<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
     xmlns:content="http://purl.org/rss/1.0/modules/content/"
     xmlns:wfw="http://wellformedweb.org/CommentAPI/"
     xmlns:dc="http://purl.org/dc/elements/1.1/"
     xmlns:atom="http://www.w3.org/2005/Atom"
     xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
     xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
     xmlns:georss="http://www.georss.org/georss"
     xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#"
     xmlns:media="http://search.yahoo.com/mrss/">
    <channel>
        <title><![CDATA[Small Business - Danziger Shapiro, P.C.]]></title>
        <atom:link href="https://www.ds-l.com/blog/tags/small-business/feed/" rel="self" type="application/rss+xml" />
        <link>https://www.ds-l.com/blog/tags/small-business/</link>
        <description><![CDATA[Danziger Shapiro, P.C.'s Website]]></description>
        <lastBuildDate>Thu, 10 Jul 2025 21:57:46 GMT</lastBuildDate>
        
        <language>en-us</language>
        
            <item>
                <title><![CDATA[Justice Department Guidance on Corporate Compliance Programs]]></title>
                <link>https://www.ds-l.com/blog/justice-department-guidance-on-corporate-compliance-programs/</link>
                <guid isPermaLink="true">https://www.ds-l.com/blog/justice-department-guidance-on-corporate-compliance-programs/</guid>
                <dc:creator><![CDATA[H. Adam Shapiro]]></dc:creator>
                <pubDate>Tue, 18 Jun 2019 13:48:42 GMT</pubDate>
                
                    <category><![CDATA[Business Law]]></category>
                
                    <category><![CDATA[Business Litigation]]></category>
                
                    <category><![CDATA[Commercial Litigation]]></category>
                
                    <category><![CDATA[Internet Law]]></category>
                
                
                    <category><![CDATA[Business]]></category>
                
                    <category><![CDATA[compliance]]></category>
                
                    <category><![CDATA[compliance programs]]></category>
                
                    <category><![CDATA[Danziger Shapiro & Leavitt]]></category>
                
                    <category><![CDATA[department of justice]]></category>
                
                    <category><![CDATA[Doug Leavitt]]></category>
                
                    <category><![CDATA[employees]]></category>
                
                    <category><![CDATA[implementation]]></category>
                
                    <category><![CDATA[Small Business]]></category>
                
                    <category><![CDATA[third-party risk]]></category>
                
                
                
                <description><![CDATA[<p>The Justice Department Criminal Division recently released guidance on what it considers when deciding how a corporation’s compliance program factors into its investigation and the ultimate decision as to whether to bring charges, negotiate pleas or enter into other agreements with corporations under investigation. The Evaluation of Corporate Compliance Programs, released on April 30, 2019,&hellip;</p>
]]></description>
                <content:encoded><![CDATA[<div class="wp-block-image">
<figure class="alignright size-full"><img loading="lazy" decoding="async" width="340" height="340" src="/static/2019/06/department-40657__340.png" alt="Department of Justice Seal" class="wp-image-1179" srcset="/static/2019/06/department-40657__340.png 340w, /static/2019/06/department-40657__340-300x300.png 300w, /static/2019/06/department-40657__340-150x150.png 150w" sizes="auto, (max-width: 340px) 100vw, 340px" /></figure></div>


<p>The Justice Department Criminal Division recently released guidance on what it considers when deciding how a corporation’s compliance program factors into its investigation and the ultimate decision as to whether to bring charges, negotiate pleas or enter into other agreements with corporations under investigation. <a href="https://www.justice.gov/criminal-fraud/page/file/937501/download" target="_blank" rel="noopener noreferrer"><em>The Evaluation of Corporate Compliance Programs</em></a>, released on April 30, 2019, is an expansion of the <a href="https://web.archive.org/web/20190425144946/https:/www.justice.gov/criminal-fraud/page/file/937501/download" target="_blank" rel="noopener noreferrer">2017 guidance document</a> issued by the Criminal Division Fraud Section.</p>



<h2 class="wp-block-heading" id="h-prosecutors-must-ask-three-fundamental-questions">Prosecutors Must Ask Three Fundamental Questions</h2>



<p>Prosecutors will ask three fundamental questions to determine if a corporation’s compliance program was effective at the time of the offense and at the time of charging:</p>



<ol class="wp-block-list">
<li>Is the compliance program well-designed?</li>



<li>Is the compliance program being implemented effectively?</li>



<li>Does the compliance program work in practice?</li>
</ol>



<h2 class="wp-block-heading" id="h-is-your-compliance-program-well-designed"><strong>Is Your Compliance Program Well-Designed? </strong></h2>



<p><u>An Effective Compliance Program Identifies Specific Risks</u></p>



<p>An effective compliance program will be tailored to the specific risks affecting the company under investigation. Prosecutors will ask if the company identified its own “high-risk” areas, as well as the degree to which the program dedicates resources to monitor these areas. Even a well-designed program might not catch every event. Therefore, another important factor is whether, when an event is uncovered, the lessons learned are incorporated into the compliance program going forward.</p>



