Practical insights for compliance and ethics professionals and commentary on the intersection of compliance and culture.

Round-up on compliance issues with online platforms: Snapchat

This is the fifth in a series of six posts on compliance issues with various online platforms.  The first post was about YouTube.  The second post was about Facebook.  The fourth post discussed Instagram.  Last week’s post was about Twitter.  Today’s post will cover Snapchat.  The sixth and final post in the series, on April 12, will be about Reddit.

Snapchat is an app-based photo and video messaging service.  Upon its initial release in 2011, Snapchat grew quickly in popularity due to its novel feature which allowed users to share messages that then disappeared.  This concept evolved from a person-to-person design to then include a chronological timeline of stories and content sponsored by brands, media groups, and influencers.

Selected TED/TEDx talks on privacy and reputation

In an increasingly inter-connected and digital society, challenges to privacy and reputation are frequent.  Even before social media put everyone at constant pressure to “overshare,” when people’s very personal details were not always a quick Google search away, privacy was still under threat.  A person’s visibility and public representations are often judged and demanded for credibility and honesty evaluations performed by employers, potential partners, members of the community, and even complete strangers.  Giving up privacy in favor of radical openness may be the way some reality stars have attained their celebrity, but for many people this feels invasive and like a violation of security.

In a broader sense, people’s individual privacy settings in terms of what they wish to share or disclose, how, and to whom, have a direct bearing on reputation.  Cultural practices around privacy and information sharing can give rise to serious reputational risk that impacts individuals and communities and frays the social fabric in which transparency is desirable or even possible.  These norms and ethical expectations are intensified in the digital age, where an individual’s personal information can never truly be deleted or taken back once it is made public.

Round-up on compliance issues with GDPR implementation

GDPR – the General Data Protection Regulation – is intended to establish a stronger, unified system of protection of personal data for individuals and businesses within the European Union. GDPR was adopted directly by the European Parliament, the Council of the European Union, and the European Commission on April 27, 2016. Following a two-year transition period, GDPR will become directly binding and enforceable as of May 25, 2018.

GDPR is an improvement upon the 1995 Data Protection Directive, intended to enhance control by individuals over their own personal data and accountability for organizations in how they collect, handle, and maintain it. The Data Protection Directive was implemented by individual law in each of the EU nations and therefore created a patchwork of standards and practices varying between the member states.   GDPR therefore is intended to simplify and integrate requirements in a more cohesive and competent supervisory model.

Compliance and ethics in Groundhog Day

Groundhog Day is a classic comedy film from 1993.  The movie centers around Bill Murray’s character Phil Connors, a weatherman on location in Punxsutawney, Pennsylvania covering the annual Groundhog Day event there.  The town’s festivities around the ritual of the groundhog coming out of his hole to check whether or not he sees his shadow are a huge media event and popular celebration which Connors, who is generally obnoxious and condescending, finds ridiculous.  On February 2, Connors has an unpleasant and miserable day in which he is annoyed by everyone around him, acts out, and totally fails to charm his producer Rita Hanson, played by Andie MacDowell, with whom he is in unrequited love.  The next day he wakes up and is alarmed and confused to find that it is not a new day, February 3, but rather February 2 again, and the prior day is repeating exactly as it happened before.

Connors winds up trapped in a time loop of which only he is aware.  He experiences February 2 over and over, with his memory and knowledge retained but otherwise no evidence in the world or in other people that the day has happened before and will happen again.  Connors goes through a complicated process of reckoning with this reality and ultimately makes it his ambition to get Hanson, who hates him, to fall in love with him.

Justice in Black Mirror

As previously discussed on this blog, the universe of the science fiction show Black Mirror is very interesting from a compliance and ethics perspective.  As discussed in this post about the first three series of the show and this post about the fourth series, the show often focuses on connections between humanity and technology.  The show frequently contemplates the negative impact of excessive or dangerous reliance on technology and warns of the disruptions to people and communities that could result from overly integrating advanced technology into life.

