
Travel safety and regulation

Travel safety is one of the most important objectives of the overall supervisory agenda.  Consumer protection and public safety intersect in this topic.  Keeping travellers away from harm and maintaining safe and orderly routes and equipment should be the top priority of any commercial entity providing transportation to consumers.  At the same time, companies working in the transportation sector look to legal and regulatory requirements to set minimum standards for safety infrastructure and motivate investments in technology and human capital improvements.  Regulatory action, or inaction, can therefore have a huge impact on protective measures and responses to threats to safety taken by companies such as airlines, rail transit operators, and private transportation providers.


Round-up on USDA compliance

This is the fifth in a series of seven posts about regulatory compliance priorities and enforcement trends.  The first post was about the Commodity Futures Trading Commission (CFTC).  The second post was about the Federal Trade Commission (FTC).  The third post was about the Securities & Exchange Commission (SEC).  Last week’s post was about the Food & Drug Administration (FDA).  Today’s post will be about the U.S. Department of Agriculture (USDA).  Next week’s post, on Thursday January 25, will be about the Environmental Protection Agency (EPA).  Finally, on Thursday February 1, the post will be about the Federal Communications Commission (FCC).


Round-up on FDA compliance

This is the fourth in a series of seven posts about regulatory compliance priorities and enforcement trends.  The first post was about the Commodity Futures Trading Commission (CFTC).  The second post was about the Federal Trade Commission (FTC).  Last week’s post was about the Securities & Exchange Commission (SEC).  Today’s post will be about the Food & Drug Administration (FDA).  Next week, on Thursday January 18, the post will be about the U.S. Department of Agriculture (USDA).  On Thursday January 25, the post will be about the Environmental Protection Agency (EPA).  Finally, on Thursday February 1, the post will be about the Federal Communications Commission (FCC).

The Food & Drug Administration (FDA) is the US regulator charged with supervising and enforcing federal laws concerning food, tobacco, dietary supplements, medications and medical treatments and devices, cosmetics, and animal and veterinary products, among other products and devices related to public health and food safety concerns.  The FDA was created in 1938 by the Federal Food, Drug and Cosmetic Act, which gave the FDA oversight of food, drugs, and cosmetics and which now constitutes one of the major bodies of federal law it is responsible for enforcing.  Other significant statutes within the purview of the FDA – either wholly or partially, in collaboration with other federal supervisory and regulatory entities – include the Public Health Service Act (from 1944, concerning the prevention of foreign communicable diseases within the US) and the Controlled Substances Act (from 1971, creating federal US drug policy).

The food, medical, and veterinary products that fall under the regulatory purview of the FDA represent a significant proportion of the consumer goods imported into, purchased within and used in the United States, meaning that the FDA has broad reach into people’s everyday lives and therefore wide oversight duties to ensure adequate protections.  Food, drugs, cosmetics, and vitamin supplements are the largest categories of consumer products regulated by the FDA.  The FDA’s regulatory powers are broad in scope, including a huge array of business practices, from development, testing, and manufacturing to advertising, labeling, marketing, sales, and supply chain safety.  Enforcement of standards, oversight and monitoring of practices, approval of products, and handling of violations gives the FDA a heavy footprint in its covered industries.