<p><u>Train Your Employees</u></p>



<p>Prosecutors will analyze how thoroughly and effectively a company has <a href="https://elearningindustry.com/facilitate-employee-compliance-training-busy-employees" target="_blank" rel="noopener noreferrer">trained its employees</a> on its compliance program. Companies should use real-life experiential training scenarios and case studies during employee training. Employees must know when, where and how to report suspected misconduct. Then, once an incident is reported, how does the company identify which complaints merit further investigation? What access is given to the individual investigating the complaint? Is this an employee or an independent outside agency? A well-designed compliance program will also make it clear that no employee retaliation will be tolerated.</p>



<p><u>Third-Party Risk</u></p>



<p>Just as you should be monitoring your employees, it is equally (if not more) important to take your <a href="https://www.hrdive.com/news/developing-an-effective-third-party-compliance-training-program/528520/" target="_blank" rel="noopener noreferrer">third-party vendors</a> into consideration when assessing high-level risks. Your company should be mitigating these risks by using appropriate contracts and agreements for outside work, and by doing regular due diligence and compliance training for third-party vendors.</p>



<h2 class="wp-block-heading" id="h-is-your-compliance-program-being-implemented-effectively"><strong>Is Your Compliance Program Being Implemented Effectively? </strong></h2>



<p>Prosecutors will analyze whether your compliance program is being <a href="https://www.ganintegrity.com/blog/how-to-monitor-the-effectiveness-of-your-compliance-program/" target="_blank" rel="noopener noreferrer">implemented effectively</a>. A company can spend countless hours developing a compliance program that looks and sounds great, but if, after the initial introduction to employees, it gets forgotten or completely ignored, then prosecutors will not look favorably on your company’s efforts. A successful compliance program must be woven into the fabric of the day-to-day culture from the top down.</p>



<h2 class="wp-block-heading" id="h-does-your-compliance-program-work-in-practice"><strong>Does Your Compliance Program Work in Practice?</strong></h2>



<p>The final question prosecutors will ask is whether the compliance program actually works in practice. Prosecutors will look into: (1) Was the investigation into the misconduct conducted in a timely manner? (2) Has the company completed a root cause analysis? (3) Can the program be tested in order to improve? Again, evolution is key here. Does your program have to be perfect? No; no risk will ever be 100% mitigated. However, a program that works in practice needs to have the ability to be updated built into its core.</p>



<p><strong>Take Away</strong></p>



<p>As you can see, the DOJ has shared valuable insight into what prosecutors look for when evaluating compliance programs. This is extremely valuable, and companies should take advantage of this intel and honestly self-assess whether their programs measure up. Companies that have well-thought-out and well-designed plans that are capable of evolving will fare better before the Criminal Division than those that do not. If you have any questions regarding your program or compliance in general, or any other aspect of your business, please feel free to contact us at <a href="/">Danziger Shapiro, P.C.</a><br><em>This entry is presented for informational purposes only and is not intended to constitute legal advice.</em></p>
]]></content:encoded>
            </item>
        
            <item>
                <title><![CDATA[EU’s GDPR Data Privacy Law Affects US Business]]></title>
                <link>https://www.ds-l.com/blog/eu-gdpr-data-privacy-law-us-business/</link>
                <guid isPermaLink="true">https://www.ds-l.com/blog/eu-gdpr-data-privacy-law-us-business/</guid>
                <dc:creator><![CDATA[H. Adam Shapiro]]></dc:creator>
                <pubDate>Wed, 21 Jun 2017 14:13:43 GMT</pubDate>
                
                    <category><![CDATA[Business Law]]></category>
                
                    <category><![CDATA[Internet Law]]></category>
                
                
                    <category><![CDATA[Business]]></category>
                
                    <category><![CDATA[Data Security]]></category>
                
                    <category><![CDATA[EU]]></category>
                
                    <category><![CDATA[European Union]]></category>
                
                    <category><![CDATA[GDPR]]></category>
                
                    <category><![CDATA[General Data Protection Regulation]]></category>
                
                    <category><![CDATA[Personal Data]]></category>
                
                    <category><![CDATA[Small Business]]></category>
                
                
                
                <description><![CDATA[<p>The General Data Protection Regulation, more commonly known as the GDPR, replaced an inconsistent country by country approach to how companies were required to handle the personal data of European Union (EU) residents. The EU Parliament approved the GDPR last month and all companies, including US companies, must be compliant by May 25, 2018 or&hellip;</p>
]]></description>
                <content:encoded><![CDATA[<div class="wp-block-image">
<figure class="aligncenter size-medium"><img loading="lazy" decoding="async" width="300" height="200" src="/static/2017/06/Working-on-Notes-2-e1498061991358-300x200.png" alt="o35ansa" class="wp-image-911" srcset="/static/2017/06/Working-on-Notes-2-e1498061991358-300x200.png 300w, /static/2017/06/Working-on-Notes-2-e1498061991358-768x512.png 768w, /static/2017/06/Working-on-Notes-2-e1498061991358.png 800w" sizes="auto, (max-width: 300px) 100vw, 300px" /></figure></div>


