16 March 2013

Legal Risk: Over-The-Horizon Digital Radar...

Operational Risk Management is a primary responsibility of an organization's General Counsel. Why?
"The definition includes Legal risk, which is the risk of loss resulting from failure to comply with laws as well as prudent ethical standards and contractual obligations. It also includes the exposure to litigation from all aspects of an institution’s activities."
So if you are the General Counsel or the Chief Legal Officer, your radar is consistently tuned to the "Over-The-Horizon" (OTH) risks that may impact your company, right?  The fact is that managing risk from the General Counsel's office may be significantly different from what managing risk means from the CIO's office.

Loss events associated with people's workplace behavior are many times treated differently than those events associated with a computer "intrusion" or a data breach that was also caused by human behavior.  The law is a battleground that continues to keep an entire industry busy with offensive and defensive activities and the transfer of risks from one party to another.

What is the legal risk difference between the diversion of company funds to pay bribes in a foreign country and the theft of company trade secrets?  You see, the laws associated with these loss events have different statutes, penalties and legal risk:
On December 17, 2012, Germany-based insurance and asset management company Allianz SE paid more than $12.4 million to settle with the SEC over violations of the books and records and internal control provisions of the FCPA. The activity in question concerned improper payments to government officials in Indonesia. Following common FCPA procedure, Allianz did not deny or admit the SEC’s inquiry. The company disgorged $5.3 million in profits, paid a penalty of $5.3 million, with $1.8 million in prejudgment interest. 
The SEC stated that it uncovered 295 insurance contracts on government projects that were obtained or kept by improper payments totaling $650,626. The payments were made by Allianz’s Indonesian subsidiary. 
The conduct occurred from 2001 to 2008, at which time Allianz was considered an “issuer” under the FCPA because of its activity on the New York Stock Exchange. Even though it was not listed on the exchange, the presence of its bonds and shares on the market made it an issuer and subjected it to the jurisdiction of the FCPA. The investigation was initiated internally using outside counsel after a whistleblower complaint in 2009.
On December 28, 2012, President Obama signed the Theft of Trade Secrets Clarification Act. S. 3642 (112th). The Clarification Act is a direct response to the Second Circuit’s decision in U.S. v. Aleynikov, 676 F.3d 71 (2nd Cir. 2012). (See details below.) In Aleynikov, the Second Circuit overturned a criminal conviction under the Economic Espionage Act 18 U.S.C. § 1831, et seq., after the court determined that the stolen source code was only used internally for a high-frequency trading system and was not “related to or included in a product that is produced for or placed in interstate or foreign commerce.” The Clarification Act expands Section 1832(a) to cover internal trade secrets “related to a product or service used in or intended for use in” commerce. In addition to the source code at issue in Aleynikov, this expansion could include internal processes of doing business or gathering information that may not qualify for traditional patent protection. More broadly, the quick reaction shows the importance that Congress attaches to this area of the law and puts individuals and companies on notice that increased indictments may occur down the line.
The ethics, compliance and legal components of Operational Risk Management come down to "Achieving a Defensible Standard of Care" in your organization.  The risk exposures that face your organization will also have a more immediate impact, through loss of reputation and potential loss of market value.  On all fronts, the stakes remain high.

The modern day legal enterprise is still reactive and slow to respond to the changing environment around it.  The daily battle with legal risk is slow, compared with other risk management fronts within the institution.  The speed of response and the focus on preventive, preemptive or proactive actions are what set apart the mental states of all of your security risk professionals.  Some people have seconds or minutes to decide and act; others have the luxury of days, months and years.

Unfortunately, for most, the costs associated with legal risk are high, no matter who prevails in an incident or case. This fact alone is why the introduction of a new generation of automated tools and the memory of computer-based evidence is so important.  Decision Advantage.  The law and the legal industry are quickly playing catch-up.  Practitioners from the technology and legal industries are now even more integrated, while the courts interpret the implications of their rulings on an accelerating mobile, digital, global society.

You and your team have a tremendous amount of new knowledge to gain, or your enterprise will be consumed by the volume of new Operational Risks unfolding before it.  How complex could this be?

The 1983 movie "WarGames" led to an anti-hacking law with felony penalties aimed at deterring intrusions into NORAD. Over time, it became broad and vague enough to ensnare the late Aaron Swartz.