While the most common themes of Black Mirror indeed pertain to traditional risks of overuse of technology, such as data privacy, consent, artificial intelligence, and cybersecurity, there’s an additional layer of commentary on the show which focuses on broader social issues, such as power, community, and justice.  Indeed, the question of how a technologically-advanced society might define and handle justice uniquely is compelling.  Portrayals of justice throughout all four series of Black Mirror include the treatment of issues such as punishment, reparations, confessions, investigations, judgment, and surveillance. 

Compliance in Black Mirror

Black Mirror is a very popular US-UK television science fiction series. It originally aired on Channel 4 in the UK and is now released and broadcast by the subscription video streaming service Netflix. The series is anthology-style, with short seasons of stand-alone episodes which are like mini films. Most of the episodes of the series touch upon the dominance of and overreach into human life by technology, such as social media, AI, and other advanced, immersive systems and devices. The take offered is quite dramatic, often delving deeply into adverse psychological and sociological effects on modern society, taking a dark and even dystopian perspective.

While all the episodes of Black Mirror do depict a future reality, it is an immediate and accessible reality impacted by technology exceeding that which is currently possible but not so much as to be unthinkable. Indeed, the title of the show, Black Mirror, refers to current technology which is increasingly ubiquitous and addictive – television screens, computer monitors, and smartphone displays. The show both entices with the idea that many of these technological advancements could be convenient or novel or life-enhancing, while also warning that the obsessive and addictive aspects of technology could cause great harm and disruption if not developed and managed thoughtfully and carefully with the risks well in mind.

  • “The Entire History of You” (Series 1, Episode 3): In this episode, a couple struggling with mistrust and insinuations of infidelity make disastrous use of a common biometric – a “grain” implant everyone has that records everything they see, hear, and do. The recordings on the implants can be replayed via “re-dos.” This is used for surveillance purposes by security and management, as the memories can be played to an external video monitor for third parties to watch. Individuals can also watch the re-dos from their implants directly in their eyes, which allows them to repeatedly watch re-dos, often leading them to question and analyse the sincerity and credibility of people with whom they interact. People can also erase the records from their implants, altering the truthfulness of the recordings. This troubles the status of trust and honesty in society which has already in contemporary life been eroded by the influence of the internet.

  • “Be Right Back” (Series 2, Episode 1): In this episode, Martha is mourning her boyfriend, Ash, who died in a car accident. As she struggles to deal with his loss, her friend who has also lost a partner recommends an online service that allows people to stay in touch with dead loved ones. The service crawls the departed person’s e-mail and social media profiles to create a virtual version of the person. After the machine learning advances enough by consuming and trying enough communications, it can also digest videos and photos, graduating from chatting via instant message to replicating the deceased’s voice and talking on the phone. At its most advanced, the service even allows a user to create an android version of the deceased that resembles him or her in every physical aspect and imitates the elements of the dead person’s personality that can be discovered from the online record. However, in all this there is no consideration given to the data privacy of the deceased person or to his or her consent to be exposed to machine learning and replicated in this manner, including even in physical android form.

  • “Nosedive” (Series 3, Episode 1): This is one of the most popular, critically-acclaimed episodes of the series, and one of the obvious reasons for this is that it focuses on social media and how it impacts friendships and interactions. The addictive aspects of social media in current times are already a hot topic in design ethics, driving people to question whether social media networks like Facebook or Twitter are good for the people who use them, and where to locate the line between entertainment and a fun way to connect and share, versus a platform with a potentially dark and abusive impact on users. In this episode, everyone is on social media and is subject to receiving ratings from virtually everyone they encounter. These ratings determine people’s standing both on social media and in the real world as well – controlling access to jobs, customer service, housing, and much more. Anxieties and aspirations about ratings drive everything people do and all the choices they make. “Addictive” has been met and surpassed, with social media having an absolutely pervasive impact in everyone’s lives.

