highlighted the Obama administration’s promise to extend data protection rights to European citizens and a Supreme Court cell phone privacy ruling. Also attracting attention in recent weeks: how increasing consumer data risks and compliance regulations are driving demand for GRC professionals.
U.S. pledges data protection for EU citizens as Microsoft pushes for user privacy
Last week, the Obama administration promised legislation to grant EU citizens the same data privacy rights that U.S. citizens enjoy under the Privacy Act. U.S. Attorney General Eric Holder said that under the proposed bill, European citizens would have the right to “seek judicial redress” from the U.S. government if their private information is intentionally released or misused. Holder made the announcement at last Wednesday’s EU-U.S. Ministerial Meeting on Justice and Home Affairs in Athens.
The bill would apply to EU citizens being transferred to the U.S. for law enforcement purposes. It would be part of a data protection agreement the EU and the U.S. have been negotiating since 2011 as part of their efforts to combat terrorism, including investigations into foreign fighters traveling to Syria.
The announcement was met with skepticism by both the EU and human rights groups, which considered it a welcome development, but deemed the promise vague and in need of more concrete legal action. “Words only matter if put into law,” EU Justice Commissioner Viviane Reding said in a statement. “We are waiting for the next legislative step.” Human rights and privacy groups said that the promise does little to address other issues created by the mass global surveillance conducted by the NSA and its partners.
Microsoft is among the many technology companies that have also been critical of U.S. data collection practices. The tech giant’s general counsel has been on a months-long public campaign calling for the U.S. government to take legal measures to preserve citizens’ information privacy rights. Microsoft’s Brad Smith said last Tuesday that the Obama administration must significantly reform U.S. surveillance practices so that people can feel comfortable using technology to store their information. Earlier this year, Smith used Microsoft’s blog to inform users that it will no longer examine private information in their email accounts, even if the company is examining its own intellectual property theft.
Supreme Court’s cell phone ruling could impact health industry
A U.S. Supreme Court unanimous ruling last Wednesday found warrantless cell phone searches for law enforcement purposes a violation of the Fourth Amendment, in part because of the devices’ potential to hold personal healthcare data. The court decided that cell phones are different from other physical evidence due to their large storage capacities and ability to access information stored in the cloud. “There is an element of pervasiveness that characterizes cell phones but not physical records. Prior to the digital age, people did not carry a cache of sensitive personal information with them as they went about their day,” the opinion stated.
The ruling covers sensitive, private health data that might be contained in cell phones, The Washington Post‘s Morning Mix blog pointed out. For example, warrantless cell phone searches could reveal an individual’s private browsing history that might include searches for “symptoms of a disease, coupled with frequent visits to WebMD,” the ruling noted. Mobile devices could also disclose certain drug addictions or a person’s pregnancy status.
The decision could affect the healthcare industry from a patient privacy standpoint, iHealthBeat commented. For example, the ruling could provide more guidance over who has access rights to patients’ data and medical records.
Companies hire more GRC officers in response to breaches, regulations
There is increasing demand for data governance and risk management professionals to protect organizations from serious legal implications or financial fallout in the event of a data breach. A contributing GRC factor is data protection legislation expected to be enacted sometime this year, according to the Data Protection Commissioner’s Statement of Strategy for 2014 to 2016, which outlines which organizations it will audit and the standards they must follow. These increasing pressures, as detailed in the Silicon Republic, have led to the corresponding rise in demand for GRC professionals, particularly IT auditors.
As regulatory pressure stemming from the 2008 financial crisis continues, financial institutions have responded by hiring more senior-level risk officers, increasing their compensation and arming them with more leverage in the business’ decision making, the Wall Street Journal reported. Senior risk officers earn 40% more than they did a few years ago, according to a report from the Office of the Comptroller of the Currency (OCC). Additionally, three times as many people passed a risk management exam from 2010 to 2013 than from 2004 to 2007, according to the Global Association of Risk Professionals. Such developments are very costly for financial organizations, given recent dips in trading revenue and slow loan growth. But they have little choice in the matter, given Dodd-Frank and other post-crisis regulations enacted to limit these institutions’ risk taking.
Regulations issued in February require that by 2016, the largest bank-holding institutions in the U.S. must appoint a chief risk officer and establish a risk committee within their board of directors. These rules also require large banks to produce detailed statements on the type and quantity of risk they’re willing to take to meet financial goals, and risk officers are encouraged to lead the charge on investigating large losses.
Big data was (unsurprisingly) in the spotlight in recent headlines, with a particular focus on consumer data privacy.
‘Privacy paradox,’ compliance costs challenge data-driven companies
The proliferation of smartphones and the convenience of such Internet services as online marketplaces have both consumers and data-driven businesses elated — but only to a point, says New York Times Bits blogger Steve Lohr, drawing from a recent study on global privacy survey. As consumers clamor for even more easy-to-use online services, 87% of respondents “strongly agree” that the government should step in and prohibit businesses from brokering data without their opt-in consent, according to the EMC-sponsored study. Additionally, 51% of this global pool of 15,000 consumers pointed to “businesses using, trading or selling my personal data for financial gain without my knowledge or benefit” as the leading threat to their online privacy (above “lone/crazy hackers” and “my government spying on me”).
This “privacy paradox” doesn’t bode too well for businesses that already struggle to allocate huge amounts of resources to ensure compliance with privacy regulations, perhaps at the expense of R&D. A recent report by the Competitive Enterprise Institute found that compliance with federal regulations cost businesses $1.86 trillion in 2013 — more than the GDP of Canada and Mexico. But while most companies oppose regulations that restrict data collection and usage, they must self-regulate data practices to cultivate the trust their customers prize.