  • Homeopathic drugs: The mandate of the FDA to regulate a variety of medicines and related treatments extends to addressing homeopathic drugs.  These products are widely available to consumers but previously have been lightly regulated.  Given burgeoning consumer protection concerns due to public harm from products that do not have any value as medical treatment and can in fact injure people or make them sick, the FDA is planning to take a more active role in the homeopathic drugs market.  Since the 1980s, the FDA has had a policy of not using the full weight of its enforcement authority with homeopathic drugs because their impacts were thought to be so minor that they could not be dangerous.  However, as more people have started using these homeopathic remedies, the risks and need for protection, especially for infants, children, and elderly people, have grown.  Last year children were sickened and even died from using homeopathic teething remedies sold at CVS due to poisoning from belladonna, which the medicines contained in dangerous proportions.  Testing, approval, oversight practices, or some combination of the above are apparently necessary for ensuring that these products do not hurt people, contain the ingredients they are supposed to in the amounts they should, and can provide medical benefit to support the health-related claims made by the manufacturers to consumers:  FDA to target ‘potentially harmful, unproven’ homeopathic drugs under new proposal
  • Cryotherapy: On a similar note, cryotherapy – immersion in a chamber cooled to as low as -132 degrees Celsius to treat inflammation and all kinds of other ailments and discomforts – has been spreading in popularity and caught the attention of the FDA.  Cryotherapy is often billed as a kind of spa treatment and has won the endorsement of athletes and celebrities for its health benefits.  However, the FDA has reacted skeptically to these claims, especially as people have been injured by unprofessional service providers or attempts to administer cryotherapy “treatments” to themselves.  If people continue to view cryotherapy and other popular science type activities and procedures as giving them some medical or curative benefit, which seems likely, then the need for the FDA to intervene by setting standards and providing oversight will grow alongside the popularity:  The spread of cryotherapy
  • Opioid epidemic: The FDA is well-positioned to contribute to efforts in containing the public health emergency of opioid drug abuse.  The FDA is responsible for overseeing both the number of prescriptions issued and the introduction of drugs to curb and treat addiction.  Overhaul of the system in which opioids are prescribed, and the rationale behind the length of prescriptions, is in the reform jurisdiction of the FDA.  This system would likely be funded by the pharmaceutical companies that make opioids, similar to what is already done to pay for other similar programs covered by the FDA’s enforcement authority.  Prescription intervention as well as the expedition of new versions of drugs to treat addiction will be priorities of the FDA on its upcoming regulatory agenda:  FDA plans to curb prescriptions to fight opioid epidemic
  • Gene therapy: Apart from approval of drugs, the FDA is also tasked with approving medical treatments.  Gene therapy has been a hot topic in bioethics for years, with questions about the use of stem or other cells from humans having dogged the technology’s development, but promising treatments for genetic diseases are now finally in its pipeline.  The FDA recently approved the first gene therapy for an inherited disease, a rare form of childhood blindness.  The price of the approved treatment is currently astronomical, at almost $1 million, but the hope is that the FDA approval will open the door for further development that could lead to lower prices and improved benefits over a lifetime.  FDA openness and speed in considering and approving these technologies will certainly have an encouraging impact on innovation within the field and on the introduction of further treatments using gene therapy, improving upon knowledge and practices around it:  FDA approves first gene therapy for an inherited disease
  • Food safety and recalls: Finally, the FDA’s food safety and recall programs may be an active area for reform and extended consumer protections going forward.  The FDA’s broad authority for food safety inspections has been critiqued in the past for culminating in uneven enforcement efforts.  Most recently, the Office of the Inspector General at the Department of Health and Human Services and the Government Accountability Office have both exposed shortcomings in the FDA’s enforcement of food safety policies.  Inspections, follow-up on food safety violations, and supervision of and collaboration with state-level regulatory personnel have all been found lacking:  Watchdog audits fire warning shots at the FDA’s food safety program

Addressing these deficiencies in the oversight process, and following with substantive improvement in the food recall process, has major implications for consumer safety.  The recall process in particular is crucial for ensuring that any gaps left unfilled by oversight of the production and distribution processes are caught before contaminated and dangerous food and supplements are sold to consumers.  However, audits have found that the recall process does not pass muster, indicating that recalls take far too long to kick off and that the FDA does not do enough to compel companies to cooperate with its warning letters and issue recalls:  The FDA Is Still Scary Slow at Food Recalls

Be sure to check back next week for a round-up on USDA regulatory compliance.


Regulatory and compliance omissions in the Volkswagen emissions scandal

The Volkswagen emissions scandal, also known as “Emissionsgate,” kicked off in 2015 when the US Environmental Protection Agency (EPA) notified the carmaker that it was in violation of the Clean Air Act.  With the altered engine emissions controls, the programming misrepresented nitrogen dioxide output so that it appeared to meet US market standards.  In reality, however, the real performance of the vehicles on the road without the altered programming for the testing environment resulted in output that exceeded the regulatory limit by up to 40 times.  For a basic overview of the Volkswagen emissions scandal as it unfolded since 2015, check out this primer from the BBC:  Volkswagen: The scandal explained.