  • “San Junipero” (Series 3, Episode 4): One of the most universally loved episodes of Black Mirror, San Junipero depicts the titular beach town which mysteriously appears to shift in time throughout the decades. Kelly and Yorkie both visit the town and have a romance. San Junipero turns out to be a simulated reality which exists only “on the cloud,” where people who are at the end of their lives or who have already died can visit to live in their prime again, forever if they so choose. In the real world, Kelly is elderly and in hospice care, while Yorkie is a comatose quadriplegic. Both eventually choose to be euthanized and uploaded to San Junipero to be together forever, after getting married first so that Kelly can give legal authorization for Yorkie to pass over. The bioethical considerations of such a reality are clear – in this society, assisted suicide is a legal normalcy, and part of patient care is planning one’s method of death and treatment path after death, with digitalization being a real option. All of the San Junipero simulations exist on huge servers, and judging by how many lights are flickering in the racks this seems to be a popular practice – but what about the cybersecurity and information security of the simulations? What if the servers were hacked or damaged? This gives a new meaning to humanity and places an entirely different type of pressure on making sure that technology is used safely and the data stored on it is protected.

  • “Men Against Fire” (Series 3, Episode 5): This episode concerns the future of warfare in a post-apocalyptic world. Soldiers all have a biometric implant called MASS that augments reality, enhances their senses, and provides virtual reality experiences. One soldier’s implant begins to malfunction and he soon learns that the MASS is in fact altering his senses so that he will not see the individuals he is told are enemy combatants as people. It turns out that the soldier is part of a eugenics program practicing worldwide genocide, and the MASS is being used to deceive the soldiers and turn them into autonomous weapons who murder on command because of the augmentations and alterations to reality made by the MASS. This storyline falls uncannily close to many current concerns about the adoption of autonomous weapons that are not directed or monitored by humans, which are nearly within technological capability to be created and are the subject of international calls for appropriate supervision of and restraint in their development.

Black Mirror offers many interesting scenarios for analysis of and study by compliance and ethics professionals considering risk management related to the use of technology in organizations and society. As described above, surveillance, data privacy, consent, design ethics, autonomous weapons and other AI, bioethics, and cybersecurity are just a sampling of the issues invoked by episodes of the series.

Round-up on compliance issues with blockchain technology

One of the hottest topics of 2017 is blockchain. This advancing technology is seemingly the possible solution to every business problem conceivable. Companies across all industries – as diverse as banking to food production and seemingly everywhere in between – are experimenting with how they might be able to use blockchain to make their reporting and related processes more reliable or efficient. Many are even contemplating how they may take advantage of blockchain to market software applications to other companies, hoping to enter the profitable fintech (financial technology), regtech (regulatory technology), or suptech (supervisory technology) markets.

But what is blockchain? Most famously, it is the core technological component of the well-known cryptocurrencies, such as Bitcoin or Ethereum. Simply put, blockchain is an open list of records (which comprise the “blocks”) which are securely linked together with cryptography. As the blocks are all linked together and independently identified with references to their linked blocks, the data contained therein is extra safe from individual manipulation or alteration. This is a decentralized computing system which is incredibly useful for recordkeeping and records management activities, especially those where security is especially important such as identity management and medical records.

Due to the broad desirability of a secure and adaptable record maintenance technology, blockchain, which was initially developed only less than a decade ago, has been a disruptive influence in many industries already. Across all business areas, companies are looking to blockchain for possible benefits, all relevant to compliance, to their reporting processes.