Email privacy reform gains steam
Last week, the Email Privacy Act garnered majority support when it received its 218th co-sponsor in the U.S. House of Representatives. The bill would prohibit law enforcement officials from accessing stored emails without a warrant. The development has spurred tech companies such as Google and advocacy groups including the American Civil Liberties Union and the Center for Democracy — both of which have long lobbied for Electronics Communications Privacy Act (ECPA) reform — to push for Congress to pass the bill, The Hill reports.
Google’s Senior Privacy Counsel David Lieber wrote in a blog post that passing this legislation would “send a clear message about the limits of government surveillance by enacting legislation that would create a bright-line, warrant-for-content standard.” Other pro-ECPA-reform groups are also hailing the bill as a milestone in protecting electronic communications from government intrusion. As the 1986 law now stands, law enforcement is allowed to obtain emails that have been stored for more than 180 days without a warrant.
Federal Trade Commission calls for data broker transparency
As part of its efforts to educate the public on privacy among data brokers, the Federal Trade Commission issued a report last month calling for federal legislation that would increase transparency across the industry and make it easier for consumers to access information. The report, titled “Data Brokers: A Call for Transparency and Accountability,” recognizes data brokering’s value to companies and consumers while cautioning against consumer harm due to information misuse. To prevent the latter, the report provides legislative recommendations and industry best practices such as creating a centralized online portal to identify which data brokers maintain information on certain customers. Other recommendations include providing customers with “opt-out” tools, narrowing data brokers’ collection efforts and implementing data disposal guidelines.
Four years ago, the Securities and Exchange Commission announced an initiative that offered incentives for assisting with SEC investigations and enforcement. The goal was to help investigators gain first-hand evidence to build strong cases, and to act quickly on them. The initiative included “cooperation tools” including non-persecution agreements (NPA) under which the SEC would not pursue enforcement actions against those that report violations and provide assistance to the agency.
The SEC has entered NPAs with corporations since the initiative was enacted, but it took much longer for the agency to go the same route with people: At the end of April, the SEC entered its first NPA with an individual when a trader provided what the SEC called “extraordinary cooperation” during an insider trading investigation. Others that provided information during the SEC investigation received reduced penalties.
“The reduction in penalties for those tippees who assisted us, together with the non-prosecution agreement for one of the traders, demonstrate the benefits of cooperating with our investigations,” said Andrew J. Ceresney, director of the SEC’s Division of Enforcement, in a statement. “The increased penalties for others highlight the risks of impeding our work.”
Whether or not individuals or companies cooperate with investigations has become a much bigger part of SEC enforcement efforts since the 2008 financial crisis. By pushing transparency and a willingness to cooperate with investigations, the SEC focuses not only on what a company does to stay regulatory compliant, but also how they do it.
As a result, corporate culture has become part of the traits the SEC examines during investigations and enforcement. A company that shows good faith with proactive compliance processes and policies distributed to all employees is less likely to receive harsh punishments than one that blatantly circumvented compliance rules.
SEC Chairwoman Mary Jo White reiterated this standpoint during a speech this week at the New York City Bar Association’s White Collar Crime Institute. Assessing whether a corporation acted negligently involves comparing the corporation’s conduct — as carried out through its employees — to the actions of a more “reasonable” corporation in similar circumstances, White said.
“Holding the entity responsible for the misstatements is the right thing to do if the evidence demonstrates that the entity’s conduct fell below the standard of reasonable care,” White said during her speech.
In other words, corporate culture plays a huge role during SEC investigations. “Transparency” and “ethics” are other traits high on the SEC’s list when looking at infractions. This is not always easy, however, especially for companies with a corporate culture built around sales and financial gain rather than an emphasis on business ethics.
“The SEC is focusing on ‘did you do enough?’” said Tony Jordan, a partner in Fraud Investigation & Dispute Services at Ernst & Young, during an April Directors Roundtable Institute discussion in Boston on SEC enforcement.
“Doing enough” to stay compliant is particularly difficult in the global economy, where businesses operating in different cultures often have much different views on corruption and risk. There’s also no question that nefarious business activity is more common in some areas of the world than it is in others. This raises difficult questions during joint ventures and acquisitions about who should be in charge of ethical behaviors at international outposts.
When starting an investigation for potential compliance violations, Roundtable panelists encouraged attendees to seek maximum internal oversight and control. By getting a jump on disclosure and reporting, companies provide material to stakeholders to assist compliance with federal securities laws. Cooperating with regulators also could help avoid SEC enforcement actions — or at least mitigate penalties, Roundtable presenters said.
Public disclosure does have risks: Roundtable panelists cautioned that jumping the gun on disclosure could cause the organization to lose control of the investigative process, create delays when trying to close the investigation and initiate business disruptions. Disclosure could also result in parallel litigation that invites class action complaints and stakeholder derivative demand.
Despite these risks, the outcome from proactive compliance stance is likely much better than the alternative: huge fines and regulatory fallout stemming from SEC enforcement.
“You have to make sure you have a very clear audit trail so that when the government investigates the investigation, they don’t see that as a lost process,” said R. Todd Cronan, a partner at Goodwin Procter LLP, during the Roundtable. “You don’t want to pay twice: Once for the misconduct and again for the inadequate investigation.”