Our new weekly feature at Compliance Week puts a slightly snarky spotlight on those compliance- and ethics-related individuals, companies, and government entities that “Failed It” this week and hands out pats on the back to those that “Nailed It.” If we missed any or if you have any nominations for next week, let us know on Twitter (@ComplianceWeek) or in the comments section below. 

Nailed It


Disney: The powerful multimedia company is among the latest to pull advertising from Facebook as part of the #StopHateForProfit campaign. More than 1,000 companies have temporarily halted advertising in the hopes of persuading Facebook into tackling hate speech and harassment on the social media site with more force. Other companies involved in the effort, led by the NAACP and the Anti-Defamation League, include Coca-Cola, Microsoft, Target, Starbucks, Verizon, and more. — DeAnn Orie

Paypal and Western Union: The coronavirus pandemic has moved the masses to donate financially to various relief efforts, and cyber-criminals are at the ready to capitalize on any well-meaning gullibility. Compliance teams at these two payment companies are updating their investigative processes to focus on COVID-19-related scams. Both companies draw on internal and external sources of intel, like tips from law enforcement, internal investigations, and merchant reviews, to enhance transaction monitoring systems and identify suspicious transactions. Nice to see companies challenging the old saying “no good deed goes unpunished.” — Aly McDevitt

Germany: The General Data Protection Regulation extends throughout the European Union, but one gets the feeling it has a bit more teeth in Germany. The country’s Constitutional Court last Friday ruled law enforcement has too much leeway in accessing citizens’ personal data, ordering for current laws to be revised by 2021. The victory is the latest in a string of pro-privacy decisions in the country and gives Germany a greater leg to stand on when it calls out its GDPR peers. — Kyle Brasseur

IIA: The Institute of Internal Auditors’ new update to the “Three Lines of Defense” model seemed long overdue for many within the compliance community. The new “Three Lines Model,” as it is now referred to, looks past solely focusing on what department goes with which line to instead promote collaboration and fluidity between the risk management layers of an organization. Time has continued to tell compliance is rarely maintained when its parts are broken into silos, so this is a change we can get behind. — Kyle Brasseur

Ireland: Just eight days after introducing a national contact tracing app to battle the coronavirus, the country reports the app has been downloaded 1.3 million times (about 36 percent of the adult population). That impressive rate of adoption suggests it will be a critical tool for the Irish to keep their COVID-19 cases down as the world heads into the uncertain months ahead. The United States, meanwhile, doesn’t even have a plan to make available a national contact-tracing app, and few states are developing ones of their own. The guess here is that months from now angry Americans are going to be shaking their heads as COVID-19 continues to spread, while more progressive nations like Ireland enjoy the hard-earned freedoms that a disciplined, centralized, technology-powered contact-tracing strategy enables. — Dave Lefort


Failed It


Washington (NFL): Two weeks after Compliance Week credited FedEx with nailing it for pressuring the football team to launch a formal review of their controversial name and mascot, and one week after the team announced they’d retire the name and logo, the organization is in trouble again—this time for claims of sexual harassment of female staff. Fifteen women have come forward with allegations of verbal abuse, aggressive advances, and other inappropriate conduct. Two of the accused top executives have abruptly left the organization—one (semi-)voluntarily, the other not. When a surge of societal reckoning comes along, don’t expect it to apply to one form of discrimination. You don’t get a cookie for publicly combatting racism while privately condoning sexism. — Aly McDevitt

Apple: Victims of an iTunes gift card scam are suing Apple for allegedly refusing to help them reclaim their funds. The 11-count class-action lawsuit says Apple is lying by contending there is no way to trace or refund the value of the cards. The reason? According to reports, Apple owns a significant 100 percent chunk of the funds for four to six weeks after their purchase and before paying the developer, meaning that during this time it is completely capable of funding 100% of the value. In addition, it takes a 30 percent commission and, as such, would always be able to offer a refund. — DeAnn Orie

China’s supply chain: A New York Times investigation into the Chinese government’s practice of forcing Uigher minorities to work in factories for little or no pay uncovered this supply chain dilemma: Some masks and other personal protective equipment (PPE) manufactured using forced labor have been sold in the United States. On Monday, the U.S. Department of Commerce placed 11 more Chinese manufacturers on the Entity List for human rights abuses.  It’s another ethics headache for American companies attempting to procure high-quality, ethically sourced PPE in a marketplace already brimming with fraudsters and opportunists. — Aaron Nicodemus

PG&E: The hits keep coming for the natural gas company, though it is nothing compared to the devastation it has caused in California in recent years. PG&E late last week was found responsible for starting the 2019 Kincade Fire that ripped through nearly 80,000 acres of the state, and it is fortunate the blaze resulted in no fatalities—unlike the 2018 wildfire it caused. The governor of California last month approved legislation that would allow the state to take over PG&E, a backstop that seems increasingly necessary for the general safety of its residents. — Kyle Brasseur

Google: A New York Times story pulled back the veil on Google’s privacy promises regarding software it created to support a coronavirus app. In April, Google and Apple announced free software that would allow government apps to warn citizens if they came into contact with someone infected with coronavirus, without impinging on their privacy. Despite the company’s repeated assertions that the software protects the privacy of its users, turns out that Google can still collect a user’s location. It’s just too much to ask of Google to re-engineer its super successful business model (which monetizes data for profit) into something that protects users’ privacy. — Aaron Nicodemus