Bloomberg BNA’s Corporate Law & Accountability Report is available on the Corporate Law Resource Center. This news service keeps corporate practitioners informed of legal developments of...
By Yin Wilczek
May 19 — Assistant Attorney General Leslie Caldwell May 19 urged companies to report actual or suspected data breaches to law enforcement agencies, even those that may be caused by inadequate safeguards.
The Justice Department is not looking to investigate or prosecute hacking victims, assured Caldwell, who heads the DOJ's Criminal Division.
“Rather, we are seeking to partner with the private sector to prevent the breaches in the first place,” she said, adding that toward that end, companies should report the breaches and cooperate in both the investigation and prosecution of the guilty parties.
Addressing a compliance conference in Washington, Caldwell also warned companies against focusing on “the wrong type of risk” in implementing their compliance programs.
“We have repeatedly seen corporations target the risk of regulatory or law enforcement exposure of institutional and employee misconduct, rather than the risk of the misconduct itself,” she said. “The result: compliance programs are too often behind the curve, effectively guarding against yesterday’s corporate problem but failing to identify and prevent tomorrow’s scandals.”
In recent speeches, DOJ officials have urged greater cooperation between the government and private industry to combat hackers.
The DOJ's Cybersecurity Unit recently issued a “best practices” guide that encourages companies to establish ties with law enforcement authorities—including the FBI and U.S. Secret Service—even before an incident occurs.
The unit also has reached out to the private sector to forge better relationships, Caldwell said in her speech. The unit has engaged in “targeted cybersecurity consultations” with law firms, computer security specialists, industry groups and trade associations, and financial institutions and other organizations, she said.
As to regulatory risks, Caldwell told the audience that a strong compliance program aims to deter employee misconduct, whether that misconduct poses “obvious regulatory risk.”
“In designing compliance programs, companies would be wise to examine all of their lines of business—including those not subject to regulation—and determine where specific risks are and how best to control or mitigate them,” she said. “It is also critical that compliance programs take into account the operational realities and risks attendant to the particular company’s business, and are designed to prevent and detect particular types of misconduct likely to occur in a particular line of business.”
As an example, she said companies exposed to potential Foreign Corrupt Practices Act violations must use different internal controls than firms with less exposure.
Among other hallmarks, Caldwell said an effective compliance program includes:
• “strong, explicit and visible support” from senior management;
• adequate funding and resources;
• an effective process for investigating and documenting allegations of wrongdoing;
• an effective internal reporting system; and
• the willingness to act against noncompliant third parties with which the company interacts.
Caldwell also warned that in assessing the adequacy of a compliance program, the DOJ will look not only at the company's written policies and procedures, but also at “other messages conveyed to employees,” including through telephone calls, e-mails, in-person meetings and pay structures.
The DOJ's overall message is simple, Caldwell continued. We “expect corporate entities to take compliance risk as seriously as they take other business-related risks.”
To contact the reporter on this story: Yin Wilczek in Washington at firstname.lastname@example.org
To contact the editor responsible for this story: Ryan Tuck at email@example.com
The text of Caldwell's speech is available at http://www.justice.gov/opa/speech/assistant-attorney-general-leslie-r-caldwell-delivers-remarks-compliance-week-conference.
All Bloomberg BNA treatises are available on standing order, which ensures you will always receive the most current edition of the book or supplement of the title you have ordered from Bloomberg BNA’s book division. As soon as a new supplement or edition is published (usually annually) for a title you’ve previously purchased and requested to be placed on standing order, we’ll ship it to you to review for 30 days without any obligation. During this period, you can either (a) honor the invoice and receive a 5% discount (in addition to any other discounts you may qualify for) off the then-current price of the update, plus shipping and handling or (b) return the book(s), in which case, your invoice will be cancelled upon receipt of the book(s). Call us for a prepaid UPS label for your return. It’s as simple and easy as that. Most importantly, standing orders mean you will never have to worry about the timeliness of the information you’re relying on. And, you may discontinue standing orders at any time by contacting us at 1.800.960.1220 or by sending an email to firstname.lastname@example.org.
Put me on standing order at a 5% discount off list price of all future updates, in addition to any other discounts I may quality for. (Returnable within 30 days.)
Notify me when updates are available (No standing order will be created).
This Bloomberg BNA report is available on standing order, which ensures you will all receive the latest edition. This report is updated annually and we will send you the latest edition once it has been published. By signing up for standing order you will never have to worry about the timeliness of the information you need. And, you may discontinue standing orders at any time by contacting us at 1.800.372.1033, option 5, or by sending us an email to email@example.com.
Put me on standing order
Notify me when new releases are available (no standing order will be created)