WHISTLEBLOWING IN THE INTERNATIONAL CONTEXT - PowerPoint PPT Presentation

1
WHISTLEBLOWING IN THE INTERNATIONAL CONTEXT
  • Meeting the requirements of inconsistent
    international norms
  • Steven A. Lauer
  • Nick Ciancio
  • October 7, 2009

2
Lumen Legal Consulting
  • Assists corporate law departments to maximize the
    value that they realize from their expenditures
    for outside legal service
  • Works with law departments on all aspects of the
    management of corporate legal service, including
    counsel selection and management, strategic
    planning, use of technology, deployment of
    internal and external resources,
    compliance-program involvement

3
Steven A. Lauer
  • Principal Value Consultant, Lumen Legal
    Consulting
  • Over 16 years as in-house counsel
  • Ten years as consultant to law departments on
    management and compliance issues
  • Frequent speaker and author on law department
    management, relationships between in-house and
    outside counsel, compliance
  • Vice Chair, ABA Section of Business Law's
    Corporate Counsel Committee
  • Vice Chair, ABA Section of Business Law's
    Corporate Compliance Committee
  • Subcommittee chair, ACC Compliance and Ethics
    Committee

4
GLOBAL COMPLIANCE OVERVIEW
  • Global Compliance is a leading provider of
    integrated Governance, Risk Management, and
    Compliance (GRC) solutions with a significant
    base of blue-chip clients worldwide
  • Our solutions include
  • Expert advisory services
  • Training and education
  • Issue management and reporting solutions
  • Insight (data) and benchmarking
  • The industry's only comprehensive end-to-end
    compliance solution
  • We are uniquely able to serve the compliance
    needs of every customer
  • Providing mid-market and small clients with a
    one-stop, on-demand compliance solution with
    simple pricing and delivery
  • Offering global clients our issue management
    software and other point solutions

5
GLOBAL COMPLIANCE OVERVIEW
  • Expert and most experienced
  • 4,000 customers currently serviced across diverse
    industries, including 50 of the Fortune 100
  • 25 million end users supported and managed
    worldwide
  • Global
  • Over 200 countries represented by current client
    portfolio
  • 150-language capability
  • Nearly 25 of the Global 500 in long-standing
    customer relationships
  • Fully compliant European data center
  • Most comprehensive and integrated solutions
  • Fully outsourced compliance program capability
  • Best in class point solutions (continuously
    updated)
  • Largest proprietary insight and benchmarking
    database
  • 2 million Alertline hotline calls and web
    reports handled, tracked and trended
  • Over 1,000 industry specific groups analyzed
  • Hundreds of thousands of international business
    ethics surveys conducted and tabulated

6
Nick Ciancio
  • Senior Vice President, Marketing and Business
    Development. Within the ethics and compliance
    industry, Nick serves on the Open Compliance and
    Ethics Group's (OCEG's) Hotline Working Group
    panel, and is an active participant with the
    Society of Corporate Compliance and Ethics (SCCE)
    as well as the Ethics and Compliance Officer
    Association (ECOA). He is a frequent speaker on
    U.S. and international corporate ethics and
    compliance conference agendas, and he served on
    the advisory committee for the Ethics Resource
    Center's 2007 National Business Ethics Survey.
  • Nick possesses more than 20 years' experience in
    senior marketing and business development
    positions in the telecommunications and
    technology industries. Nick holds a Master of Arts
    in Statistics from Pennsylvania State University
    and a Bachelor of Science and Master of Science
    in Mathematics from the University of
    Massachusetts. Nick also earned a Certificate in
    Business Ethics from Colorado State University.

7
U.S. perspective
  • Personal information prospectively protected by
    federal law only in certain contexts/industries
  • Healthcare (HIPAA Privacy Rule)
  • Consumer finance (Gramm-Leach-Bliley)
  • Social security numbers
  • State security-breach laws (after the fact)
  • California the first
  • Massachusetts recently adopted broader
    protections
  • Civil suits to enforce common-law rights
    (invasion of privacy, etc.)

8
International perspective
  • Personal information protected regardless of
    context
  • European Union Directive 95/46/EC
  • APEC principles
  • Canada's Personal Information Protection and
    Electronic Documents Act (PIPEDA) (supplemented
    by provincial statutes)
  • Concern over personal information transferred to
    jurisdictions (like the U.S.) that do not provide
    adequate protection
  • Historical/social concerns

9
The EU legal structure - Directive 95/46/EC
  • Implements the right of protection of personal
    data enshrined in the Charter of Fundamental
    Rights (see Art. 8)
  • Established jurisdictional basis for EU member
    states to enact country-specific data-protection
    legislation
  • Created Working Party on the Protection of
    Individuals to contribute to the uniform
    application of such national measures as
    adopted by member states
  • As to data collection, the Directive requires
    legitimacy, data quality, and proportionality

10
Some relevant definitions
  • Controller: "the natural or legal person,
    public authority, agency or any other body which
    alone or jointly with others determines the
    purposes and means of the processing of personal
    data"
  • Processor: "a natural or legal person, public
    authority, agency or any other body which
    processes personal data on behalf of the
    controller"
  • Data subject: "an identified or identifiable
    natural person" who can be identified, "directly
    or indirectly, in particular by reference to an
    identification number or to one or more factors
    specific to his physical, physiological, mental,
    economic, cultural or social identity"

11
EU member states
  • Within the general construct established by the
    Directive, member states can adopt data
    protection laws with some country-specific
    variation
  • Member states' data protection authorities (DPAs)
    enforce their laws
  • Some DPAs are more enforcement oriented than
    others, utilizing audits and other investigative
    techniques
  • Social concerns and historical perspective

12
Some variations among member states (regarding
hotlines)
  • Permissible scope of allegations
  • Anonymity of hotline callers
  • Transfer of hotline reports to outside EU
  • Deletion or retention of personal information

13
Permissible scope of allegations
  • For most EU member states, limited to allegations
    relating to accounting, auditing and internal
    financial controls, with a catchall relating to
    serious acts (whatever that might mean)
  • Spain allows allegations involving internal or
    external topics or rules, the violation of which
    could have an actual impact on the maintenance of
    the contractual relationship between the company
    and the person incriminated.

14
EU Allegations
  • Antitrust or Fair Trading
  • Destruction of Business records
  • Espionage or Sabotage
  • Falsification of Financial Records
  • Falsification of Travel and Expense Reports
  • Gifts, Bribes or Kickbacks
  • Misrepresentation of Information
  • Trading on Insider Information
  • Other

15
Anonymity of callers
  • EU member states dislike anonymous reports of
    violations of law or, even more, internal codes
    of conduct
  • The Art. 29 Working Party negotiated with the SEC
    to permit a limited degree of anonymity to allow
    for compliance with SOx
  • Spain stated that procedures guaranteeing the
    confidentiality processing of reports filed
    through the system must be established, so that
    the existence of anonymous reports is avoided.

16
EU concern regarding anonymity
  • "I am personally keen to underline that this
    assessment must be read in the specific European
    context. It is certainly useful at this stage to
    recall that anonymous reporting evokes some of
    the darkest times in recent history on the
    European continent, whether during World War II
    or during more recent dictatorships in Southern
    and Eastern Europe. This historical specificity
    makes up for a lot of the reluctance of EU Data
    Protection Authorities to allow anonymous schemes
    being advertised as such in companies as a normal
    mode of reporting concerns."

Letter dated July 3, 2006, from Peter Schaar,
Chair, Art. 29 Working Party, to Ethiopis Tafara,
Director, SEC's Office of International Affairs
(page 3)

17
Transfer of reports outside EU
  • Transfers outside the EU must satisfy the
    Directive, generally through one of three
    mechanisms
  • To a data processor registered on Safe Harbor (in
    the U.S.)
  • By means of an acceptable data transfer agreement
    (the EU has approved standard clauses)
  • By means of binding corporate rules
  • Austria ruled that personal information in
    reports can be transferred only if the reports
    relate (a) to decision makers and (b) to
    serious issues

18
Deletion or retention of data
  • The Directive states that data which permits
    identification of data subjects must be kept
    "for no longer than is necessary for the purposes
    for which the data were collected or for which
    they are further processed"
  • Art. 29 Working Party interprets this generally
    as a two-month limitation
  • Can be kept for further proceedings in progress
    (e.g., discipline, litigation)

19
Satisfying the deletion requirements of EU data
protection law

20
Step 1 - Search

21
Step 2 - Select Reports

22
Step 3 - Select Fields

23
Step 4 - Review and Sanitize

24
Results

Rights of data subjects
  • Right of access to data (Art. 12)
  • Confirmation of whether personal data have been
    or are being processed
  • Rectification, erasure or blocking of
    noncompliant processing
  • Notification of third parties to whom personal
    data have been disclosed
  • Right to object (Art. 14) to processing of
    personal data on compelling legitimate grounds
    relating to his particular situation

26
Controller and processor
  • The controller is responsible for compliance with
    the Directive and member states' data protection
    statutes
  • The controller may delegate data processing to
    another, but the processing must be governed by
    a contract or legal act binding the processor to
    the controller
  • The processor shall act only on instructions
    from the controller

27
Problematic issues
  • Personal information that is subject to discovery
    in the United States (either by government
    investigation or civil process): EU DPAs have
    expressed concern, and data subjects have rights
    under the Directive
  • Can information received via a hotline be
    privileged?
  • Workers' rights under EU labor laws (e.g., works
    councils)

28
Adapting Your Awareness and Education Program
  • Code of Conduct
  • Program Awareness (is active promotion
    allowed?)
  • Allegation types
  • Reporting mediums (hotline, web, internal
    channels, Works Councils)
  • Anonymity
  • Whistleblower protection
  • Translations / local language
  • Training and certification

29
Program Implementation
  • Provisioning phone lines
  • ITFS where available
  • Country-specific, in-language greetings and
    prompts
  • Websites
  • Separate sites with country-specific text and
    instructions
  • In-language
  • Allegation Categories
  • Broad versus narrowed financial-based
  • Case Management
  • Permission-based functionality
  • Translation capabilities for case investigation
    and response to reporter
  • Reporting
  • Transactional or summary reporting
  • Ability to segregate by country or enterprise-wide

30
Data Management
  • Ability to block / restrict closed cases
  • Ability to sanitize or delete specific
    information fields
  • Permission-based access to specific information
    fields and to specific functionality within Case
    Management System
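Slides 18 through 24 and slide 30 describe the retention rule (identifying data kept no longer than necessary, read by the Art. 29 Working Party as roughly two months, unless proceedings are in progress) and the search / select reports / select fields / sanitize workflow, with closed cases blocked from ordinary access. The Python below is an added illustration of that logic over constructed sample reports; it is not the presentation's or Global Compliance's code, and the 60-day limit, the field names and the status values are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed numeric reading of the "two-month" limit on slide 18; the applicable
# member-state DPA guidance decides the real figure.
RETENTION_DAYS = 60
# Assumed (constructed) names of the fields that identify a data subject.
IDENTIFYING_FIELDS = ("reporter_name", "reporter_email",
                      "subject_name", "subject_email")
REDACTED = "[deleted]"
DEMO_DATE = date(2009, 10, 7)  # the presentation date, used as "today"


@dataclass
class HotlineReport:
    report_id: str
    received: date
    status: str           # assumed values: "open", "closed", "proceedings"
    fields: dict
    blocked: bool = False  # closed cases are blocked from access (slide 30)


def is_due_for_sanitization(report: HotlineReport, today: date) -> bool:
    """Identifying data may outlive the limit only while further
    proceedings (discipline, litigation) are in progress (slide 18)."""
    if report.status == "proceedings":
        return False
    return today - report.received > timedelta(days=RETENTION_DAYS)


def sanitize_expired(reports, today):
    """Steps 1-4: search all reports, select those past the limit, select
    the identifying fields and sanitize them in place. Non-identifying
    fields (e.g. the allegation category) are kept. Returns an audit log
    of (report_id, fields cleared) so the deletion itself can be reviewed."""
    log = []
    for r in reports:
        if r.status == "closed":
            r.blocked = True
        if not is_due_for_sanitization(r, today):
            continue
        cleared = [k for k in IDENTIFYING_FIELDS
                   if r.fields.get(k) not in (None, REDACTED)]
        for k in cleared:
            r.fields[k] = REDACTED
        if cleared:
            log.append((r.report_id, cleared))
    return log


def sample_reports():
    # Constructed sample data: one stale closed case, one case with
    # proceedings in progress, one recent open case.
    return [
        HotlineReport("R1", date(2009, 7, 1), "closed",
                      {"reporter_name": "A. Reporter", "subject_name": "B. Subject",
                       "category": "Gifts, Bribes or Kickbacks"}),
        HotlineReport("R2", date(2009, 7, 1), "proceedings",
                      {"reporter_name": "C. Reporter", "subject_name": "D. Subject"}),
        HotlineReport("R3", date(2009, 9, 20), "open",
                      {"reporter_name": "E. Reporter", "subject_email": "e@example.com"}),
    ]
```

Running `sanitize_expired(sample_reports(), DEMO_DATE)` clears only R1's two identifying fields; R2 is retained because proceedings are in progress and R3 is still within the limit.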

31
EU Countries with Data Protection Guidelines
  • United Kingdom
  • France
  • Germany
  • Netherlands
  • Belgium
  • Ireland
  • Spain

Responsibilities of an Outsourced Service Provider
  • Providing input and feedback to regulators on
    proposed guidelines and rulings
  • Spanish Guidelines
  • Communicating information about emerging
    guidelines/rulings to clients and assisting them
    in understanding how their programs will be
    impacted
  • Assisting with Certification and Authorization
    processes when required
  • Providing clear contractual terms as to how data
    is handled
  • Safe Harbor versus Model Clauses
  • Modifying existing client programs as new
    guidelines/laws are introduced
  • Evolving products and services to facilitate and
    automate compliance with country-specific
    guidelines and requirements

33
Thank you.
  • Questions?
  • Steve Lauer 877-933-1330, ext. 520
    slauer@lumenlegal.com
  • Nick Ciancio 866-434-7009
    nick.ciancio@globalcompliance.com