Forensic Update

Reflections on information management within the legal and regulatory arena


Archive for October, 2010

Regulator fines company $1M for poor HR record-keeping, despite absence of illegal hiring practices…

Posted by Johnny Lee on October 26, 2010

In late September of this year, the United States Immigration and Customs Enforcement office (“ICE”), a segment of the Department of Homeland Security, levied a $1 million fine against clothier Abercrombie & Fitch (“A&F”) for record-keeping failures related to its obligations under the Immigration and Nationality Act.  Remarkably, this fine was imposed despite the fact that there was no evidence that A&F knowingly hired a single unauthorized worker.

In late 2008, ICE conducted an audit of A&F’s stores in Michigan and found a series of deficiencies in the company’s I-9 verification technology.  This fine flows directly from those audit findings.  Again, ICE was imposing a penalty strictly related to deficiencies in A&F’s ability to demonstrate that its I-9 verification protocols were sound; ICE did not allege that A&F had employed unauthorized workers.

Khaalid Walls, spokesman for ICE, indicated that the message here is that “we want employers to know that their employee documentation is just as important to the federal government as their financial records” [emphasis added].  The special agent in charge of ICE’s Michigan operations, Brian Moskowitz, elaborated on this point, stating that “employers are responsible, not only for the people they hire, but also for the internal systems they choose to utilize to manage their employment process and those systems must result in effective compliance.”

Moskowitz went on to say that the settlement “should serve as a warning to other companies that may not yet take the employment-verification process seriously or provide it the attention it warrants.”  What is truly remarkable here is that this appears to be a trend among federal regulatory agencies (q.v., FINRA Fines Firm $1.2 Million for Failure to Archive Email Properly and similar links below) to levy fines and focus enforcement on the manner of record-keeping, rather than discrete evidence of a violation.

Companies embrace electronic filing systems (and other automated records management solutions) to increase efficiency and to make compliance efforts easier and more reliable over time.  While this is certainly laudable, the government is sending a strong and unambiguous message that purchasing software does not a records management program make.  Put differently, for companies automating record-keeping, the system(s) selected need to contemplate the nuances of the regulations with which the company seeks to comply.  The failure to do so can be expensive—even in the absence of a bona fide violation that the regulation sets out to prevent.

A short list of notable regulatory fines related to record-keeping deficiencies:

Posted in ECM, Investigations, Records Retention | 1 Comment »

Facebook privacy protections are neither private nor protected…

Posted by Johnny Lee on October 19, 2010

In addition to articles on this site about potential discovery issues related to social networking (q.v., Social Media Privacy = Wishful Thinking and Facebook Posts Deemed Discoverable), individuals and companies alike are now faced with another source of exposure for data housed by Facebook.  It now seems that Facebook is a gold mine for criminals intent on fraud and for online marketers intent upon building very detailed buying profiles of Facebook users without their knowledge or consent.

John Lawler, the chief executive of Australia’s Crime Commission, warned that elements of organized crime are taking personal information from Facebook in droves to obtain credit fraudulently.  These criminals are exploiting all manner of personal information (from family members to pets’ names) to establish credit and to circumvent the usual controls by which applicants legitimately authenticate themselves to financial institutions seeking to extend them credit.

In a related story (and new episode in a long series of prominent embarrassments) for the online networking company, the Wall Street Journal (“WSJ”) reported earlier this week that its investigation yielded significant control gaps in the way personal information could be mined from Facebook without the end user’s knowledge or permission.  Unlike prior complaints about lax privacy controls or confusing settings for users to “lock down” their information, the WSJ investigation reveals that Facebook is literally broadcasting (or, more precisely, permitting the broadcasting of) personal information to online marketers, advertisers, and Internet tracking companies.

To be clear, this latest reputation hit for Facebook affects only those who use Facebook applications or “apps” (as opposed to the native “friending” and “wall” features).  Users must take a secondary step of confirming that an app has permission to attach itself to a user profile.  That said, the personal details being shared with these online companies affect tens of millions of Facebook app users—including those who have elected the most stringent privacy setting for their profiles.

