CEPCOMPLIANCE & ETHICS PROFESSIONAL - Go ...
CEP
COMPLIANCE & ETHICS PROFESSIONAL MAGAZINE
JANUARY 2021
a publication of the Society of Corporate Compliance and Ethics

RENÉE WARDLAW
Senior Director of Corporate Compliance and Associate General Counsel for Bristol Bay Native Corporation, Anchorage, Alaska, USA

In this issue:
• Enhancing processes is just the tip of the iceberg (p10)
• Returning to business travel: Mitigating risk for your employees (p16)
• Protecting corporate data in the work-from-home era (p20)
• Rethink your policy management system to strengthen your compliance program (p26)
• Balancing effective compliance policies against the ubiquity of ephemeral messaging (p32)
We’ve moved!

Effective January 1, 2021, the Society of Corporate Compliance and Ethics & Health Care Compliance Association’s new address is:

6462 City West Parkway
Eden Prairie, MN 55344

While our address has changed, our member service contact information remains the same:

Phone: +1 952.933.4977
Toll-free: 1.888.277.4977
Fax: +1 952.988.0146
Email: helpteam@corporatecompliance.org

corporatecompliance.org
Letter from the CEO

New year, new address for SCCE
by Gerry Zack

Think of this month’s letter as part two of the letter I started last month. As we begin 2021, many of us are optimistic that better days lie ahead. When the COVID-19 pandemic became a serious threat last March, we did what many organizations did; we made a lot of quick decisions to protect our employees and our members, resulting in a remote workforce, the cancellation of in-person conferences, and gradual conversion to or development of virtual events. I discussed many of these changes last month.

Along the way, SCCE faced another decision. We were already well along in the development of a new headquarters we had purchased, having significantly outgrown our old and very outdated building. Should we have stopped immediately? The alarmists were saying things like, “COVID-19 changes everything. People will never return to an office environment.” Should we have followed that logic and abandoned the build-out of the new office?

We decided to move ahead and finish the work, and the result is the new office address you’ll see in this magazine, on our website, and on all of our materials beginning January 1. When people ask why, the answer is rather simple.

First, people will want to return to an office. We’ve learned that remote working can be efficient, so there will be greater use of remote-working options. But there will be a desire and need for working together in an office once it becomes safe to do so.

And this leads me to the second, and more important, reason. When our employees return, whenever that is, we want them to be in an environment they enjoy, so they will be happy, productive, and proud of their organization. Our old office was overcrowded and inefficient in every respect. The new office will lead to improved productivity and increased capacity. In addition, we were able to incorporate several COVID-19 considerations into the design, enabling greater capabilities for social distancing and other health and safety measures.

The pandemic has been a setback for all of us. But rest assured that SCCE was well positioned to deal with it, and we have continued to take action so that when the craziness subsides and we gradually return to something resembling normal, this association will be stronger than before and able to serve the profession better for many years to come. CEP

Gerry Zack, CCEP, CFE, CIA
Please feel free to contact me anytime to share your thoughts:
+1 612.357.1544 (cell)
+1 952.567.6215 (direct)
gerry.zack@corporatecompliance.org
@Gerry_Zack
/in/gerryzack

                                                                                                                     CEP 1
CEP
COMPLIANCE & ETHICS PROFESSIONAL MAGAZINE
a publication of the Society of Corporate Compliance and Ethics
January 2021

“Our executive team understands that compliance is a crucial component of any successful business.” See page 13

Columns
1   Letter from the CEO, by Gerry Zack
15  A view from abroad, by Sally March
19  The other side of the story, by Shin Jae Kim
25  EU compliance and regulation, by Robert Bond
31  Culture is all of our business, by Nick Gallo and Gio Gallo
37  Driven, by Walter E. Johnson
53  How to be a wildly effective compliance officer, by Kristy Grant-Hart
66  The last word, by Joe Murphy

Features
10  Meet Renée Wardlaw: Enhancing processes is just the tip of the iceberg
    an interview by Adam Turteltaub
16  Returning to business travel: Mitigating risk for your employees
    by Michael F. Savicki
    Prepare now for the return of business travel to mitigate risk for employees and your organization.
20  Protecting corporate data in the work-from-home era
    by Melody Haase
    There is no one-size-fits-all solution to data loss, but there are key aspects to keep in mind.
26  Rethink your policy management system to strengthen your compliance program
    by J. Veronica Xu
    Policy management is an important facet of creating a culture of compliance.
32  [CEU] Balancing effective compliance policies against the ubiquity of ephemeral messaging
    by Daniel J. Polatsek
    Self-deleting message apps can be great for security — but also for concealing unlawful conduct.

CEP Magazine (ISSN 1523-8466) is published by the Society of Corporate Compliance and Ethics (SCCE), 6462 City West Parkway, Eden Prairie, MN 55344. Subscriptions are free to members. Periodicals postage-paid at Saint Paul, MN 55112. Postmaster: Send address changes to CEP Magazine, 6462 City West Parkway, Eden Prairie, MN 55344. Copyright © 2021 Society of Corporate Compliance and Ethics. All rights reserved. Printed in the USA. Except where specifically encouraged, no part of this publication may be reproduced, in any form or by any means, without prior written consent from SCCE. For subscription information and advertising rates, call +1 952.933.4977 or 888.277.4977. Send press releases to SCCE CEP Press Releases, 6462 City West Parkway, Eden Prairie, MN 55344. Opinions expressed are those of the writers and not of this publication or SCCE. Mention of products and services does not constitute endorsement. Neither SCCE nor CEP is engaged in rendering legal or other professional services. If such assistance is needed, readers should consult professional counsel or other professional advisors for specific legal or ethical questions.

2 CEP
VOLUME 18, ISSUE 1
+1 952.933.4977 or 888.277.4977 | corporatecompliance.org

Departments
5   News
7   SCCE news
9   People on the move
67  Takeaways
68  SCCE upcoming events
69  2020 CEP index

Articles
38  Engage with your marketing team to avoid influencer marketing risks
    by Caroline Franco
    Influencer marketing predates social media, and as the practice evolves, so do the risks.
44  [CEU] Your organization has received a data access request. What now?
    by Patrick O’Kane
    Is your company ready to handle a data access request under GDPR and the CCPA?
48  New data reveal the growth of compliance in Latin America
    by Alejandra Montenegro Almonte and James Tillen
    Explore the diverse and ever-changing compliance landscape in Latin America.
54  Ensuring organizational justice for all
    by Emeka N. Nwankpah
    Does your organization treat all investigations with fairness and consistency?
58  [CEU] Is your company’s job applicant-tracking system making compliant inquiries?
    by MaryEllen O’Neill
    Examine your tracking system for job applicants. You may uncover some inappropriate — or illegal — practices.

CEP Magazine is printed with 100% soy-based, water-soluble inks on recycled paper, which includes 10% post-consumer waste. The remaining fiber comes from responsibly managed forests. The energy used to produce the paper is generated with Green-e® certified renewable energy. Certifications for the paper include Forest Stewardship Council (FSC), Sustainable Forestry Initiative (SFI), and Programme for the Endorsement of Forest Certification (PEFC).

EDITOR-IN-CHIEF
Joe Murphy, Esq., CCEP, CCEP-I
Senior Advisor, Compliance Strategists
jemurphy5730@gmail.com

EXECUTIVE EDITOR
Gerard Zack, CCEP, CFE, CPA, CIA, CRMA
Chief Executive Officer, SCCE & HCCA
gerry.zack@corporatecompliance.org

PUBLISHER
Yogi Arumainayagam
Vice President of Publications, SCCE & HCCA
yogi.arumainayagam@corporatecompliance.org

ADVISORY BOARD
Mónica Ramírez Chimal, MBA, Managing Director, Asserto RSC, mramirez@asserto.com.mx
Odell Guyton, Esq., CCEP, CCEP-I, VP Global Compliance, Klink & Company, guytonlaw1@msn.com
Melody Haase, Project Manager, 4Discovery, melody@4discovery.com
Miguel Rueda, MBA, CCEP, Director, Audit & Compliance, Air Canada, miguel.rueda@aircanada.ca
Terry Stechysin, Compliance Director, Competition Bureau Canada, terence.stechysin@canada.ca
Greg Triguba, JD, CCEP, CCEP-I, Principal, Compliance Integrity Solutions, greg.triguba@compliance-integrity.com
Ibrahim Yeku, BL, CCEP-I, Barrister, Solola & Akpana, yekuduke@yahoo.com
Rebecca Walker, JD, Partner, Kaplan & Walker LLP, rwalker@kaplanwalker.com

STORY EDITOR
Margaret Martyr, +1 952.567.6225 or 888.277.4977, margaret.martyr@corporatecompliance.org

ADVERTISING
Mary Ratzlaff, +1 952.567.6221 or 888.277.4977, mary.ratzlaff@corporatecompliance.org

COPY EDITOR
Bill Anholzer, +1 952.405.7939 or 888.277.4977, bill.anholzer@corporatecompliance.org

PROOFREADER
Marina Jyring, +1 952.405.7924 or 888.277.4977, marina.jyring@corporatecompliance.org

DESIGN & LAYOUT
Pete Swanson, +1 952.405.7903 or 888.277.4977, pete.swanson@corporatecompliance.org

FRONT COVER AND PAGE 10: Photography by Michael Dinneen @ dinneenphoto.com

STOCK PHOTOS BY STOCK.ADOBE.COM
Page 7: © iana_kolesnikova; Page 16: © Pavlo Vakhrushev; Page 20: © methaphum; Page 26: © Pixel-Shot; Page 32: © Stanisic Vladimir; Page 38: © oatawa; Page 40: © REDPIXEL; Page 44: © vectorhot; Page 48: © wirat; Page 50: © bakhtiarzein; Page 54: © Zern Liew; Page 58: © Rawpixel.com; Page 60: © pathdoc

                                                                                                                                                                                                       CEP 3
Regional Compliance & Ethics Conferences

Updates on the latest news in regulatory requirements, compliance enforcement, and strategies to develop effective compliance programs. These one-day events include general and specialty sessions, as well as opportunities to network with industry peers. Attendees will have the opportunity to earn live Compliance Certification Board (CCB)® continuing education units (CEUs). Virtual and in-person conference formats vary.

• January 8, 2021 • Asia (VIRTUAL)
• January 22, 2021 • Southern California (VIRTUAL)
• February 4, 2021 • South America (VIRTUAL)
• February 11, 2021 • Middle East & Africa (VIRTUAL)
• February 26, 2021 • Alaska (VIRTUAL)
• March 5, 2021 • Minneapolis, MN (VIRTUAL)
• March 26, 2021 • Boston, MA (VIRTUAL)
• April 8, 2021 • Asia (VIRTUAL)
• April 23, 2021 • Tampa, FL (VIRTUAL)
• May 7, 2021 • Richmond, VA (VIRTUAL)
• May 14, 2021 • San Francisco, CA (VIRTUAL)
• June 18, 2021 • Nashville, TN (VIRTUAL)
• July 16, 2021 • Chicago, IL (VIRTUAL)
• August 13, 2021 • Atlanta, GA (VIRTUAL)
• September 17, 2021 • Scottsdale, AZ (VIRTUAL)
• October 8, 2021 • Washington, DC
• October 22, 2021 • Dallas, TX
• November 5, 2021 • Columbus, OH
• November 12, 2021 • Seattle, WA
• December 3, 2021 • Philadelphia, PA

Visit the website for more information
corporatecompliance.org/regionals
News

US sanctions Russian research facility for alleged cybercrimes

The United States Department of the Treasury’s Office of Foreign Assets Control announced sanctions against the State Research Center of the Russian Federation FGUP Central Scientific Research Institute of Chemistry and Mechanics, or TsNIIKhM, on October 23.1

The research center is accused of using malware to target facilities in the Middle East in 2017 and again in the US in 2019. The attack in the Middle East focused on a petrochemical facility, while the US attacks were probes to identify security vulnerabilities in the domestic energy infrastructure.

“‘The Russian Government continues to engage in dangerous cyber activities aimed at the United States and our allies,’” said Secretary Steven Mnuchin.2 “‘This Administration will continue to aggressively defend the critical infrastructure of the United States from anyone attempting to disrupt it.’”

Brazilian meatpacking company settles multiple investigations by US authorities

Brazil’s J&F Investimentos and JBS SA agreed to pay fines to the United States Department of Justice and the Securities and Exchange Commission for bribery and insider trading.3 J&F, owned by two Brazilian brothers, controls JBS, the largest meatpacking company in the world.

The brothers admitted to bribing Brazilian politicians in order to gain financing and other benefits for the company. The bribery scheme involved multiple subsidiaries of J&F, including Pilgrim’s Pride. The DOJ fined the company $256 million, but half of the full penalty amount was credited to fines paid to the Brazilian authorities.

J&F now has extensive holdings in the US, and as equity analyst Marco Saravalle told The Wall Street Journal,4 “The important thing about the company is that they have good operational assets and the executives are motivated to produce results for shareholders.”

ICO fines Marriott 18.4 million pounds for data breach

After extended investigations and negotiations, the United Kingdom’s Information Commissioner’s Office levied a fine of £18.4 million against Marriott International Inc. for a data breach that occurred in 2014.5 The breach was one of the largest leaks of personal data in recent years, affecting more than 300 million guests. The breach affected Starwood Hotels and Resorts Worldwide Inc., which Marriott acquired in 2016.

The investigation was complicated by Brexit, the passage of the General Data Protection Regulation (GDPR), and the fact that Marriott was accepting responsibility for a breach that happened prior to the acquisition. The Information Commissioner’s Office stated that the fine was under GDPR and in cooperation with European Union data protection authorities.

UK Serious Fraud Office releases DPA guidance

The United Kingdom’s Serious Fraud Office published new guidance related to deferred prosecution agreements (DPAs).6 The guidance, nested in the office’s internal SFO Operational Handbook, offers insight into how the office will approach DPAs, what is required of companies that seek to enter such an agreement, and some of the standard requirements placed upon companies that do enter DPAs.

The guidance also clearly delineates the procedures involved in securing a DPA; what information, if any, is released to the public; how a DPA looks when entered into the legal record; and the criminal offenses to which DPAs can apply.

One of the most salient parts of the guidance, from a company’s point of view, describes the procedures prosecutors must go through in order to determine whether a company should be prosecuted in court or whether the Crown should enter into a DPA. CEP

Endnotes
1. Maggie Miller, “Treasury sanctions Russian group accused of targeting US critical facilities with destructive malware,” The Hill, October 23, 2020, https://bit.ly/2Jhofdf.
2. United States Department of the Treasury, “Treasury Sanctions Russian Government Research Institution Connected to the Triton Malware,” news release, October 23, 2020, https://bit.ly/3oDTAax.
3. Harry Cassin, “Brazil holding company agrees to pay $285 million to settle FCPA violations,” The FCPA Blog, October 14, 2020, https://bit.ly/3kItn8l.
4. Luciana Magalhaes, Samantha Pearson, and Jacob Bunge, “Meat Giant JBS’s Owner Settles U.S. Corruption Charges,” The Wall Street Journal, October 14, 2020, https://on.wsj.com/31WR0mf.
5. Jonathan Armstrong and André Bywater, “Client Alert: ICO Fines Marriott £18.4m after Data Breach,” Cordery Compliance, November 3, 2020, https://bit.ly/3oSh5wC.
6. United Kingdom Serious Fraud Office, “Deferred Prosecution Agreements,” SFO Operational Handbook, accessed November 9, 2020, https://bit.ly/3eftBRY.

VIRTUAL Compliance & Ethics Essentials Workshop

Be a more effective member of your compliance team. Attend our new virtual Compliance & Ethics Essentials Workshop for an introduction to compliance and ethics taught by industry leaders. The curriculum focuses on the core elements of an effective compliance program to help you build a foundation for your career.

Workshops are limited to 150 participants. Register early to secure your spot!

In addition to the valuable education this program provides, participants also will be able to earn all of the continuing education units (CEUs) required to sit for the Certified Compliance & Ethics Professional (CCEP)® exam. Interested in elevating your career? To learn more about eligibility and other Compliance Certification Board (CCB)® exams, visit corporatecompliance.org/certification.

Topics include:
• Introduction and background to compliance and ethics programs
• Standards and procedures
• Governance, oversight, and authority
• Risk assessment
• Due diligence in delegation of authority
• Communication and training
• Incentives and enforcement
• Monitoring, auditing, and reporting systems
• Investigations
• Response to wrongdoing
• Program improvement
• Overview of FCPA, UK bribery, conflict of interest, and privacy and data security
• Key skills necessary for compliance professionals

UPCOMING WORKSHOPS
January 11–14, 2021
March 1–4, 2021

Learn more
corporatecompliance.org/essentialsworkshops
SCCE news

SCCE Association News
SCCE Compliance & Ethics Essentials Workshops
corporatecompliance.org/essentialsworkshops

SCCE’s Compliance & Ethics Essentials Workshops provide a comprehensive introduction to the elements of a compliance program. These virtual programs are ideal for individuals with less than two years of experience in compliance, including those who have just entered compliance for the first time.
   The four days of training are designed to help new compliance professionals develop and improve their compliance skills and become more effective members of the compliance team.
   Attendees will have the opportunity to earn 21.6 live Compliance Certification Board (CCB)® continuing education units (CEUs) from their desk, enough to sit for the Certified Compliance & Ethics Professional (CCEP)® exam.*
   Workshops are limited to just 150 participants. Don’t wait to enroll.

Upcoming workshops
◆ January 11–14, 2021
◆ March 1–4, 2021

Learn more:
www.corporatecompliance.org/essentialsworkshops

*To see all the requirements to sit for the certification exam, including work experience, please visit www.corporatecompliance.org/certification. CEP

Stay informed
             The Compliance & Ethics Blog
             Read educational insights and compliance news from industry
             professionals or share your knowledge with the compliance and ethics
             community by submitting an article.

             Compliance Perspective Podcasts
             Listen to the insights of compliance and ethics experts as they discuss
             everything from assessing risk, understanding the latest regulations,
             reporting to the board & training your workforce.

Subscribe to Compliance Perspectives here:
◆ iTunes: apple.co/1TCNS24
◆ Email: bit.ly/podcastsub
◆ Android: bit.ly/1Z3S2la

Learn more
complianceandethics.org
PEOPLE on the MOVE

◆ Aida M. Lebbos has joined the University of Maryland Global Campus as associate vice president, institutional compliance and risk, in Adelphi, Maryland, USA.

◆ In Purchase, New York, USA, Allison Kiene has been appointed Argo Group’s new group general counsel.

◆ New York-based Gemini Trust Co. LLC announced the appointment of Andy Meehan as chief compliance officer for the Asia-Pacific region.

◆ Ashley Carr is the new director of code enforcement for the city of Clarksburg, West Virginia, USA.

◆ In Madison, Wisconsin, USA, Katie Ignatowski has been promoted to chief compliance officer for the University of Wisconsin system.

WHERE’S YOUR CAREER TAKING YOU?
If you’ve received a promotion or industry award, accepted a new position, or added a new staff member to your compliance department, let us know! It’s a great way to keep the compliance community up to date.
To submit your news, visit http://bit.ly/2snNxdJ or email margaret.martyr@corporatecompliance.org

CEP MAGAZINE is also available online on compliancecosmos.org

Cover Feature

ENHANCING PROCESSES IS JUST THE TIP OF THE ICEBERG

Meet Renée Wardlaw
Senior Director of Corporate Compliance and Associate General Counsel for Bristol Bay Native Corporation in Anchorage, Alaska, USA

an interview by Adam Turteltaub

Renée Wardlaw (rwardlaw@bbnc.net) was interviewed by Adam Turteltaub (adam.turteltaub@corporatecompliance.org), Chief Engagement & Strategy Officer at SCCE & HCCA.
Feature

AT: First, it would be good if you could give an overview of the Bristol Bay Native Corporation’s purpose and structure. It’s unique.

RW: Unique is an understatement. Bristol Bay Native Corporation (BBNC) was established by the Alaska Native Claims Settlement Act of 1971 with the mission of “Enriching Our Native Way of Life.” Headquartered in Anchorage, Alaska, BBNC works to protect the land in Bristol Bay, celebrate the legacy of its people, and enhance the lives of its shareholders — the Native people of Southwest Alaska’s Bristol Bay region. BBNC has five separate and distinct business lines, which include industrial services, government services, construction, tourism, and seafood. Our businesses are diversified with successful operations that house subject matter expertise in specific industries. While we are a for-profit corporation, we are unique in that our shareholders receive dividends derived from business profits. We are proud to work in partnership with our subsidiaries to ensure that all employees are operating with integrity and fulfilling BBNC’s mission to enrich the lives of our shareholders.

AT: Like many other native organizations, you are also a government contractor. What kind of complexity does that add to the compliance program?

RW: It is a bit complex, but I’ll try to explain it simply. Alaska Native corporations are eligible to participate in the Small Business Administration (SBA) 8(a) Business Development Program and, by federal statute, are deemed socially and economically disadvantaged. BBNC has been involved in government contracting since early 2000 and has been fortunate to have minimal turnover in key leadership. Those key leaders have in-depth technical and management experience to navigate the regulations and complexities pertaining to government contracting. Applicable laws are routinely updated and strictly enforced with severe penalties for offenses. It is critical to have a compliance program that meets mandatory requirements: qualified personnel, processes and policies, mandated training, internal controls, and reporting obligations. Our code of ethics provides an overarching resource to all employees and includes a specific section on the importance of business ethics and integrity in government contracting. Additionally, we have a network of employees enterprise-wide who have expertise in specialized areas of government contracting in the SBA 8(a) program.

AT: I want to focus for a bit on you and your experiences. Normally, graduate degrees don’t come up in these interviews, but you have both a JD and an MBA. There are lots of lawyers in compliance, but not as many MBAs as there probably should be. How does the MBA inform the way you approach compliance issues?

RW: Having multiple interests can be a gift and a curse. I obtained my JD and MBA in a joint program at American University in Washington, DC. I have always been interested in business. I believe that compliance professionals are an essential resource for successful business operations. I first try to approach any compliance issue by looking at the perspective of the various stakeholders involved in the matter, along with BBNC’s policies. Because I have an MBA, I feel I can better appreciate the business perspective and efficiently resolve questions or concerns about a proposed resolution. This augments my role as not only an issue spotter but also a problem solver.

AT: You also had experience working as a prosecutor, working as an assistant attorney general in Alaska. How well do you think prosecutors at the state level appreciate compliance programs?

RW: I am sure that fellow compliance professionals will agree with me that all prosecutors are compliance champions, whether they realize it or not. As an assistant attorney general, I represented the Alaska Division of Banking and Securities.
   A civil or criminal matter would come to the division’s attention, and then we would investigate the issue and process the matter for resolution. From time to time, a matter would push the division to draft new statutes or regulations
to accomplish a widespread fix to an underlying issue. I gained a wealth of experience in statute and regulation writing and internal investigations. This knowledge provided me with an excellent foundation for working in a diversified corporate environment.
   Prosecutors and compliance professionals engage in a similar loop of proactive measures focused on reducing and resolving risks. I believe prosecutors appreciate the importance of compliance programs and value their function to reduce and resolve civil or criminal matters.

AT: Let’s go back to your day-to-day work. BBNC operates in almost all 50 states and nearly 16 countries. How does it stay interconnected to ensure all its employees are operating with integrity?

RW: Connecting with others is my favorite part about being a compliance professional for BBNC. We have grown leaps and bounds over the past 10 years, and are proud of our growth and commitment to integrity in the US and abroad. Because its employee population spans the globe, BBNC uses technology as a tool to ensure its employees have the most up-to-date resources available to them. We maintain an electronic policy library, including an interactive code of ethics, and use an electronic learning management system to create and deploy customized trainings in various areas. At BBNC, we want to make sure that employees not only know the rules for business but that they also know how to make ethical and compliant business decisions.
   In alignment with the most recent Department of Justice guidance for corporate compliance programs,1 BBNC and its subsidiaries use a risk-based approach to create and maintain right-sized compliance programs. Where some of our businesses have more significant risks and regulatory oversight, it is important to rely on qualified personnel within the specific business to develop and maintain appropriate compliance programs. We strive to be in partnership with subject matter experts to ensure we are delivering the right amount of compliance to reduce overall risks to operations.

AT: BBNC headquarters are in Anchorage, Alaska, which is a remote location. How does it ensure its leaders incorporate ethics and compliance into their business operations?

RW: Being in alignment with leadership has proven to be a great asset to BBNC’s compliance and ethics initiatives. For the past 11 years, BBNC, with the support of the executive team and board of directors, has hosted an Annual Leadership & Compliance Conference. The conference brings together BBNC leadership from across the country to receive training in leadership, compliance, and ethics. The conference attendees are charged with sharing the training with their employees. Sharing information from the top ensures that the message of compliance and ethics is spread to all employees. BBNC has never wavered from its commitment to operating with integrity as it has continued on a trajectory of growth.
   This year, we supplemented our conference with our first Spotlight on Compliance, which was a weeklong series of events, release of tools and materials, and outreach to each of our employees. The Spotlight on Compliance allowed BBNC to deliver the message that each of us is the i in “integrity.” We are looking forward to this being an annual event.

AT: What comprises BBNC’s compliance department?

RW: The compliance department is overseen by the chief compliance officer (CCO), who reports to the general counsel. I, as the senior director of compliance, report to the CCO, and I am charged with carrying out the compliance program, including developing and tracking training, policy management, investigations, and compliance-driven incentives. Our compliance specialist provides administrative support to the team. Our records and information management team, which manages the life cycle of records for the organization and its subsidiaries, is also a part of the compliance department.


AT: How does BBNC’s leadership support compliance within the organization?

RW: Leadership is not only about talking the talk but also about walking the walk. The executive team is committed to an ethical corporate culture. BBNC promotes a servant-leadership philosophy, which focuses on the development of good corporate citizens who are empowered to make ethics and compliance a part of their everyday life. Our executive team understands that compliance is a crucial component of any successful business and models supportive leadership throughout the organization, holding themselves to the highest standards. Their support of the compliance department and active participation in the Annual Leadership & Compliance Conference is a true demonstration of talking the talk and walking the walk.

AT: Finally, let’s look to the future. How do you see compliance evolving over the next few years?

RW: The most exciting aspect of being a compliance professional is the never-ending areas where compliance and ethics can enhance existing processes. I see compliance becoming more integrated into the day-to-day business decisions of a successful corporation. I believe that compliance professionals can bring significant value to their business operations by promoting electronic collaboration tools. Ultimately, compliance is grounded in genuine and authentic relationships with others. So long as compliance professionals stay connected to the business operations they serve, they will be valued members of a successful business team.

AT: Thank you, Renée! CEP

Endnotes
1. U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs (Updated June 2020), http://bit.ly/2Z2Dp8R.

Save the Date

2021 CEI
Compliance & Ethics Institute
September 19-22

Learn more
corporatecompliance.org/2021CEI
A view from abroad

Personal impact statement
by Sally March

On December 31, the UK’s Brexit transition period comes to an end. As I write this, the representatives of the UK and EU are still talking about whether a trade deal can be reached and, if so, what it will look like. With no clarity and only days left to prepare, on top of the fluid responses here and in other countries to COVID-19, we have uncertainty squared. Also, though I am writing before the US election has been certified, the count kept us on the edge of our seats. In uncertain times, psychologists advise us to focus on the things we can control.
   Business pundits are advising senior executives to focus on purpose. As one of these firms puts it, “What is your company’s core reason for being, and where can you have a unique, positive impact on society?”1 Employees feel that purpose is important, yet most say that if their company has a purpose statement, it isn’t having an impact. We’ve seen some good examples in the past year of companies that do have a clear purpose and whose leaders use that to make tough decisions in tough times. Unilever, for example, has clear purpose, values, and principles, and as part of its commitment to communities, it has been promoting good hand-washing habits around the world for years. In 2020, they brought their experience to schools in the UK, helping teachers when schools reopened.
   Not all of us can have input on our corporate purpose statement, but each of us can, and should, be clear about our own purpose. It’s probably not in a job description, but understanding how our role fits in with the organization’s objectives is a good start. Ask, “Where can I have a positive impact?” At this stage, mine is to inspire the new generation of ethics and compliance professionals to think beyond boundaries. And for leaders, helping team members understand their unique purpose will help them focus on things they can control in these uncertain times. CEP

Sally March (sjmarch10@gmail.com) is Director, Drummond March & Co, in London, UK.

Endnotes
1. Arne Gast et al., “Purpose: Shifting from why to how,” McKinsey Quarterly, April 22, 2020, https://mck.co/3jY6pbO.

RETURNING TO BUSINESS TRAVEL: MITIGATING RISK FOR YOUR EMPLOYEES
by Michael F. Savicki

Michael F. Savicki (michael.savicki@amexgbt.com) is Vice President for Risk, Compliance & ESG—The Americas, and Global Head of Privacy & Commercial Compliance at American Express Global Business Travel.

The disruption of recent months has forced companies around the world to rewrite business plans and alter operations. Perhaps most significant has been the unprecedented migration of workers to virtual, work-from-home environments, necessitated by travel restrictions and the widespread lockdown of citizens. But as the rules curtailing people’s movement are eased, much has been written and said about the best way to get people back to their offices.
   One topic not discussed as much as it should be is the return of business travel. While the number of flight bookings remains generally low, there has been a recent uptick in some locations. In October 2020, for example, more than a million passengers passed through the Transportation Security Administration checkpoints for the first time since the lockdown began.1 Companies, therefore, would be well advised to start preparing.

Update your travel policy
In the past, travel policy reviews commonly took place once a quarter, or even once a year. Today, employers need processes that enable a regular review and update of their travel policy. While doing so, companies must understand the need to protect both the well-being of employees and their own corporate reputation. For example, employers may insist all employees use masks or facial coverings for air and rail travel regardless of whether it is mandated by the operator or relevant authority. At the same time, a company could allow a business traveler to book an airline that employs an open middle seat policy even if it’s not the lowest fare available on a particular route. In the policy update, employers could also stress the need to follow the
Centers for Disease Control and Prevention (CDC) best practice guidance for overnight hotel stays and dining out while traveling.

Monitor government mandates prior to booking
Federal, state, and local governments have responded to COVID-19 with restrictions designed to stop the spread. These requirements continue to change on a regular basis. For example, certain states in the northeast of the United States have enacted mandatory two-week quarantine requirements for travelers from the majority of other states, and all nonessential travel remains prohibited between the US, Canada, and Mexico. The CDC, on the other hand, recently announced a more nuanced approach by indicating that it will no longer require all flights carrying airline passengers arriving from, or those who recently had a presence in, mainland China, Iran, the Schengen region of Europe, the UK/Ireland, and Brazil to land at one of 15 designated US airports and will halt enhanced entry health screening for these passengers.2 Instead, the CDC indicated that it would be implementing a new enhanced risk-mitigation strategy to reduce the risk of travel-related disease transmission by prioritizing other public health measures, including (i) increased education and outreach, (ii) contact tracing, (iii) increased testing, and (iv) post-arrival recommendations for monitoring and potential quarantine, among other activities.
   Accordingly, employers must

approval process in place prior to booking. Because these regulatory developments are constantly evolving, global travel management companies (TMCs) are uniquely placed to help travel managers keep travel policies current while making sure travelers stay well informed prior to and during their business trip.

Monitor travelers while traveling
Employers should be particularly mindful of their duty of care obligations for their travelers, as there are many areas to address. For starters, employers should strongly encourage travelers to book travel within the company’s existing tools and policies and provide personal protective equipment or ensure that the selected supplier will do so for the journey. Employers should also, either directly or via their TMC, ensure their travelers are fully aware of all risk-mitigation best practices while traveling. For example, the US government, via the departments of Transportation, Homeland Security, and Health & Human Services, issued nonbinding guidance that highlighted best practices and key mitigation strategies for travelers, airlines, and airports.3 The guidance stressed the need for individual traveler education, face masks or facial covering throughout the journey, and use of apps to facilitate contactless travel to the greatest extent possible.
   In addition, an employer’s global security team or TMC should

to contact their travelers and will need immediate access to this information. Finally, if an employee falls ill during a trip, employers will need the right insurance and a way to efficiently repatriate the individual.

Communicate with employees following the trip
After a traveler returns home, employers should have a documented process for employees to report any illness prior to returning to the office. If an employee returns from the trip feeling ill or with potential symptoms, employers should encourage them to seek medical assistance and/or quarantine.

Stay on top of the requirements
At its core, business travel is a force for good. The restart of travel will accelerate the economic
make sure travelers can access         have tools that locate employees       recovery needed to get the world
up-to-date information about travel    traveling on business, such as         moving again. Employers should
restrictions, including border         tracing corporate card swipe data      be aware and mindful of the
closures, entry requirements, and      or geo-tracking via a mobile app       various government and supplier
quarantine measures, in addition       on a company device. Should an         requirements, develop internal
to having a documented internal        event occur, employers will want       policies and procedures, and

                                                                                                                   CEP 17
Feature

partner with an experienced global TMC to support the end-to-end business travel experience for their travelers. CEP

About the author
Prior to joining American Express GBT, Michael F. Savicki was senior attorney – compliance & corporate governance at Sikorsky Aircraft Corporation; secondee counsel at Deutsche Bank’s Litigation and Regulatory Enforcement Group; and senior litigation associate at Fried, Frank, Harris, Shriver & Jacobson LLP. He began his legal career as a law clerk at the United States Second Circuit Court of Appeals. He is a graduate of Tulane Law School and Connecticut College and a member of the Connecticut, Massachusetts, and New York state bars. This article reflects his personal views.

Endnotes
1. Transportation Security Administration, “TSA screens over 1M passengers on a single day for the first time since March,” news release, October 19, 2020, https://bit.ly/3lkWQVV.
2. Centers for Disease Control and Prevention, “Federal Government Adjusts COVID-19 Entry Strategy for International Air Passengers,” news release, September 9, 2020, https://bit.ly/3lcQbxe.
3. U.S. departments of Transportation, Homeland Security, and Health & Human Services, Runway to Recovery: The United States Framework for Airlines and Airports to Mitigate the Public Health Risks of Coronavirus, July 2020, https://bit.ly/36j2gdV.

  Takeaways
  ◆ Governments have responded to COVID-19 with various restrictions designed to stop the spread. These
    requirements continue to evolve.
  ◆ Considering the increase of air travelers passing through security checkpoints, companies should develop
    the end-to-end business travel experience for their travelers.
  ◆ Organizations’ travel policies need to be regularly reviewed and updated to protect both the well-being of
    employees and their own corporate reputations.
  ◆ A documented internal approval process should be in place prior to booking and provide employees with up-to-date travel requirements, including border closures and quarantine measures.
  ◆ Employers should be mindful of their duty of care obligations and require travelers to book using the
    company’s tools and policies for oversight purposes.

18 CEP
The other side of the story

Operation Car Wash affects compliance programs
by Shin Jae Kim

Shin Jae Kim, CCEP, CCEP-I (skim@tozzinifreire.com.br) is the head of the Compliance & Investigation practice at TozziniFreire Advogados in São Paulo, Brazil.

Petrobras was under the spotlight of Operation Car Wash — an unprecedented corruption scandal in Brazil. Once a beloved Brazilian company, Petrobras suffered a big hit, and its market value was reduced dramatically. Failures and weaknesses of its internal controls to prevent and detect ethical deviations became evident. To rebuild its reputation and market trust, Petrobras went through a transition phase and has been investing in the implementation of an effective corporate governance system and improvement of its compliance program.

Marcelo Zenkner, chief governance and compliance officer of Petrobras, told me that, in response to the facts disclosed in Operation Car Wash, Petrobras had to work fast to mitigate risks by creating a robust compliance system, which included new controls and procedures. This phase generated the perception by some of increased bureaucracy and loss of agility. In a second phase, the company moved to an effective integrity system, where compliance became instilled in every employee in the company.

Another initiative adopted by Petrobras is third-party due diligence. This procedure scores third parties based on integrity risk, or Grau de Risco de Integridade (GRI), and attributes low, medium, and high GRIs to potential suppliers. The result of this GRI assessment is used by Petrobras to select third parties for, or ban them from, public tenders conducted by Petrobras. If a company is attributed a high GRI score, the company is automatically blacklisted from participating in public tenders and cannot be selected as a Petrobras supplier. If this is the case, however, the company may still choose to present further information and evidence of its compliance program and/or remediation of red flags identified during the integrity due diligence to have its GRI score reviewed.

Recently, many companies have been seeking judicial measures against Petrobras’ blacklisting as a result of a high GRI.1 Courts (both judicial and administrative bodies)2 have ruled both in favor of and against the GRI system adopted by Petrobras, but the matter has not yet been addressed by Brazilian high courts, and it is too early to predict what the majority position will be in this regard. Certainly, this new procedure adopted by Petrobras will have a domino effect on its supply chain, particularly on the implementation of strong compliance programs. CEP

Endnotes
1. Robson Bonin, “Petrobras rejects contractors for ‘high integrity risk,’” Veja, updated October 17, 2020, https://bit.ly/38D4gAn.
2. Valor Econômico, “Justice puts Petrobras Compliance in check,” Meritum, October 24, 2018, https://bit.ly/3pjWG3A.

                                                                                                                                                                         CEP 19
PROTECTING CORPORATE DATA IN THE WORK-FROM-HOME ERA
by Melody Haase

Melody Haase (melody@4discovery.com) is the Head of Client Success at 4Discovery, a digital forensics firm based in Chicago. LinkedIn: /in/melodyannhaase

Work restrictions created by COVID-19 forced companies worldwide to quickly adopt technologies and fundamentally change the way they do business. In October 2020, McKinsey & Company released the results of a survey that showed companies exponentially adopted digital technologies to do business, and these same companies do not expect that to change.1 However, in a rush to adopt new technologies during a crisis, companies were often focused on business continuity rather than security.

Security companies around the globe have reported increases in ransomware, data breaches via email, and unauthorized access to systems. Data breaches of all shapes and sizes can fundamentally impact a company’s ability to do business and/or its reputation. Many articles about data security are focused on outrageous statistics and horror stories of businesses shutting their doors because of a security incident. Rather than focusing on scary statistics and costly solutions, this article will focus on general security concepts and some common things companies can do to enhance corporate data privacy during the work-from-home era. By the end of this article, readers will be better informed and more prepared to take the next steps to protect corporate data.

Understanding the threat landscape
Security threats can largely be placed into two categories: internal threats and external threats. Internal threats typically arise because of some sort of employee behavior, whether intentional or not. This can take many forms, such as an employee who becomes the victim of a phishing attack, a rogue employee who steals data, or an employee who carelessly leaves

20 CEP

sensitive files in an unsecured location. External threats are actors outside the organization who aim to gain access to corporate systems and data. Typically, they gain access to systems by leveraging poor security practices, malware, or exploits. Luckily, many of the tools used to thwart bad actors can be used to mitigate both internal and external threats.

Additionally, every company has different clients, employee bases, and thresholds for risk tolerance. This can affect how each company views security. There is an age-old debate in the security industry about security vs. convenience. For those promoting security, there is a push for more protections and steps to access systems. For those who promote convenience, there is a push for less security to make systems easier to access for the sake of business convenience. However, there are always implications to these decisions that may require companies to change the way they do business.

A great example of how to think about security vs. convenience is the practice of blacklisting IP addresses by country. Blacklisting is the process of blocking items. In the context of IP addresses, it means that you can choose to block all IP addresses coming into your systems from hacking hotspots like Russia or China. If a company only does business inside of the United States and only has employees inside of the United States, it may be a feasible option to turn off the rest of the world’s IP address range. However, it may be more complicated and less feasible for a global business to employ these same policies to reduce risk because it may affect its ability to provide system access to its customers and employees.

Physical security has drastically changed
Before COVID-19, companies were accustomed to all of the physical and environmental security in their facilities. Security cameras were online to monitor physical activities inside of locations. Badge access was required to enter buildings. Shredding boxes were placed around locations to ensure sensitive data was disposed of properly. Printers asked for passwords before printing to prevent the wrong person from picking up sensitive documents. Locked file cabinets were housed in offices to prevent access to sensitive files. Doors were placed on offices and conference rooms to prevent people from hearing confidential phone calls.

Work from home has completely upended the physical security environment. When COVID-19 hit, many individuals were not prepared to work from home. Many people did not even have workstations or desks. Many homes do not have security cameras or require badge access. Shredding, printers with password access, and locked file cabinets are likely not available. Spouses often share workspaces and hear each other’s conversations. If the company is allowing Bring Your Own Device (BYOD), it also means that the computer being used for work may or may not have shared access between numerous individuals in the house. While companies may not be able to control this environment, they can, at a minimum, provide training to employees, as well as provide them with more secure ways to access systems.

Security requires a shift in mindset
In order for companies to transition traditional security practices to work from home, more emphasis must be placed on giving employees tools to be successful with their personal security, including training them on basic security practices. Many corporate security exercises contain information about and examples explaining what to do inside of an office and the corporate environment. However, this training typically does not include information on keeping data secure in an unsecured environment like a typical home setting.

Training should be changed to focus on the employee’s home security practices and how they relate to corporate data security. Some items employees should be educated on are:
◆ Changing standard settings on routers and modems;
◆ Checking and strengthening security settings on their operating systems, web browsers, and other applications;
◆ Limiting the number of applications they install to prevent application-level security issues;
◆ Creating unique usernames and passwords for devices and accounts that house corporate data;
◆ Spotting phishing and malware attack threats that they may encounter;
◆ Protecting physical access to devices containing corporate data;
◆ Disposing of documents in line with corporate policies; and
◆ Reporting security incidents to the appropriate parties.

Employees should be reminded of security often. They must be reminded that they are constantly interacting with confidential

                                                                                                             CEP 21

corporate data and should act accordingly. If the company has a corporate newsletter or bulletin, dedicating a portion of it to security practices can be extremely beneficial. It can help reinforce the items learned during training as well as provide employees updates about changes in the corporate security environment.

A primer on BYOD
At the beginning of COVID-19, many employees who typically worked in secure corporate environments were sent home to work on home computers, personal cell phones, and home networks. From a security standpoint, BYOD is not recommended. It is a great area of risk, and policies and practices related to BYOD are riddled with issues. There are simply too many variations on BYOD for an in-depth analysis in this article. However, because of BYOD’s risk, it is necessary to stop and consider it as part of a general security plan.

These personal devices often have no form of mobile device management or data loss prevention software installed on them, both of which provide an extra layer of protection to corporate data and accounts by allowing corporate information technology (IT) to have some administrative oversight of the device and the data contained on the device. When companies allow individuals to use their own devices for work without any protections, the company ultimately loses control of that device and the data stored on it.

Because the employee owns the device and controls access to the device, it becomes complicated and can even become a legal battle to perform basic functions such as protecting data for litigation holds and retrieving data for internal investigations. Similarly, employees control security patches and have the ability to install whatever software they want. This can allow insecure devices to connect to corporate infrastructure and create additional security incidents. Most importantly, employees can commingle personal and professional data on any of their devices and accounts.

Often, BYOD policies, processes, and procedures do not require employees to sign a declaration certifying they have deleted corporate data from the device and/or their personal accounts upon the termination of their employment. This declaration is beneficial to collect in the event of litigation over theft of corporate data. At a minimum, every company should stop and consider its current BYOD practices, conduct a risk assessment regarding the safety and security of the data accessed by BYOD users, check if its policy is currently updated for COVID-19-related activities, and ensure the policy addresses how to retrieve and/or certify the destruction of corporate data at the end of the work-from-home period or upon termination of employment.

Security starts at the top
While the first part of this article focused on employees and the home environment, the major component of corporate security comes from within. Corporate security is best implemented, practiced, and enforced when it comes from the highest leadership levels. Communication about security and buy-in needs to happen at all levels of the organization to ensure that all security policies and practices are followed. How do you create a culture of security?

Start by conducting an assessment of your policies and procedures. Each of them needs to be updated to adjust for employees who are now potentially working in unsecured areas using unauthorized equipment and accounts. Simultaneously, the incident response playbook should be reviewed and updated to ensure parties still have a streamlined way to respond to incidents. Once updated, these policies and procedures should be redistributed to employees for review.

This should all be pushed out with an enhanced work-from-home training program as described above. Provide employees with common examples of security mistakes, how they affect the business, and how they could have been prevented with stronger security practices. These exercises do not need to be extravagant. Simply focus on the most important areas of data security for your organization.

A cycle of continuous security improvement
A security assessment of the organization’s current technology environment needs to be conducted. Network infrastructure, individual devices, and online accounts all have potential security issues that need to be checked. At 4Discovery, most of the security incident response cases we have worked on thus far had a simple root cause, such as a security setting that was never changed when a system was implemented, a system that was unpatched, or reusing an administrator username and password throughout an entire infrastructure.

22 CEP

IT should constantly be in a cycle of continuous security improvement as a common course of practice. Below are some helpful practices to combat common weaknesses used by attackers to gain access to systems.

Take password protection seriously
One of the most common methods used in data breaches is password compromise. Ensure all default administrator usernames and passwords have been changed for off-the-shelf devices. Create unique administrative usernames and passwords for individual pieces of infrastructure. All accounts must require strong passwords that are long and use a variety of characters. Along those same lines, password changes should be mandatory on a routine basis to prevent any user credentials that may have appeared in past data breaches from being used to access systems.

Use multifactor authentication everywhere possible
Multifactor authentication (MFA) should be required for all accounts that have the option. MFA is the process by which a user needs at least two things to enter a system. Some commonly used forms of MFA are two-factor authentication text message codes and hardware- or software-based tokens. While two-factor authentication text codes are not recommended as a best practice for MFA, simply having them in lieu of nothing adds an additional layer to account security.

Employ the POLP
Simply looking at all of the account settings in systems and evaluating them using the principle of least privilege (POLP) can help immensely when strengthening systems. POLP simply means that individual users only need, and thus should only have access to, the least amount of system access necessary to perform a task. Reducing people’s access to systems and data limits the ability of bad actors to move throughout corporate systems using their accounts. It also hinders rogue employees who may attempt to access and exfiltrate confidential data.

Control all programs and settings
Use gold images and control the device from the start. Gold images are the standard settings and programs that are deployed on corporate assets. By using a gold image, IT can more quickly set up new machines while customizing settings to least privileges before deployment. When creating a standard, think about how much of the internet employees need to access. Do they need the ability to install software, and are they going to need to plug in USB devices? These are all common ways people exfiltrate data and attempt to cover their tracks. You can also combine this practice with POLP role-based permissions, common data loss prevention software, and/or device management solutions to maintain more control over the devices and data.

Interrogate and harden all default settings
Many systems and applications come with minimal security settings for the sake of convenience for the average user while sacrificing some security. This is done with the expectation that the user or administrator will strengthen the settings as necessary. This can be as simple as ensuring the firewall is not speaking to the entire internet, making applications ask for camera and microphone permission, and turning on logging and monitoring. The goal is to prevent bad actors from having easy access and provide IT with the tools they need to monitor attacks.

Continuously update systems
Setting a routine software update schedule every week is crucial. As an example, WannaCry and other ransomware forms were able to spread throughout the globe because systems went without patches for over two months. Years later, many systems still had not applied the patch Microsoft issued in March of 2017.2 If companies had taken the proactive steps to fix their systems, the vulnerability would have been patched, and system access never would have occurred.

Encrypt traffic with a VPN
While an organization may not be able to control an employee’s home router settings, it can provide a safe way for its

                                                                                                                  CEP 23
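The practices on this page (changing default administrator credentials, not reusing one admin credential across infrastructure, a strong password policy with routine rotation, MFA wherever it is supported, and weekly patching) turned into a small inventory audit. This is an added example written for this page, not code from the article or from 4Discovery; the thresholds, the default-credential list and the three-asset inventory are all constructed assumptions.

```python
"""Audit a constructed asset inventory against the practices the article lists."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, NamedTuple, Optional
import hashlib

# Thresholds are assumptions chosen for this example; the article itself only says
# "long", "a variety of characters", "routine basis" and "every week".
MIN_PASSWORD_LENGTH = 14
MIN_CHARACTER_CLASSES = 3          # out of upper, lower, digit, symbol
MAX_PASSWORD_AGE_DAYS = 90
MAX_DAYS_SINCE_PATCH = 7           # weekly update schedule
CRITICAL_PATCH_GAP_DAYS = 60       # WannaCry hit systems unpatched for over two months
SAMPLE_TODAY = date(2020, 10, 1)   # constructed audit date

# Constructed sample of vendor default logins that must not survive deployment.
DEFAULT_CREDENTIALS = [("admin", "admin"), ("admin", "password"), ("root", "root")]


def credential_fingerprint(user: str, password: str) -> str:
    """SHA-256 of user:password, so the inventory never stores plaintext secrets."""
    return hashlib.sha256(f"{user}:{password}".encode()).hexdigest()


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    required_classes: int
    max_age_days: Optional[int]    # None means rotation is never enforced


@dataclass(frozen=True)
class Asset:
    name: str
    admin_user: str
    admin_fingerprint: str         # fingerprint of the admin credential in use
    mfa_capable: bool
    mfa_enabled: bool
    policy: PasswordPolicy
    last_patched: date


class Finding(NamedTuple):
    asset: str
    check: str
    severity: str
    detail: str


def audit(assets: List[Asset], today: date) -> List[Finding]:
    """Return one Finding per weakness, in inventory order."""
    findings: List[Finding] = []
    default_prints = {credential_fingerprint(u, p) for u, p in DEFAULT_CREDENTIALS}
    first_seen: Dict[str, str] = {}  # fingerprint -> asset, to catch reused admin logins
    for a in assets:
        if a.admin_fingerprint in default_prints:
            findings.append(Finding(a.name, "default-credentials", "high",
                                    f"admin account '{a.admin_user}' still uses a vendor default"))
        if a.admin_fingerprint in first_seen:
            findings.append(Finding(a.name, "shared-admin-credential", "high",
                                    f"same admin credential as {first_seen[a.admin_fingerprint]}"))
        else:
            first_seen[a.admin_fingerprint] = a.name
        if a.mfa_capable and not a.mfa_enabled:
            findings.append(Finding(a.name, "mfa-disabled", "medium",
                                    "MFA is supported but not required"))
        gaps = []
        if a.policy.min_length < MIN_PASSWORD_LENGTH:
            gaps.append(f"min length {a.policy.min_length} < {MIN_PASSWORD_LENGTH}")
        if a.policy.required_classes < MIN_CHARACTER_CLASSES:
            gaps.append(f"requires {a.policy.required_classes} character classes")
        if a.policy.max_age_days is None or a.policy.max_age_days > MAX_PASSWORD_AGE_DAYS:
            gaps.append("no routine rotation")
        if gaps:
            findings.append(Finding(a.name, "weak-password-policy", "medium", "; ".join(gaps)))
        since_patch = (today - a.last_patched).days
        if since_patch > CRITICAL_PATCH_GAP_DAYS:
            findings.append(Finding(a.name, "patch-overdue", "high", f"{since_patch} days since last patch"))
        elif since_patch > MAX_DAYS_SINCE_PATCH:
            findings.append(Finding(a.name, "patch-overdue", "medium", f"{since_patch} days since last patch"))
    return findings


def sample_inventory() -> List[Asset]:
    """Constructed inventory: a router on vendor defaults, a clean file server,
    and a VPN gateway that reuses the file server's admin credential."""
    strong = PasswordPolicy(min_length=14, required_classes=3, max_age_days=90)
    lax = PasswordPolicy(min_length=8, required_classes=1, max_age_days=None)
    shared_print = credential_fingerprint("ops-admin", "Example-Passphrase-For-Demo-1!")
    return [
        Asset("edge-router", "admin", credential_fingerprint("admin", "admin"),
              False, False, lax, date(2020, 6, 1)),
        Asset("file-server", "ops-admin", shared_print, True, True, strong, date(2020, 9, 28)),
        Asset("vpn-gateway", "ops-admin", shared_print, True, False, strong, date(2020, 9, 15)),
    ]


def sample_findings() -> List[Finding]:
    """Run the audit on the constructed inventory as of SAMPLE_TODAY."""
    return audit(sample_inventory(), SAMPLE_TODAY)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"[{f.severity:6}] {f.asset:12} {f.check:24} {f.detail}")
```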