The altered emissions results were ultimately exposed through re-testing.  The International Council on Clean Transportation accumulated research from a variety of sources which, upon study, showed emissions in road tests in excess of those recorded in the regulatory testing environment.  Once these non-conforming results were provided to the California Air Resources Board in 2014, they were ultimately escalated to the EPA, resulting in the investigation and enforcement action which led to the Clean Air Act notice of violation.  The investigation conducted by the EPA demonstrated that from 2008 to 2015, Volkswagen had intentionally modified many diesel engines in its vehicles to fraudulently “pass” regulatory testing.

In the aftermath of the EPA notice, Volkswagen was subjected to investigations in various countries.  The fix for the emissions issues to bring them into true compliance with the regulatory standard may cost the company as much as $15 billion or more, with fines so far in the US alone of almost $3 billion and several executives facing personal criminal charges for their role in the fraud.

One of the striking aspects of this particular corporate scandal is that, as the misconduct was exposed, it became clear that Volkswagen had taken advantage of the regulatory testing by applying its design and engineering knowledge to make engine construction choices expressly in order to deceive it.  In many cases of consumer safety or standard violation recalls, the manufacturer merely fails to make required changes or delays doing so, resulting in unsafe conditions or violation of regulatory and legal requirements.  Defeat devices which “trick” regulatory testing systems (actually code programmed into the vehicles’ computerized control units) are likewise nothing new in the automotive industry, as explained in this Ars Technica piece.

In Volkswagen’s case, however, as explained in this Investor’s Business Daily article, the carmaker made redesign choices to its emissions system that were not practical for business purposes but directly enabled the testing manipulation.  Then, when faced with a need to demonstrate compliance in order to access the market, instead of altering planned performance or fuel economy targets, the company opted to game the system by installing defeat devices on the very system it had built knowing it would need to be defeated and that it would enable doing so.

So why would a company make all of these conscious choices to dupe the system and spend money on deceptive systems instead of making the same amount of effort to establish real compliance and avoid the dishonesty?  At its root is most commonly what was referred to in lawsuits against Volkswagen by several states as a business culture of “corporate arrogance.”  As this NPR article explains in a nutshell, Volkswagen thought it could get away with the fraud because others in the industry did it too and because it was Volkswagen.  The company rigged its vehicles after going to great lengths to determine that it was definitely illegal to do so, against clear legal advice and with full knowledge of the consequences, and in a culture of non-compliance which rewarded cheating and did not take responsibility or model appropriate conduct.

Nowhere is this values deficiency in the Volkswagen corporate culture more evident than in the reaction by the CEO, Matthias Mueller, to the public outcry in response to the fraud.  This interview with NPR shows how problematic the tone and conduct at the top was in the public handling of the scandal.  Rather than modelling accountability and transparency, Mueller instead insisted that there were no ethical issues at Volkswagen and that rather the emissions fraud was due to a technical problem in the company’s interpretation of US law.  Mueller repeatedly asserted that the company did not lie or deceive but instead misunderstood US legal requirements, a disingenuous and unconvincing defense for a major global corporation which must contend with a complicated fabric of regulatory and legal frameworks all over the world to meet its duties in doing business.

The gap created by this purported legal misinterpretation could and should have been filled by a values-based approach, one in which the company took corporate social responsibility for its environmental impact and made business decisions based upon the best collective outcome rather than upon ease and expediency, with the enablement of future cheating as a side benefit.  Demonstrating integrity is not as simple as apologizing once you get caught, and portraying violations as mistakes is not an example of ethical leadership or sustainable business values.

For more on EPA compliance, check back on Thursday, January 25, for a round-up on current rule-making and enforcement trends at the agency.


Compliance considerations in an active era of mergers and acquisitions

The term “mergers and acquisitions” describes transactions in which the ownership of organizations or business operations within organizations are combined or transferred between companies. Merger describes the combination of at least two organizational units, whereas acquisition describes the transfer of interests or assets from one organization to another.