Technically, the dissemination practice by app developers uncovered by the WSJ violates Facebook’s rules.  However, the sheer magnitude of personal information being disclosed has renewed concerns that Facebook does precious little to keep its users’ information private and secure.  The compromised data from Facebook users allows online marketers to compile and sell “detailed dossiers of their activities and interests.”

For individuals using these apps, there is serious thinking to do about the continued use of these online gateways to personal data.  For companies employing such individuals, new thinking is required to educate their employee base about proper communication protocols.  This education could require companies to revisit their data management policies, their public disclosure rules, their online monitoring of employees, and even their code of conduct policies to ensure that employees using these compromised applications either discontinue such use or adjust that use commensurate with the company risk that travels with it.  For everyone, this is yet another example of how technology is forcing us to re-think existing notions about information privacy and whether such a concept can be taken seriously for much longer.

Posted in eDiscovery, Information Security, Privacy, Records Retention, Social Networking | 2 Comments »

Tread carefully in discovery requests of third-party email accounts…

Posted by Johnny Lee on October 8, 2010

A federal court in California has held that the consent of the account holder is required, under the Stored Communications Act, to obtain copies of emails in Google’s possession.  The case, Beluga Shipping GMBH & Co. KS Beluga Fantastic v. Suzlon Energy LTD. (N.D. Cal., Sept. 23, 2010), hinged upon the plaintiff employer’s belief that a fraud was being committed by several of its former employees and furthered by those employees via email exchanges using Google-hosted email accounts.

Accordingly, plaintiff filed a discovery petition to request that Google provide all emails transmitted or received by its former employees.  The petition requested information from specific email accounts, and it further requested that Google help establish when these accounts were created and any information used in the creation of these accounts.

Google responded that it was unable to comply with the discovery petition without running afoul of the Stored Communications Act (q.v., 18 U.S.C. §§2701-2712).  Specifically, Google argued that only the individual account holders could consent to the turn-over of this information; without it, Google argued that its performance of the steps requested in the discovery petition would be unlawful.

The court agreed with the thrust of Google’s argument, denying plaintiff’s motion to compel production of specific emails.  That said, the court did grant part of the petition, directing Google to produce materials that established the chronology of when certain accounts were created as well as the user information provided to establish these accounts.  The court also directed Google to preserve any and all emails that were potentially related to this matter.

This decision is significant for any party seeking to explore discovery with third-party email service providers.  In addition to the fairly stringent requirement of obtaining the account holder’s consent, litigants should be cognizant of the applications of this precedent to other data that may be hosted similarly in other types of cloud services—from email to remote backup providers to hosted ERP vendors.  Regardless, Beluga seems like required reading for anyone seeking to delve into the hosted email archives of a responsive party.

Posted in eDiscovery, Investigations, Litigation Hold, Records Retention | Comments Off on Tread carefully in discovery requests of third-party email accounts…

ForensicUpdate Editor to join Foltz Martin Panel…

Posted by Johnny Lee on October 4, 2010

ForensicUpdate.com Editor, Johnny Lee, will join a panel discussion hosted by the good folks at law firm Foltz Martin LLC.  The panel, the last in the 2010 four-part series on Strategies for a Recovering Economy, will be held on November 16, 2010 in Atlanta at the  Conference Center (Buckhead).  The topic will be the efficiencies and cost-effective benefits of a solid data management infrastructure.

Today, over 95% of all content created is digital.  The cost to acquire digital storage continues to drop, but unregulated content presents significant risks for today’s organizations as they wrestle with a host of regulatory rules, compliance issues, industry standards, integration concerns, and litigation exposure.  How do organizations reconcile the low cost to acquire storage with the high cost of mismanaging it?  How can companies safely address this source of risk?  How does a company arrive at the solution that is right-sized for its particular business model?  How can you access and utilize your internal data to make more effective business decisions and increase profitability, decrease response time, and better take control of your operation?

Please join us for a discussion of how to identify the risks and opportunities facing business today; what role policy, procedure, training, and technology play; and how best to tailor a program to address those risks and take advantage of opportunities.  Please click here for more details or to contact the event organizers.

