Report on Security Legislation

February 20th, 2009

Report on Security Legislation: H.R. 639
(February 4, 2009)

by Michael A. Williams, Esq.

The House Bill referred to in a Federal Computer Week article concerning the security clearance process is H.R. 639, introduced January 22, 2009. The Bill’s author is Rep. Anna Eshoo (D-14, CA) and the co-sponsor is Rep. Darrell Issa (R-49, CA). Rep. Eshoo’s district is south and southwest of San Francisco and appears to include most of Palo Alto and some other parts of Silicon Valley. Rep. Issa’s district is north of San Diego and includes the cities of Oceanside and Vista.

The Bill’s emphasis is on obtaining reports of the number of individuals holding security clearances and on the efficiency of the clearance process. It requires annual reporting to Congress and an Executive Branch audit every four years.

H.R. 639 has been referred to both the Oversight and Government Reform Committee and the Select Committee on Intelligence. The Speaker of the House has named the members of the Committee on Oversight and Government Reform, and they may be posted on the Committee’s web site this week. Rep. Issa will be the Ranking Member, but Rep. Eshoo is not on the Committee. The Committee met on February 4 to organize itself and may, within about a week, post notices for its first hearings. The Speaker has not yet named the members of the Select Committee on Intelligence, so it has not yet met during the 111th Congress to organize or hold hearings. (Both Committees’ web sites are out of date.)

Two items are in the Bill’s favor: its bipartisan sponsors are last Session’s Chairman and Ranking Member of the Subcommittee on Intelligence Community Management (Select Intelligence), and Rep. Eshoo stated in the Congressional Record when she introduced the Bill that it was the result of past committee work.

I have not checked for the President’s response to the new burdens H.R. 639 would place on the Executive Branch and many agencies.

Guest Author: Michael A. Williams, a lawyer, practicing in Virginia and Washington, DC, contributes to this blog. He has offices at the Stephens Law Firm, PLLC, McLean, Virginia. Telephone: (703) 821-8700, ext. 17. E-mail: stelawfirm@aol.com.

Report on Security Legislation

February 20th, 2009

Report on Security Legislation:  H.R. 553, et al.
(February 6, 2009)

by Michael A. Williams, Esq.

A.  H.R. 553:

     The House passed the Bill, H.R. 553 (the “Reducing Over-Classification Act of 2009”), on February 3, 2009, under the suspension of the rules procedure, indicating it was not considered controversial. It passed on a voice vote. The Bill was designed to prevent the over-classification of security information by the Department of Homeland Security.

     The Senate sent the Bill to the Committee on Homeland Security and Governmental Affairs on February 4, 2009.

B.   Two other Bills related to Homeland Security also passed the House on February 3:

     H.R. 559, to amend the Homeland Security Act to establish an appeal and redress process for individuals wrongly delayed or prohibited from boarding a flight, etc. (413 to 3, Roll Call Vote No. 49); and

     H.R. 549, to amend the Homeland Security Act of 2002 to establish the Office for Bombing Prevention, to address terrorist explosive threats. Voice vote.

Guest Author: Michael A. Williams, a lawyer, practicing in Virginia and Washington, DC, contributes to this blog. He has offices at the Stephens Law Firm, PLLC, McLean, Virginia. Telephone: (703) 821-8700, ext. 17. E-mail: stelawfirm@aol.com.

Administrative Investigations and the SEC

January 21st, 2009

ADMINISTRATIVE INVESTIGATIONS AND THE SEC

By:

AUGUST BEQUAI, ESQ.

     XYZ Corp.’s investors suffered a shock when their company’s shares plummeted after a bogus press release made its way through the Internet.  The release falsely stated that the U.S. Securities and Exchange Commission (“SEC”) had launched an investigation into the company’s accounting practices.  The bogus news had been distributed over a web-based news dissemination service and had quickly spread after being picked up by the wire services and a multitude of chat rooms.