So far 2017 has been a banner year for high-profile mergers and acquisitions across all industries. Businesses are generating attention, press, and perhaps even revenue for themselves by ambitiously entering into deals with one another. Some prominent competitors have decided to join forces, while other companies hope to make inroads into new markets or gain access to new technologies through mergers and acquisitions activity.

  • The Amazon/Whole Foods merger has been one of the hottest topics of late summer 2017. Already the deal has had a seismic effect on the market, causing competitors from European grocery retailers to ready-to-eat meal delivery companies to major retailers such as Wal-Mart to recalibrate their own corporate strategies and expansion plans. One of the focal points of the lively conversation around this transaction has been the speed with which the US Federal Trade Commission (FTC) gave its blessing. While some professional skepticism from lawmakers on this subject is certainly welcome, the proof will be in the pudding as to whether the deal encourages innovation in the sector by challenging competitors to respond creatively to the merger. If this does indeed pan out, perhaps consumers will stand to benefit, not to be harmed, by this type of deal:  Consumers the big winners of Amazon-Whole Foods merger
  • In the UK, a different regulator is not in such a rush to approve the merger between 21st Century Fox, owned by Rupert Murdoch, and broadcaster Sky. The Competition and Markets Authority (CMA) will perform a six-month review of that one on the referral of the Culture Minister Karen Bradley. The stated reasons for the review were concerns about media plurality, stemming from the material influence Rupert Murdoch would gain over news providers in the UK’s key market platforms, and an inadequate compliance program at Fox, which already owns a 39 percent stake in Sky:  UK competition commission to review Fox-Sky merger
  • Mergers can complicate outstanding or future legal claims, as the union between chemical industry giants Dow Chemical and DuPont is indicating. The issue dates back to a major industrial accident in 1984 in India at a factory owned by Union Carbide India. The majority owner of this company was Union Carbide Corporation, which in turn was acquired by Dow in 2001. Victims of the gas leak accident, which killed as many as 22,000 people and left more than 500,000 others injured, have struggled in the last three decades to reach justice through the complicated system of corporate liability. This is a labyrinthine system of liability and procedural quagmires already for victims to make it through, and the acquisition of Union Carbide by Dow made defining liability, both in a legal sense and in a concrete moral sense to attach to an existing corporate entity, very complicated. Already complex enough when dealing with just Dow, now that DuPont will be in the mix, the corporate structures will become even more difficult to navigate legally:  Bhopal disaster victims may never get compensation following Dow-DuPont merger, fears UN official
  • Bayer AG and Monsanto Company are set to face a regulatory review by the EU over at least the next four months in the planned merger by the major agrochemical companies. In that same sector this year, Dow and DuPont as well as China National Chemical and Syngenta AG have faced similar regulatory hurdles and had to make serious sacrifices in order to settle with the EU for their consolidations to go ahead. As companies in one industry seek to merge with each other, the industry comes out reshaped entirely, and the regulator in charge of oversight must step up to ensure that consumers are protected and that innovation continues unimpeded despite fewer competitors in the market:  Bayer-Monsanto merger faces in-depth EU probe
  • Similarly, EU regulators have also expressed concern about the merger between Italian eyewear-maker Luxottica and French lens-maker Essilor. Together the two companies will form a $55.12 billion global eyewear retailer. The EU is concerned because the combined company will be so large, likely crowding out other, smaller retailers that cannot operate on the slim margins workable for major organizations. The regulator is particularly concerned about the impact this merger could have on the supply chain, as Essilor will gain access to previously untapped markets in the Americas and Asia:  EU regulators have concerns over Luxottica-Essilor merger

One conclusion that may already be drawn from a survey of this year’s mergers and acquisitions activity is that, for some, expediency is the name of the game. Companies entering into these agreements want to come together quickly to get on with business, before advancements in technology outpace their own participation. In some markets, regulators seem basically happy to oblige them. This apparent trend stands somewhat in contrast with the standard regulatory agenda for existing companies, and the current preference in other markets, which is to identify and investigate possible anti-trust business practices for possible enforcement action or remedial measures before allowing the deal to go through.