  • Transparency for pension fund reporting is one major potential use of blockchain. Following the Madoff scandal and other highly-publicized frauds in the investment management industry, there has been more pressure than ever in expectations for investor protection and reporting disclosures. Many pension funds have balked at public and supervisory demands for increased transparency due to the cost concerns for implementing additional reporting mechanisms in balance with very low profit margins. This reaction does not help to enhance trust between investor clients and this fraud-vulnerable industry. Therefore the decentralized, secure nature of blockchain offers appealing opportunities for filling this confidence vacuum. Blockchain-based platforms can get investors access to their own pension information without fears of data manipulation or increased cost burden on firms: How Blockchain is revolutionizing fraud prone industries
  • On a related note, banks and other financial institutions have borne much of the competitive pressure blockchain has created with the advent of cryptocurrencies – but they also stand to benefit from this, if they can make the best of it. Cryptocurrencies such as Bitcoin are a compelling alternative to the centralized, traditional banking system for customers who desire extra security or anonymity. While cryptocurrencies have traditionally been depicted as a safe haven for illegitimate or even illegal payment activities, the mainstream attention on them has created a broader appeal and audience for them. In response to the interest their customers have shown in cryptocurrencies, banks have started to delve into the potential of blockchain technology. Some have invested in tech start-up companies concentrating on various blockchain applications while others have delved more deeply into relationships with fintech partners. At this point banks’ proprietary efforts have mostly been restricted to in-house research on potential uses of blockchain, but inevitably competitive momentum will start to drive larger institutions toward developing their own projects in this space. These developments are likely to encourage efficiency, inspire leaner and more innovative business models, and serve the regtech and suptech goals of increasing cooperation with regulatory authorities. Ultimately this could help to modernize and improve the persistently staid and legacy-driven banking industry into a bolder and more transparent business model:  How banks and financial institutions are implementing blockchain technology
  • The advertising industry is newly subject to regulatory scrutiny with the upcoming EU privacy regulation, the General Data Protection Regulation (GDPR). This law will apply to any organization doing business in, using technology in, or targeting the citizens of, any EU country, so it has a broad global reach. The GDPR will impose new requirements for handling and controlling private data, including protective and disclosure obligations. Blockchain-based solutions are therefore appealing, since they can be both secure against manipulation or leakage and distributed with open access, so that users making disclosure requests can see the information directly for themselves. This will help to reduce the burden of this reporting as well as improve cost margins, rather than coming up with expensive and vulnerable in-house solutions or outsourcing the reporting to third parties with their own attendant risks: How Blockchains Can Help the Ad Industry Comply With the GDPR
  • Commercial aviation is another industry looking to blockchain systems to help with its risks – this time in cybersecurity management. Airlines and support companies rely a lot on IT systems to do everything from fly and direct aircraft to book and manage passenger travel. These systems are highly imperfect, as system outages and computer crashes that lead to flight cancellations and stranded passengers show in the news each year. They are also vulnerable to cybersecurity risks where intruders could breach personal data, disrupt airline operations, or corrupt and steal client and aircraft information. Storing and protecting this data within vulnerable or old/legacy systems poses many cybersecurity challenges. The concept of tamper-proof blockchain technology is therefore compelling to the aviation industry for these obvious reasons. Blockchain could help to keep operational data safe and protect companies from cyberattacks. More importantly, pressure to adopt it could drive aviation companies to make the difficult yet very important technological updates and improvements to their systems which will serve safety and regulatory concerns alike: How Blockchain, Cloud Can Reinforce Cybersecurity in Commercial Aviation
  • The pharmaceutical industry has long been vexed by inaccurate and unreliable supply chain tracking. It is especially vulnerable to stolen and counterfeit medication entering the supply chain untracked and finding its way to patients, putting their safety at risk. Tracking medicine with blockchain could change all this. A consortium of pharmaceutical companies, including major firms Genentech and Pfizer, are already collaborating together on a tool called the MediLedger Project, which seeks to manage the pharmaceutical supply chain and track medicines within it to ensure that drug deliveries are recorded accurately and transparently. This would take the current complicated and inefficient network of software management in the supply chain to the next level, securing the supply chain with an integrated and decentralized blockchain system. It could also enable sharing of essential information from companies to partners and customers without exposing sensitive business information, a challenge in the industry so far: Big Pharma Turns to Blockchain to Track Meds

There are many potential advantages from a compliance perspective to blockchain, which has the potential to enhance transparency, protect privacy, address various process-driven risks, and strengthen cybersecurity controls, among other benefits. As the technology advances time will tell how broad the applications of blockchain may be across these diverse industries with similar needs for compliance risk management.

Compliance lessons to learn from the 2017 Equifax cybersecurity breach

Equifax is one of the major US-based consumer credit reporting agencies. It operates globally and, due to the nature of its business, maintains sensitive and personal information on more than 800 million individuals and more than 80 million organizations.

