Tips, strategies, and frustrations about how to manage compliance programs more effectively were the dominant theme at Compliance Week 2009, as corporate compliance officers everywhere voiced concerns about the increasing risks their departments must manage—with ever-tighter budgets.

The bad economy is a risk in its own right, according to Cynthia Jackson, a partner in the law firm Baker & McKenzie, since laid-off or otherwise unhappy employees are often tempted to report companies for alleged misconduct. They can also complain that they were wrongfully terminated, which means companies must be even more careful to run whistleblower hotlines and workforce reductions properly.

“Employees are the most common source of whistles being blown in an economic downturn,” Jackson told attendees at one conference session. “If you have to do reductions in force or other cost-cutting measures, ensure you’re doing them in a compliant manner.”

The key, she said, is a carefully crafted global Code of Conduct. To that end, companies must consider local laws in all of the countries in which they operate—and where their employees, directors, officers, and suppliers are based—before they roll any new or updated code out.

In the United States alone, companies face a host of whistleblower reporting and protection obligations under the Sarbanes-Oxley Act, the U.S. Sentencing Guidelines, stock exchange listing rules, and rules governing federal contractors. All could potentially conflict with companies’ obligations for data privacy overseas, which employees could use as grounds for a wrongful termination complaint.

Europe can be particularly tricky, since many nations there discourage anonymous reporting. The Article 29 Working Party did issue guidance (Opinion 1/2006) to help companies reconcile the anonymous whistleblower hotlines required under SOX with EU data protection rules, but Jackson warned that those conflicts endure, and various EU member states have adopted their own interpretations of the Working Party guidance, further complicating matters in some cases.

Cynthia Jackson of the law firm Baker & McKenzie walks CCOs through the challenges of hotline compliance when cutting staff.

That’s all the more reason companies need to draft the whistleblower and employee protection provisions in their global codes of conduct carefully, Jackson said. Local requirements vary: in some countries companies may have an obligation to consult with the local works councils; other countries require the Code to be incorporated into the company’s internal regulations before it takes effect; and still others require personal data about their citizens to be collected and processed according to specific rules, which creates headaches whenever that data must be transmitted to the United States or elsewhere for any reason.

Non-compliance with European data privacy standards can result in fines or criminal sentences. So before any workforce reduction, Jackson said, companies must “get straightened up” on the precise rules applicable to them first, “because if [European regulators] find out you’re non-compliant because an employee has gone in to complain, they’re not going to be as forgiving.”


Some employment provisions common in U.S. codes can create compliance headaches if applied overseas. For example, few countries beyond the United States recognize at-will employment. And provisions that allow corporate monitoring of employee communications via company-owned devices, such as e-mails sent on company computers, may be ubiquitous in the United States, but they carry a host of exceptions in Europe. Moreover, in some jurisdictions, companies may have to demonstrate the need for a layoff to the local government, and employee selection criteria and severance pay obligations may be dictated by local statute.

Companies may also face significant notice and consultation obligations with works councils or unions. For that reason, Jackson warned that U.S. companies announcing layoffs that affect overseas workers must carefully study how they should communicate those announcements. Wall Street may applaud news of job cuts, she said, but if those decisions are made in haste, “You’ve just globally publicized the fact that you flipped off the employees’ works councils and trade unions, who will take that unkindly when you try to have a consultation with them later.”

Privacy Proliferation

The growing web of privacy, security, and identity theft prevention laws is also creating a major challenge for compliance departments. Dean Forbes, senior director of global privacy at Schering-Plough Corp. and a former staff attorney for the Federal Trade Commission, said ID theft has been the FTC’s top consumer complaint for more than five years running. Companies are struggling to comply with a patchwork of laws regulating information security and privacy, such as the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, and the EU Data Protection Directive, to name a few.


James Koenig, practice leader for privacy and compliance at PricewaterhouseCoopers, said 44 states now have breach notification laws in place requiring disclosure of privacy or ID theft incidents. Further, the HITECH Act, included within the American Recovery and Reinvestment Act, changed HIPAA’s privacy and security rules in ways that apply to the protected health information that resides in the files of “virtually every human resource function,” he said.

Given the exploding number of privacy rules and statutes, companies should try to develop a global privacy policy to tackle the tangle of laws that apply to their organizations, rather than respond to each one individually, Forbes and Koenig said at one presentation.

“Make one long master list of the data elements your company is going to regulate in the jurisdictions you’re in and have a common set of controls around it,” Koenig said. “You already defined all of this stuff for financial reporting information, so SOX is a great place to leverage.”

Forbes noted that the FTC has taken the position that merchants can be held responsible for the actions or inactions of their vendors. He advised compliance departments to work with in-house procurement and legal departments to build privacy obligations and protections into vendor contracts.

Forbes also suggested companies establish a global approach to address data transfer issues. Once again, EU data privacy rules that restrict the transfer of personal data pose a compliance challenge for multinationals.

Schering-Plough, for example, relies on a Safe Harbor Certification from the Department of Commerce to address privacy issues that arise from data transfers (say, transfers that arise during acquisitions, when employee data from around the globe passes through U.S. headquarters). But, Forbes admitted, getting that certification was a “huge endeavor” that took more than a year.