If US regulators continue to take the point of view that combined and strengthened competition from one market player drives the rest to be better and innovate, as with Amazon, this will serve as a justification for relaxed regulatory scrutiny. It will be interesting then to observe whether regulators in the EU or other regions trend in the other direction, increasing the scope and standard of their oversight in order to reinforce the opposite conviction: that in these times of consolidation, innovation may actually be more at risk than ever.

Only time will tell in this case which side has predicted the outcome correctly; one may find commerce stifled in name of caution, while the other may discover that imposing supervision after the union is more difficult than taking a measured approach from the beginning.


Round-up on counterfeiting of consumer goods

Counterfeiters have existed since time immemorial. Ever since the concept of value was introduced by the exchange of money and the idea of authenticity or identity first became established, fraudsters have aimed to produce fake money and forged documentation. Following counterfeit money came unauthorized copies of the products that the money could purchase, a trade which has become ubiquitous and sometimes even represents a larger market than that for the authentic item.

With the spread of globalization, a diverse range of counterfeit products are sold and bought all over the world. Sometimes this is without any attempt by the seller to deceive, with the fake product offered to a consumer who willingly buys a bootleg or replica copy. Others are to customers who think they are purchasing the real thing, often from a very expensive or luxury brand or of a very popular and desired item.

No matter the intent behind the transaction, commerce in counterfeit items is growing all the time and presents many dilemmas for corporate investigators and law enforcement in identifying the fraudulent practices, protecting brands from this illicit trade, and preventing consumers, wittingly or otherwise, from engaging in it.

  • Most of the world’s counterfeit items are produced and manufactured in China – enough so that the trade in these fraudulent goods is a $400 billion industry, by some accounts representing as much as 10% of China’s GDP. This is a striking paradox, as many authentic items such as Nike shoes and Apple iPhones are produced practically alongside knockoff versions of the same. While the traditional logic is that counterfeit goods are part of the assumed risk of doing manufacturing business in China, corporations are actively trying to take control via clever action against fraudsters. Brand protection efforts include hiring private investigators to find and seize fake goods and try to navigate the complicated, labyrinthine underground of the Chinese counterfeiting industry:  To Catch a Counterfeiter
  • South Korea has joined China as one of the major world centers for counterfeit activity. However, unlike many of the goods which come from China, which are low-quality replicas that make unconvincing fakes to the educated consumer, the market in South Korea knowingly demands “copycat brands.” This consumer desire is driven by the prevalence of streetwear fashion which replicates items worn by celebrities and seen on the internet from brands which are not easily purchased or even available in South Korea. In order to answer customers’ requests to be up on these global trends, counterfeiters are making high-quality fakes to sell to the fashion savvy who might not even care whether their items are real, as long as they are able to access the desired style:  Why South Korea Is the Home of Counterfeit Culture
  • More than what’s in a name – what’s in a set of parentheses? For years Costco has sold rings advertised on its in-store signage as “Tiffany” rings. There is no affiliation between the rings sold by the wholesale giant and those available at the specialty jewellery retailer Tiffany & Co. While Costco made no claim that it was selling imitations of the Tiffany & Co. rings, Tiffany alleges that calling the rings “Tiffany” on the signage was a false identification, and that consumers could have been misinformed and mistakenly purchased the rings believing they were Tiffany & Co. A judge has ruled that Tiffany is entitled to almost $20 million in damages and interest from Costco for this marketing scheme, indicating that “Tiffany” is not to be used as a generic term to describe the setting of a ring to consumers, as Costco alleged it was intending to do:  Costco owes Tiffany more than $19 million for selling counterfeit rings
  • Counterfeit goods in the apparel market are well-known; everyone has seen the ubiquitous fake Louis Vuitton and other designer bags that brands have been fighting against for years. Another area in fashion where fakes are becoming prevalent is makeup. The black market in the beauty industry is growing all the time, with counterfeiters making and selling popular products to satisfy demand when the real ones sell out quickly, aren’t available in certain markets, or are highly priced. The safe and hygienic production of makeup is a very complicated business, involving health standards, inspections, and scientific processes, which fraudsters do not typically invest time or money to replicate along with the products. Consumers have gotten sick and been injured from using these fake makeup products, which are often ordered online or bought in the discount shopping districts where knockoff handbags used to be the main fare. Especially concerning is that many people purchase these fake cosmetics in bulk, to fraudulently resell online as the real thing or to use on unsuspecting clients as makeup artists:  We Went Inside Beauty’s Black Market & It’s Worse Than You Think
  • Equally concerning to consumer protection and safety as fake cosmetics is the growing prevalence of knockoff wine. The Chinese market is participating in rising prices and demand in a hot retail wine market, for auction buyers, home drinkers, and restaurant suppliers alike. Along with these eager buyers, as always, come the sellers of counterfeit and contraband products. Fake imported wines abound in China. On high-ticket wines, empty bottles of the real thing are actually sold on the black market and then re-filled with fake wine to be sold to unaware purchasers. Aside from damaging the high-end market with a flood of counterfeit wines, there are also concerns for the average consumer. Sometimes dangerous ingredients and chemicals are added to cheap wine to change the color or taste in order to fool consumers, who can then get sick from the doctored alcohol:  China Is Facing An Epidemic Of Counterfeit And Contraband Wine