     An arrest by the FBI followed, and a college student with inside knowledge on on-line news services was indicted on 11 counts of securities and wire fraud.  The incident served to illustrate the ease with which frauds can be committed over the Internet, and the need for the SEC and other financial regulators to upgrade their policing efforts in the age of cyber-space.             

     Over the years, the SEC has been criticized for letting off criminals too lightly, as well as for allowing them to continue working while under investigation by its staff.  Whatever the merits of the criticisms, they should not obscure the SEC’s performance over the years, nor the fact that it labors under outdated and cumbersome procedures laid down in the ticker-tape era.

     Experts in security and cyberspace have, over the years, criticized the in-house investigative procedures of the SEC, which some have compared to a Byzantine maze.  The agency is highly centralized and controlled by a five-member Commission, and SEC staff investigations often drag out for several years before finally making their way to the courts, which in large part explains the Enron and related financial debacles.

     Consider what a typical SEC investigation entails.  It begins with an informal inquiry, after the staff has received information about a potential violation of the federal securities law.  If the staff determines that a serious violation exists, it then forwards to the Commission a written request for a Formal Order of Investigation.  Without such an Order, the staff lacks the legal authority to issue subpoenas and take sworn testimony from witnesses. 

     However, since the Commission has numerous other matters on its agenda, many of which are unrelated to its enforcement authority, the staff’s request for a formal investigation often takes several months to approve.  But in the process of conducting its inquiry and interviewing brokers, market analysts and others, the staff can hardly help but alert the target(s) of its interest.  Hence, the target(s) often has ample time to destroy damaging evidence - which has become much simpler in the age of cyber-space - and divert ill-gotten gains.

     Even after it is authorized to issue subpoenas, the staff faces additional bureaucratic hurdles.  If a witness refuses to comply with its subpoena, the staff must go back to the Commission and request subpoena enforcement authority.  This entails writing a memo to the Commission detailing the reasons why the subpoena was issued, and why it is necessary for the staff to obtain a court order directing the witness to comply.  Once again, the Commission may take several months to decide; after which time, the witness may make him or herself scarce and vital records may be destroyed.

     A potential SEC target can also hamstring the staff’s efforts by filing an internal motion with the Commission, requesting it to quash the staff’s subpoena.  Even if the Commission supports the staff, a witness or potential target may appeal that decision in federal court, once again tying up the staff’s efforts in complex appeals that can drag out for years.

     Since the SEC, by law, must defer the prosecution of all criminal securities frauds to the U.S. Department of Justice, red tape and rivalry between their staffs can serve to hamper the criminal prosecution of securities offenses. Thus, it can take several years for a criminal securities case to make its way to the courts, by which time the culprits may have flown the coop.

     The SEC gets little credit for bringing criminal cases to fruition.  That limelight goes to the U.S. Department of Justice.  The SEC defends its budget requests before the U.S. Congress on the basis of the number of civil cases that it brings.  All of this may explain why more than 90 percent of all of the SEC’s civil prosecutions culminate in consent decree settlements.  (A consent decree is a civil agreement in which the offender neither admits nor denies guilt, agreeing merely not to engage in any future illegal conduct.)

     Under the SEC’s investigative procedures, it is a simple matter for attorneys versed in the agency’s workings to bottle up cases for many years, watering them down to consent decrees.  The threat of such tactics by wealthy targets frequently accounts for the SEC’s willingness to settle for cosmetic victories and light penalties.  In the age of cyber-space, these failings can prove costly.

     With the SEC stymied by its own internal inertia, the agency is not likely to reform itself.  Pressure for reform must come from outside.  The U.S. Congress can do a number of things to streamline the SEC’s enforcement procedures.  Among these:

•   Decentralize the decision-making process by taking some of the power away from the five-member Commission; thus, relieving the bottleneck and expediting the enforcement process. When federal prosecutors want to enforce a subpoena, they go directly to court and not to the Attorney General for permission. SEC attorneys should have similar powers and flexibility.

•   Lift the shroud of secrecy in SEC investigations. Secrecy does little to protect the victims of securities frauds. By keeping the enforcement process under a tight veil, the investigative process lends itself to manipulation by powerful interests. The secrecy provisions also stymie SEC investigators from exchanging information with their counterparts in other government agencies, slowing their progress and leading to duplication of efforts.