In September 2017, Equifax announced that it had experienced a cybersecurity intrusion in July 2017 which impacted the data of up to 200 million consumers from the US, Canada, and the UK. The handling of this breach by Equifax was widely criticized and questioned. Among the controversial aspects of it were the two month delay in publicizing it, the lack of specific information about the data compromised, the inadequate and possibly even unsafe system and support provided for impacted consumers, and the perception of possible insider trading by company executives in the days after the breach took place but before it was public.

As the problematic response to this cybersecurity incident unfolded, Equifax’s various blunders and missteps in the public handling of the situation formed a guide for worst practices in such a scenario. As the dialog around Equifax’s response has shown, poor crisis management in the public eye only compounds the consumer protection problems.

  • Companies do often have legitimate reasons for delaying notifying consumers, regulators, and the public at large about data breaches. Sometimes companies do not even know they have been breached right away. Even once they are aware, sometimes law enforcement will request that they do not disclose the breach. Different types of data may be subject to different disclosure requirements, so companies also sometimes have to take time to determine what data was involved. However, these delays still can be very problematic for consumers, who can be unknowingly at risk and make assumptions about the seriousness with which their data is stored and maintained which might be very far from reality.  Why it can take so long for companies to reveal their data breaches 
  • While Equifax was taking its time notifying consumers and regulators of the data breach, questions abound about when – and what – people on the inside knew about it. This is because only a few days after the July 29 cybersecurity intrusion, on August 1 and August 2, several executives at Equifax sold shares. These transactions were not part of scheduled trading plans, but they were not total liquidations of their positions, and the company says that the executives were unaware of the breach at the time of the trades. However, the perception of possible insider trading is hard to avoid once the timing of this activity is revealed. If they truly did not know about the cybersecurity problem, it would have been wise at least to inform key senior management of the breach and advise them to avoid trading in the stock while in possession of inside information.  Three Equifax Managers Sold Stock Before Cyber Hack Revealed
  • Despite how secret most people in the US consider their financial data to be – especially social security numbers and bank account or credit card information – current privacy laws are lacking in many key areas when compared to those in other parts of the world such as the EU. Top of mind among privacy concerns, including the need for consumers to input personal data to check whether their other personal data has been compromised, is that over a month went by before Equifax notified the public of the cybersecurity incident at all. In the 40 days that went past, the data could have been used for many illicit purposes without consumers even being aware they were at risk. Laws in the US currently differ between states with regard to breach notification requirements. There is no unifying directive in the US setting the standard where personal data is concerned, such as there will be next year in the EU under the General Data Protection Regulation, which requires notification within a maximum of 72 hours. Perhaps a higher standard in the US such as this one would reinforce the seriousness of these events to organizations and improve consumer protection and communication processes when they occur.  Equifax breach disclosure would have failed Europe’s tough new rules
  • While these data breaches are unfortunately becoming so common that the public is often less alarmed by them now than in the past, irresponsible or insufficient responses by organizations to these breach still provoke justifiable outrage and calls for change. Consumers being desensitized to the exposure of their personal data just shows how widespread the problem is and how insufficiently the interests of the consumers are guarded. However exhausted the public may seem to be with the ongoing leaks and hacks of their private data, this is no excuse for organizations affected by them to respond with the same passive, indifferent attitude. Equifax’s lack of detail and inadequate communication displayed to the public that they did not care about the invasion consumers were suffering, which is quite a different message than one of fatigue by victims who have had this experience too many times to excuse. The reputational risk suffered by such corporate carelessness is extreme, and hopefully will drive consumers to advocate for a higher standard of responsibility and responsiveness from keepers of consumer data.  The Banality of the Equifax Breach
  • As the public contends with the reality of the Equifax data breach – that subsequent hacking attempts stemming from this breach are inevitable and that companies like Equifax do not meet the standard of care for protecting this private information in their possession – what can anyone do in the future? Holding companies accountable for their poor service by taking their business elsewhere is often the only choice consumers have to voice their displeasure. In the current system individuals aren’t really able to avoid the consumer credit reporting agencies, but organizations could opt to create and use independent systems with more secure infrastructures. These corporate users could drive a technological shift that would also benefit individual consumers. Blockchain and related technologies could provide the solutions to these vexing and chronic security concerns that the existing system seems unable to address.  It’s time to build our own Equifax with blackjack and crypto

