This blog often deals with Compliance, both compliance with law and compliance with company policy. But another aspect of Compliance is the corporation’s compliance with its own contracts.
“Professor Wins College-Freedom Case in Wisconsin,” The Wall Street Journal, July 7, 2018 A3. Private university penalizes professor for posting a factual post online, despite academic freedom protections he had in his contract; professor wins back pay and reinstatement.
So, does your compliance program cover your organization’s compliance with its own contracts? Does your compliance training mention that point? Is contract compliance more or less important than ethics? Or is it part of ethics? How strong are your processes around contract compliance?
I just ask the questions.
This blog looks at the intersection of Information, Governance, and Compliance. Normally, when one hears “Compliance,” one assumes it means compliance with law. But Compliance also extends to compliance with policy.
“Barnes & Noble Cites Policy In Firing,” The Wall Street Journal, July 5, 2016 B1. B&N CEO and a member of the board fired after a little more than a year for violation of a so-far-undisclosed company policy. No severance package. Ouch.
What sort of message does that send to the rank and file when the CEO gets punished for violating company policy? Does that extend beyond the policy the CEO is accused of violating? Is that why the specific policy wasn’t mentioned?
I assume this was for a violation more serious than failing to follow the company’s Records Retention Policy. But aren’t all violations of company policy by the CEO equally serious? Aren’t all violations of policy equal, or are there capital “P” policies, and small “p” policies? How does an employee tell the difference?
And the company chose to publicize at least the basic reason for the firing; does it do that in all firings for policy non-compliance? Does the CEO have more or fewer privacy rights than the lowest-paid employee?
“Amazon Delves Into Health Data,” The Wall Street Journal, July 2, 2018 B3. Amazon buys a company with a bunch of personal health information.
It’s not like Amazon doesn’t have to deal with a whole host of privacy regulations, including the EU and, more recently, California. But personal medical information is different, and subject to different controls.
How does a company that lives on finding relationships in large bodies of information deal with information that can’t be used freely?
“Former Equifax Manager Is Charged,” The Wall Street Journal, June 29, 2018 B3. To respond to the huge privacy breach at Equifax last year, the company set up a website to help some of those affected. The former software manager setting up that website bought some options, betting that Equifax’s stock would go down once the breach was discovered. He faces criminal and civil charges.
Who would have thought a software engineer needed insider trading education?
“Emails Add to the Turmoil at WPP,” The Wall Street Journal, June 29, 2018 B2. A company technician recovered WhatsApp messages from the phone of a former employee; these messages were then sent by encrypted email to a few employees. The technician who recovered the messages has also left the company. [BTW, messages on WhatsApp are encrypted end-to-end, but are recoverable from a device that received them.]
What happens to messages on your company phone when you leave? Do you care? Do you use encryption to send messages anonymously? Why?
These messages were in an account used to coordinate the former CEO’s travel. And maybe for other stuff. The CEO already resigned.
A simple compliance case. An employee shares confidential information with a few friends and they trade stocks based on that information. The employee (now suspended) and the two friends were arrested on criminal insider trading charges. The employer is cooperating with the SEC’s investigation. Civil charges pending, too.
“Analyst Arrested On Insider Charges,” The Wall Street Journal, June 27, 2018 B12. S&P Global Ratings employee allegedly disclosed information about acquisition of Valspar by Sherwin-Williams.
What separates this from the other run-of-the-mill insider trading cases is the fact that the employee apparently denied knowing his two life-long friends.
Lying to the Feds is not a good strategy.
“Tesla Accuses Former Employee of ‘Sabotage,’” The Wall Street Journal, June 21, 2018 B3. Did a former employee hack Tesla’s manufacturing software and trade secrets and transfer information outside the company? Was this for convenience, or was it theft? Or to give to the press?
Do you have adequate controls to prevent this? Or to discover it? Who’s responsible if your controls fail?
Will the directors or senior officers be punished? Did they fail in their obligations to protect the corporation’s assets? Or is it just the shareholders who pay? And pay, and pay.