•   Give the SEC authority to prosecute its own criminal securities fraud cases. There is no reason why SEC lawyers, well versed in securities law and frequently recruited from the top layers of the legal profession, should defer to local U.S. attorneys, who, while well versed in drug prosecutions, may not be familiar with the intricacies of securities frauds. At the very least, this step would end the counter-productive rivalry between the SEC and U.S. Department of Justice.

     In the fast-moving world of cyber-space, the SEC’s staff deserves better tools to enforce the Federal securities law.  Faced with the rapidly evolving world of the Internet, investors, more than ever, need an effective cop on the beat.  Sadly, the SEC and its sister regulatory agencies are not up to par in this regard. 

Internet Workplace Legal Problems

January 20th, 2009

THE INTERNET’S LEGAL QUAGMIRE 

By:

AUGUST BEQUAI, ESQ.

Introduction

While Wall Street continues to plummet, America’s romance with the Internet continues unabated. A growing number of businesses, large and small alike, continue to turn to the Internet as a viable vehicle for their daily operations. While IT consultants have come to play a crucial role in this revolution, they also need to take note of the quagmire that the Internet poses for them and their businesses.

IT Professionals Face Legal Exposure

A Fortune 100 Company paid some of its female employees several million dollars when it was found that its male employees had used the Internet to sexually harass and intimidate their female counterparts. In another case, a manager who had been monitoring a romantic Internet liaison between two of his employees, and leaked his findings to their co-workers, prompted attorneys for the two cyber-lovers to file a lawsuit. Their employer was quick to settle. Management had failed to enact policies and procedures aimed at regulating use of the Internet by its workforce, in conformity with privacy laws.

In the current Internet environment, fraught with the potential for costly litigation, management needs to strike a balance between concerns over the privacy rights of its workforce, and the need to ensure that its workers do not misuse the Internet and expose the company to legal difficulties. Here are some guidelines that address these concerns.

Written In-House Guidelines: Since the modern workplace is the habitat of diverse classes of employees - i.e., at-will employees, contractors, temporaries, licensees, part-time workers, and so on - clearly-defined (and written) guidelines and policies are a necessity to ensure their proper use of the Internet.


Balancing Employee Security Rights

January 6th, 2009

 

BALANCING EMPLOYEE SECURITY RIGHTS
AT THE WORKPLACE

By:

AUGUST BEQUAI, ESQ.

I. INTRODUCTION

The Internet - an outgrowth of America’s Cold War efforts - is touted daily as an efficient and inexpensive vehicle for electronic commerce, one that both business and government can employ effectively to conduct their daily operations, with an army of vendors ready to assist.

But as U.S. businesses and individuals turn to the Internet in growing numbers, serious concerns over crime and security continue unabated. These are in need of serious long-term consideration. Businesses that fail to enact proper measures to address these concerns invite both adverse publicity and costly litigation.

The euphoria and financial motives that have fueled the growth of the Internet need also accommodate serious concerns over crime and security. For in the minds of a growing number of business and government officials in the U.S., there is a growing awareness that the Internet is not the fabled genie of Aladdin’s lamp.

II. DEALING WITH SECURITY CONCERNS

While many in business and government acknowledge the need for security in cyber-space, few agree on what constitutes adequate security to stave off legal exposure, or whether the impetus should be on the technical as opposed to the personnel side of security. In any case, there is a consensus in legal circles that to stave off litigation, a security program should address several basic security needs:

Association Law: Legal Issues for Management

December 29th, 2008

 

Association Policies Beneficial When Filing the New IRS Form 990

 

by Michael A. Williams, Esq.

 

December 2008

 

     Trade associations, foundations and other non-profit organizations will want to consider adopting several non-mandatory policies before the end of their current fiscal year as a result of new governance policy and other questions they will be required to answer when they file the new IRS Form 990.  Answers to the new questions indicating the association does not have the policies certainly will not automatically result in an audit, but answering “Yes” to the questions should decrease the chances of an audit.