Companies and governments worldwide are doing their utmost to crack down on the illegal production and manufacture of counterfeit goods, and to prevent the sale of these products to consumers. This is an effort which requires international cooperation and a constant pursuit to stay up to date on the counterfeiters’ methods in order to counter and prevent their attempts. Consumer protection and brand value to corporations are both at risk in the continued spread of these illicit practices and products.


Compliance lessons to learn from the 2017 Equifax cybersecurity breach

Equifax is one of the major US-based consumer credit reporting agencies. It operates globally and, due to the nature of its business, maintains sensitive and personal information on more than 800 million individuals and more than 80 million organizations.

In September 2017, Equifax announced that it had experienced a cybersecurity intrusion in July 2017 which impacted the data of up to 200 million consumers from the US, Canada, and the UK. The handling of this breach by Equifax was widely criticized and questioned. Among the controversial aspects of it were the two month delay in publicizing it, the lack of specific information about the data compromised, the inadequate and possibly even unsafe system and support provided for impacted consumers, and the perception of possible insider trading by company executives in the days after the breach took place but before it was public.

As the problematic response to this cybersecurity incident unfolded, Equifax’s various blunders and missteps in the public handling of the situation formed a guide for worst practices in such a scenario. As the dialog around Equifax’s response has shown, poor crisis management in the public eye only compounds the consumer protection problems.