Given the ever-increasing risks surrounding cybersecurity, compliance professionals and individuals interested in cybersecurity risk management can take many cues from Equifax’s handling of this situation, as described above, on what not to do. Hopefully, as organizations continue to live with the risk of such intrusions and improve their control frameworks to prevent and mitigate them, they will also pay attention to their public responses in such situations, to make sure that the statements made and guidance provided are adequate and accurate.

Creating employee awareness for cybersecurity risk management

Cybersecurity is one of the major risk areas for businesses of all sizes and a frequent examination and enforcement priority for regulators. The challenges posed by cybersecurity are diverse and serious – data privacy, breaches of sensitive customer or employee information, business continuity, reputational risk due to information leaks or data loss, physical and financial damage to IT network or infrastructure, and more.

Addressing these threats posed by possible cyberattacks or security weaknesses is very important for organizations, but all protective measures rely upon engagement of employees in accomplishing this objective. Obtaining this engagement requires effective communication to employees to raise their awareness and encourage their understanding of the daily objective at hand.

  • Make relevant policies accessible, relatable, and easy to understand: In order for employees to understand their responsibilities in a cybersecurity program, the governing policies and procedures must be simple and straightforward. The policies should be easy to locate on the organization’s intranet or in the policies manual or employee handbook. They should be written in plain English and provide the essential information and guidance necessary for employees to understand what they must do to protect the company and themselves. Individual objectives and obligations should be highlighted and reinforced by line managers.
  • Connect the cybersecurity program to stakeholder commitments: For all employees who are not IT professionals, the risks inherent to and controls necessary for cybersecurity may seem abstract. However, there are fundamental organizational values which can be concretely attached to the objectives of a cybersecurity program. Taking the privacy of customer and/or employee data seriously is not an esoteric concept; this is important to every employee on a personal level. Being trustworthy and transparent about this goal, likewise, is something everyone can support for the good of the organization. Establish a connection between the goals of the cybersecurity program and the company’s stakeholders such as customers, business partners, and regulators/supervisors. Emphasizing these duties will enable employees to see how important cybersecurity controls are to those relationships.
  • Set expectations for personal responsibility: As with all compliance risk topics, the tone at the top is critical to establishing the mood in the middle and the buzz at the bottom. Employees will not prioritize a topic unless leadership clearly and sensibly advocates for its importance. Senior management should express that each person working in an organization has individual accountability for protecting the company from cybersecurity risks and attacks. An employee’s responsibilities may seem minor or not worth publicizing, but these practical measures are often the most fundamental in keeping the organization’s IT systems secure.
  • Emphasize conduct and basic good practices: Every compliance program begins at the beginning. The building blocks of security protections must be strong starting at the most fundamental measures. Advanced protocols and encryption methods are not the message to take to the general employee population. Rather, focus on their own individual conduct and best daily practices, such as caution with data handling to avoid human error like inadvertent e-mails or lost devices and files. It is imperative that the workforce understands and takes responsibility for managing these simple, widespread risks from their own behavior.
  • Publicize successes and take action on failures: The organizational message of open seriousness about cybersecurity risks should be consistent. When there are successes – such as proactive identification and remediation of a security weakness without a data breach, or improvement in employee conduct around reporting phishing emails – publicize them and discuss them. Positive reinforcement is key. However, when there are failures – such as the detection of an unauthorized intrusion or a string of employees losing laptops and flash drives – then these too should be communicated broadly and acted upon promptly. In this case it is not negative reinforcement but rather directed analysis to improve in the areas which current evidence shows need the most work.

With the broad landscape of cybersecurity risks in view, and the methods and objectives of cyberattackers evolving continually, control frameworks for cybersecurity will remain an ongoing project in compliance programs.  Creating and maintaining basic employee awareness of and sensitivity to these risks is crucial to ensure that all other controls can be as effective as possible.