Posted in Announcement, ECM, eDiscovery, Litigation Hold, Privacy, Records Retention, Social Networking | Comments Off on ForensicUpdate Editor to join Foltz Martin Panel…

FINRA Fines Firm $1.2 Million for Failure to Archive Email Properly…

Posted by Johnny Lee on October 4, 2010

In November of 2009, the Financial Industry Regulatory Authority (“FINRA”) reached a settlement with MetLife Securities Inc. and three related broker-dealers (referred to collectively as “MetLife” herein) for the failure to implement supervisory systems required to meet compliance obligations.  The “settlement,” known as a Letter of Acceptance, Waiver and Consent (“AWC”), is a mechanism provided under FINRA Rule 9216 to permit the resolution of a controversy involving a member or associated person over a violation of any rule, regulation, or statutory provision that FINRA has the jurisdiction to enforce.

What is remarkable about this AWC is that it imposed a fine of $1.2 million substantially because MetLife failed to meet their compliance obligations related to the review of electronic mail (“email”) correspondence.  Put differently, FINRA levied this fine because MetLife did not follow its own written policy on matters related to email archiving and the review of archived email.

In 2006, MetLife implemented a sophisticated email archiving solution, which sought to align  technology with existing business processes and written policy guidance (whereby management would monitor brokers’ email correspondence with the public as well as broker participation in outside business activities).  At issue in the AWC is the period before this technology acquisition (from March 1999 to December 2006), when “the firms did not have a system in place that enabled supervisors to directly monitor the email communications of brokers.”  Simply put, prior to 2007 the policy was bulletproof but the practice was lacking.

In the news release commenting on the FINRA ruling, Susan Merrill (FINRA Executive Vice President and Chief of Enforcement) was quoted as saying that although FINRA’s rules “afford firms the flexibility to tailor procedures that are appropriate for their particular business models, all firms must have the ability to flag emails that may evidence misconduct.”  She went on to comment that having a “system” that placed the primary reliance on “brokers to provide copies of their own emails to supervisors for review is hardly an effective means to detect such misconduct.”

Students of the evolving electronic discovery case law should see a familiar motif as it relates to the intolerance of form over function.  From Zubulake to Qualcomm to what eDiscovery guru Ralph Losey has aptly deemed “Victor Stanley II,” we see the judiciary adopting this same lack of patience for organizations that believe that a written policy alone is sufficient to meet their compliance burdens.  In both regulatory and litigation [1] arenas, whether monitoring email for misbehavior or preserving data in a defensible manner, daylight between policy and practice can be costly.

[1] For a very good example of a company receiving untoward attention from the courts for email retention practices that do not pass the straight-face test with regard to evidence preservation, please see the Apple Inc. v. Psystar Corporation matter from the Summer of 2008.  In particular, please see the Case Management Statement (filing 28; page 7 therein) from this case filed by Apple in late 2008.  This filing describes the evidence preservation practices at Apple that the court later found less than adequate—especially in light of Apple’s status as a purveyor of enterprise-class storage hardware and software.  Click here for other examples of companies fined for inadequate archiving / preservation practices.


Posted in ECM, eDiscovery, Litigation Hold, Records Retention | 1 Comment »

ForensicUpdate Editor to speak at ARMA Event…

Posted by Johnny Lee on October 4, 2010

ForensicUpdate.com Editor, Johnny Lee, will present a luncheon session on Data Management, Investigations, and eDiscovery at the October session of Atlanta ARMA.

Electronic Discovery (“eDiscovery”) can be a time-consuming, burdensome, and costly undertaking for organizations.  Studies indicate that 87% of the organizations questioned feel that formal data retention policies are valuable, but only 46% actually have one in place.  Despite the prominent headlines, case law, and regulatory risks, the disconnects between in-house IT and legal departments are growing more pronounced every year.

Please join us for a case law update and a discussion of enabling technologies and leading practices that are helping companies: (a) to create and sustain unimpeachable data retention programs and (b) to manage records more effectively and defensibly.  I look forward to a lively discussion.

Posted in Announcement, eDiscovery | Comments Off on ForensicUpdate Editor to speak at ARMA Event…