  • Companies do often have legitimate reasons for delaying notifying consumers, regulators, and the public at large about data breaches. Sometimes companies do not even know they have been breached right away. Even once they are aware, sometimes law enforcement will request that they do not disclose the breach. Different types of data may be subject to different disclosure requirements, so companies also sometimes have to take time to determine what data was involved. However, these delays still can be very problematic for consumers, who can be unknowingly at risk and make assumptions about the seriousness with which their data is stored and maintained which might be very far from reality.  Why it can take so long for companies to reveal their data breaches 
  • While Equifax was taking its time notifying consumers and regulators of the data breach, questions abound about when – and what – people on the inside knew about it. This is because only a few days after the July 29 cybersecurity intrusion, on August 1 and August 2, several executives at Equifax sold shares. These transactions were not part of scheduled trading plans, but they were not total liquidations of their positions, and the company says that the executives were unaware of the breach at the time of the trades. However, the perception of possible insider trading is hard to avoid once the timing of this activity is revealed. If they truly did not know about the cybersecurity problem, it would have been wise at least to inform key senior management of the breach and advise them to avoid trading in the stock while in possession of inside information.  Three Equifax Managers Sold Stock Before Cyber Hack Revealed
  • Despite how private most people in the US consider their financial data to be – especially social security numbers and bank account or credit card information – current privacy laws are lacking in many key areas when compared to those in other parts of the world such as the EU. Top of mind among privacy concerns, including the need for consumers to input personal data to check whether their other personal data has been compromised, is that over a month went by before Equifax notified the public of the cybersecurity incident at all. In the 40 days that went past, the data could have been used for many illicit purposes without consumers even being aware they were at risk. Laws in the US currently differ between states with regard to breach notification requirements. There is no unifying directive in the US setting the standard where personal data is concerned, such as there will be next year in the EU under the General Data Protection Regulation, which requires notification within a maximum of 72 hours. Perhaps a higher standard in the US such as this one would reinforce the seriousness of these events to organizations and improve consumer protection and communication processes when they occur.  Equifax breach disclosure would have failed Europe’s tough new rules
  • While these data breaches are unfortunately becoming so common that the public is often less alarmed by them now than in the past, irresponsible or insufficient responses by organizations to these breaches still provoke justifiable outrage and calls for change. Consumers being desensitized to the exposure of their personal data just shows how widespread the problem is and how insufficiently the interests of consumers are guarded. However exhausted the public may seem to be with the ongoing leaks and hacks of their private data, this is no excuse for organizations affected by them to respond with the same passive, indifferent attitude. Equifax’s lack of detail and inadequate communication displayed to the public that it did not care about the invasion consumers were suffering, which is quite a different message than one of fatigue from victims who have had this experience too many times to excuse. The reputational risk suffered by such corporate carelessness is extreme, and hopefully will drive consumers to advocate for a higher standard of responsibility and responsiveness from keepers of consumer data.  The Banality of the Equifax Breach
  • As the public contends with the reality of the Equifax data breach – that subsequent hacking attempts stemming from this breach are inevitable and that companies like Equifax do not meet the standard of care for protecting this private information in their possession – what can anyone do in the future? Holding companies accountable for their poor service by taking their business elsewhere is often the only choice consumers have to voice their displeasure. In the current system individuals aren’t really able to avoid the consumer credit reporting agencies, but organizations could opt to create and use independent systems with more secure infrastructures. These corporate users could drive a technological shift that would also benefit individual consumers. Blockchain and related technologies could provide the solutions to these vexing and chronic security concerns that the existing system seems unable to address.  It’s time to build our own Equifax with blackjack and crypto

Given the ever-increasing risks surrounding cybersecurity, compliance professionals and others interested in cybersecurity risk management can take many cues from Equifax’s handling of the above on what not to do in such a situation. Hopefully, as organizations continue to live with the risk of such intrusions and improve their control frameworks to prevent and mitigate them, they will also pay attention to their public responses in such situations, to make sure that the statements made and guidance provided are adequate and accurate.


Creating employee awareness for cybersecurity risk management

Cybersecurity is one of the major risk areas for businesses of all sizes and a frequent examination and enforcement priority for regulators. The challenges posed by cybersecurity are diverse and serious – data privacy, breaches of sensitive customer or employee information, business continuity, reputational risk due to information leaks or data loss, physical and financial damage to IT network or infrastructure, and more.

Addressing the threats posed by possible cyberattacks or security weaknesses is very important for organizations, but all protective measures rely upon the engagement of employees in accomplishing this objective. Obtaining this engagement requires effective communication to employees to raise their awareness and encourage their understanding of their own part in the day-to-day task.