<p>The <a href="http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf" target="_blank" rel="noopener noreferrer"><em><strong>General Data Protection Regulation</strong></em></a>, more commonly known as the GDPR, replaced an inconsistent country-by-country approach to how companies were required to handle the personal data of European Union (EU) residents. The EU Parliament approved the GDPR last month and all companies, including US companies, must be compliant by May 25, 2018 or face heavy fines that can be up to 20 million euros or 4% of a company’s prior year worldwide revenue, whichever is higher. This is not a typo. Now that I have your attention, let’s break the GDPR down to two important questions.</p>



<h2 class="wp-block-heading" id="h-does-my-us-business-offer-goods-or-services-to-eu-residents-if-the-answer-is-yes-you-are-subject-to-the-gdpr">Does my US business offer goods or services to EU residents? If the answer is yes, you are subject to the GDPR.</h2>



<p>First, what is an EU resident? An EU resident is any individual who resides in any of the 28 member states that form the EU. This applies to anyone who resides in the EU. Citizenship is NOT required. Second, there is no requirement that the company offering the goods or services be located in the EU. All that is required is that the individual resides in the EU. The GDPR focuses on the EU resident, known as the “data subject”, and not the “data controller”. Consider the following: does your company have a website? If your website collects data from an EU resident, you fall under the purview of the GDPR regardless of whether you have a physical business location in the EU or whether any business transaction was consummated between your business and the EU resident. The mere surfing of a Pennsylvania business’s website by an EU resident makes your business subject to the GDPR.</p>



<h2 class="wp-block-heading" id="h-does-my-us-business-monitor-the-behavior-of-eu-residents-if-the-answer-is-yes-you-are-subject-to-the-gdpr">Does my US business monitor the behavior of EU residents? If the answer is yes, you are subject to the GDPR.</h2>



<p>Does your business engage in tracking or profiling the behavior of EU residents such that it uses such data to make business decisions or predict the personal preferences of EU residents? Stated more plainly for the non-tech-savvy individual, have you ever wondered why or how ads seem to pop up that relate to items you had recently searched for? This practice is covered under the GDPR.</p>



<h2 class="wp-block-heading" id="h-key-points-of-the-gdpr">Key Points of the GDPR</h2>



<h3 class="wp-block-heading" id="h-1-consent">1. Consent</h3>



<p>The GDPR requires that consent to the collection of data be given by a clear and affirmative act that is specific, informed and unambiguous. Silence or inactivity will not be considered consent. Consent can be shown by a “data user” clicking on a box that has not been pre-checked and that sets forth the consent being given in clear and unambiguous language.</p>



<h3 class="wp-block-heading" id="h-2-data-protection-officers">2. Data Protection Officers</h3>



<p>The GDPR requires that data privacy officers be appointed at companies under certain circumstances, for example if the company is involved in the public sector, has more than 250 employees, or has a core business that involves processing operations requiring active monitoring. These data protection officers must be experts in the data protection field.</p>



<h3 class="wp-block-heading" id="h-3-data-breach-notification">3. Data Breach Notification</h3>



<p>As soon as your company becomes aware of a data breach, the EU supervisory authority must be notified within 72 hours of the breach. The EU resident affected by the breach must also be notified immediately if the breach involves the possibility of identity theft or fraud, physical harm, significant humiliation or damage to one’s reputation.</p>



<h3 class="wp-block-heading" id="h-4-privacy-notices-and-other-rights">4. Privacy Notices and Other Rights</h3>



<p>The GDPR requires that certain disclosures are made in a privacy notice. While some disclosures, such as the identity of the privacy officer, the purposes of data collection and the categories of the potential recipients of the collected data, are not new, other rights are certainly new. For example, an EU resident now has the right to object, to obtain the information collected about them, to erasure and even to correction, among other rights not mentioned here.</p>



<h2 class="wp-block-heading" id="h-take-away-compliance-deadline-is-fast-approaching">Take Away – Compliance Deadline is Fast Approaching</h2>



<p>The key takeaway here is that the May 25, 2018 compliance deadline is fast approaching. With unbelievably high fines available, affected EU residents are now empowered to go after US businesses that do not properly protect and/or collect their personal data. US companies will not be able to hide their heads in the sand merely because the affected individuals are across the pond. Meaningful enforcement penalties are available to EU residents. US companies need to take action now to understand how their business might be impacted by the GDPR and take corrective action before GDPR compliance is required. For information in general on the GDPR click <a href="http://www.eugdpr.org/" target="_blank" rel="noopener noreferrer"><em><strong>here</strong></em></a>. If you have any additional questions regarding this or any other aspect of your business, please feel free to contact us at <a href="/" target="_blank" rel="noopener noreferrer"><strong>Danziger Shapiro, P.C.</strong></a></p>



<p><em>This entry is presented for informational purposes only and is not intended to constitute legal advice.</em></p>
]]></content:encoded>
            </item>
        
    </channel>
</rss>