 

     The IRS spent many months preparing the most substantial revisions to the Form 990 information tax return in over 15 years.  The new form covers calendar year 2008 and fiscal years that began during 2008.  The new 990 is an important event for Section 501(c)(3) and 501(c)(6) organizations and all others in the non-profit community. 

     The new form contains many more questions than before and has several new schedules.  The additional questions and revised schedules will allow the IRS, generally, to monitor some tax-exempt organization issues in much more detail than before.  Congress held hearings over the last few years related to abuses by a few high profile non-profits and in certain areas (compensation, hospitals, donated easements, etc.).

     Among the new Form 990 questions are whether a non-profit association has the following governance policies (2008 Form 990, Part VI, Lines 12, 13, 14, 15 and 16):

          1.  Conflict of Interest Policy;

          2.  Whistleblower Policy;

          3.  Document Retention and Destruction Policy;

          4.  Compensation Policy (for setting the compensation of the highest paid officers); and

          5.  Joint Venture Policy.

     In addition, the Form asks if the non-profit requires the Board and Board Committees to keep written minutes of their meetings, so I would add a sixth policy:

          6.  Policy requiring that the Board of Directors and Committees of the Board keep written Minutes of their meetings.

     These policies are not required; however, adoption of several or all of them should lessen an association’s odds of being audited.

     In order for the tax-exempt organization to answer yes to the questions, its Board must adopt the policies no later than the end of its first fiscal year that began during 2008 and ends during 2009.  Adoption after the end of the fiscal year will not allow the association to answer yes to the questions on the 2008 Form 990.

     I have developed documents suitable for each of the policies.  The format of each policy is fairly short and meets the minimum IRS requirements.  If your association wants a more elaborate policy on any of these issues, it can expand the policy now or adopt the policy and revise it later.

     I urge any exempt organization and its Board to consider these policies by or before the last Board meeting of the fiscal year ending during 2009 or use a unanimous written consent in lieu of a meeting to adopt them.

 Guest Author:  Michael A. Williams, a lawyer, concentrates a substantial portion of his practice on representation of trade associations, foundations and other tax-exempt organizations in Virginia and Washington, DC.  He has offices at the Stephens Law Firm, PLLC, McLean, Virginia. Telephone:  (703) 821-8700, ext. 17.  E-mail:  stelawfirm@aol.com.

Internet Abuses

December 29th, 2008

By August Bequai 

The Internet has proven to be both a blessing and a problem for America’s current workplace. Management and employees alike (both in government and the private sector), more out of ignorance than malice, find themselves afoul of the law and their workplace regulations.

Here are some laws to take note of in order to avoid legal entanglements. To cite a few of these:

1. Federal Computer Fraud & Abuse Act (18 U.S.C. 1030): provides tough penalties for individuals who employ computers to commit frauds, acts of sabotage, and other misconduct. Pranksters are no exception.

2. Electronic Funds Transfer Act (15 U.S.C. 1693): provides penalties for those individuals who tamper with electronic funds transfers in interstate or foreign commerce. Direct deposits are covered.

3. Credit Card Abuse Act (18 U.S.C. 1029): covers frauds and related activities which employ access devices.

4. Wiretaps (18 U.S.C. 2510-2258): makes it a crime for private individuals to tap into communications between other parties. Electronic Communications Privacy Act (18 U.S.C. 2701): makes it a crime to access without proper authorization stored data belonging to others. Hackers should take note.

5. Use of Computers to Make Threats (18 U.S.C. 875): threatening your ex-girlfriend or boyfriend via the Internet could get you in deep trouble.

Those with an avid interest in IT security issues should check out the following:

1. International Journal of Law & Information Technology  (Oxford University) at http://www3.oup.co.uk/inttec/hdb

2. Computer Law Review & Technology Journal at http://www.smu.edu/-csr/articlesd.html

3. Journal of Computers & Security (Oxford, England) at www.elsevier.com/locate/cose

The above should keep your plate full for a while.