  • Make relevant policies accessible, relatable, and easy to understand: In order for employees to understand their responsibilities in a cybersecurity program, the governing policies and procedures must be simple and straightforward. The policies should be easy to locate on the organization’s intranet or in the policies manual or employee handbook. They should be written in plain English and provide the essential information and guidance necessary for employees to understand what they must do to protect the company and themselves. Individual objectives and obligations should be highlighted and reinforced by line managers.
  • Connect cybersecurity program to stakeholder commitments: For all employees who are not IT professionals, the risks inherent to and controls necessary for cybersecurity may seem abstract. However, there are fundamental organizational values which can be concretely attached to the objectives of a cybersecurity program. Taking the privacy of customer and/or employee data seriously is not an esoteric concept; this is important to every employee on a personal level. Being trustworthy and transparent about this goal, likewise, is something everyone can support for the good of the organization. Establish a connection between the goals of the cybersecurity program and the company’s stakeholders such as customers, business partners, and regulators/supervisors. Emphasizing these duties will enable employees to see how important cybersecurity controls are to those relationships.
  • Set expectations for personal responsibility: As with all compliance risk topics, the tone at the top is critical to establishing the mood in the middle and the buzz at the bottom. Employees will not prioritize a topic unless leadership clearly and sensibly advocates for its importance. Senior management should express that each person working in an organization has individual accountability for protecting the company from cybersecurity risks and attacks. An employee’s responsibilities may seem minor or not worth publicizing, but these practical measures are often the most fundamental in keeping the organization’s IT systems secure.
  • Emphasize conduct and basic good practices: Every compliance program begins at the beginning. The building blocks of security protections must be strong starting at the most fundamental measures. Advanced protocols and encryption methods are not the message to take to the general employee population. Rather, focus on their own individual conduct and best daily practices, such as caution with data handling to avoid human error like inadvertent e-mails or lost devices and files. It is imperative that the workforce understands and takes responsibility for managing these simple, widespread risks from their own behavior.
  • Publicize successes and take action on failures: The organizational message of open seriousness about cybersecurity risks should be consistent. When there are successes – such as proactive identification and remediation of a security weakness without a data breach, or improvement in employee conduct around reporting phishing emails – publicize them and discuss them. Positive reinforcement is key. However, when there are failures – such as the detection of an unauthorized intrusion or a string of employees losing laptops and flash drives – then these too should be communicated broadly and acted upon promptly. In this case it is not negative reinforcement but rather directed analysis to improve in the areas which current evidence shows need the most work.

With the broad landscape of cybersecurity risks in view, and the methods and objectives of cyberattackers evolving continually, control frameworks for cybersecurity will remain an ongoing project in compliance programs. Creating and maintaining basic employee awareness of and sensitivity to these risks is crucial to ensure that all other controls can be as effective as possible.


Ford Pinto and organizational integrity

The Ford Pinto debacle of the 1970s demonstrates vividly that focusing on commercial pursuits at the expense of integrity considerations can have a disastrous effect on consumer safety. No historical survey of organizational ethics and decision-making is complete without a study of the controversial production of this vehicle.

The Ford Pinto was a subcompact car made and sold by Ford Motor Company from 1970-1980. The design of the car left it vulnerable to fire in the event of a rear-end collision due to the location of the fuel tank between the rear axle and the rear bumper. Though crash testing indicated heightened risk, and some engineers questioned the car’s safety, Ford proceeded with manufacturing the vehicle as designed. As early as 1973, Ford began receiving reports of catastrophic injuries in fires after low-speed rear-end collisions involving Pintos. Relying on its standard review routines, Ford found no justification for a recall. Concerns about the Pinto’s safety, and Ford’s inaction in response to them, persisted until Ford finally recalled the Pinto in 1978, while claiming it was only doing so because of public outcry and still not acknowledging any design defect in the car. Subsequently over 100 lawsuits were brought against Ford in connection with the Pinto.

This is perhaps the seminal case of a business choosing to value commercial interests over consumer protection. Individual designers and engineers at Ford realized that the Pinto could have safety issues, but they worked under immense time pressure and in a structured, hierarchical project management system where people made decisions that were disconnected from the ultimate outcome of the product. The production of the Pinto was a process dominated by routines that emphasized expediency and profit. Regulations relaxed under political pressure from the marketplace meant that companies like Ford Motor Company could choose whether it was economical or expedient to meet certain standards, rather than making these decisions on the basis of regulatory requirements or safety concerns alone.

The Ford Pinto case also lays bare the “bad apples” theory of ethics, in which corporate scandals that harm the public are blamed on a bad person doing bad things. In reality, most people involved in these situations are good people who do not intend to do bad things, but who make choices in isolation or under duress, as part of routines, that have a knock-on effect and can lead to disastrous results later.

For a very complete and powerful contemporary analysis of the Ford Pinto case, Mark Dowie’s 1977 Pinto Madness article in Mother Jones is a must-read.