Personally Identifiable Information (PII) – The Problem At the Heart of the Privacy Profession?

Is an inability to come to an agreement on the definition of personally identifiable information (PII) a problem for the privacy profession? Click on the following link for a discussion: The Problem At the Heart of the Privacy Profession.

Another problem, I believe, is that from a liability perspective, in instances where a computer data breach is caused or accomplished by the intentional or negligent act of a third party, what standard of care do you use to determine whether the entity whose computer system was hacked was legally negligent in safeguarding or protecting its system from being hacked? What is the applicable standard of care that should be applied? Do different standards of care apply for different industries, for different entities, in different geographic locations? And what if you are on a board, or a risk or audit committee, overseeing management’s integrity of the entity’s computer system, what standard of care do you use to satisfy that oversight or to at least negate possible red flags? We have a lot of important questions to discuss in this area of law.

Dave Tate, Esq., San Francisco and California.

Chapter 5A – Audit Committee Functions and Responsibilities

The following is a link to an audit committee chapter that I wrote for the California Continuing Education of the Bar. The chapter was part of a larger binder of contributing authors – a really excellent unique resource for advising and defending officers and directors. Unfortunately, subsequently the entire binder was discontinued.

The chapter is seven years old at this point, but remains relevant and an excellent overview, although not updated at this point. Viewing the chapter broadly, in addition to updates, of course, I would add additional discussions about risk management and risk management evaluation and oversight; disclosures including management discussion and analysis; Foreign Corrupt Practices Act and oversight of foreign operations, contacts, customers and suppliers; compliance processes; investigations; internal audit; working and interacting with others; and practical considerations, actions and applications. To view the chapter click on the following, Chapter_5A_Audit_Committee_Functions_and_Responsibilities_Oct._2007_Advising_and_Defending_California_Directors_and_Officers

Enjoy. Dave Tate, Esq., San Francisco and California

IAPP – Ten Steps to a Quality Privacy Program, Part Nine: Create a Written Plan for Addressing Known Issues

Here is a good read: part nine of ten steps to a quality privacy program – create a written plan for addressing known issues, click here. Are you a member of a board, or on a risk committee or audit committee that is tasked with risk management?

Enjoy. Dave Tate, Esq., San Francisco and California.

How Boards Can Proactively Oversee Strategy and Risk from NACD Blog

Click on the following link for good comments from the NACD Blog about boards overseeing strategy and risk. NACD Blog.

The NACD comments aren’t particularly new and they don’t cross new ground. They do tend to confirm that generally there aren’t specific criteria to meet. When I refer to “specific criteria” I mean, for example, the point-by-point criteria that you might find in an audit program. However, for some industries with respect to some strategy, governance and risk issues there can be specific requirements, for example in banking and financial services, and in oil and gas drilling and exploration about which I have previously written.

Enjoy, Dave Tate, Esq. San Francisco and California.

Disclosure Reform – From Harvard CorpGov Blog – And My Comments

The following link is to a good summary of the state of disclosure reform, from the Harvard CorpGov Blog, including comments about the prospects or prognosis and the possible timing, click here.

The interest in new and different disclosures is ongoing, both naturally in the marketplace and by statute or regulation. Governance and risk management are two of the important areas on my list. And you should assume that changes will also include environmental and sustainability issues. Already for many years governance and tone-at-the-top have been areas that the outside auditors evaluate at least for the purpose of reliability and planning the scope of the audit. As a start in this area, look at the areas and procedures that the outside auditors consider, and then make changes and improvements if necessary. And it should also now be clear that risk management, top down and bottom up, is an executive and board level function of primary importance which potentially covers all areas of the organization. For example, ISO 31000 (risk management) and COSO ERM and internal control frameworks already have existed, and see also the Sustainability Accounting Standards Board site and materials at http://sasb.org.

Please feel free to provide your comments.

Enjoy. Good reading.
Dave Tate, Esq. (San Francisco and California)

California Wills & Trusts – The Decedent’s Intent Prevails as Expressed in the Instrument and Extrinsic Evidence

It is long-established California law that it is the intent of the decedent as expressed in the instrument that controls the legal effect of his or her dispositions and whether or not the terms and provisions in an alleged will or trust document are in fact valid and enforceable including the interpretation of the terms and provisions, and that as an aid to the understanding of the alleged document and to the discovery of the decedent’s intent extrinsic evidence and evidence of the surrounding circumstances are admissible. Estate of Russell (1968) 69 Cal. 2d 200, 2006; Estate of Hollingsworth (1940) 37 Cal. App. 2d 432, 435; Cal. Probate Code §21102; see also Cal. Code Civ. Proc. §1860 (for the proper construction of an instrument, the circumstances under which it was made, including the situation of the subject of the instrument, and of the parties to it, may also be shown, so that the Judge is placed in the position of those whose language he or she is to interpret); and Cal. Probate Code §6111.5 (extrinsic evidence is admissible to determine whether a document constitutes a will, or to determine the meaning of a will or a portion of a will).

“Extrinsic evidence always may be introduced initially in order to show that under the circumstances of a particular case the seemingly clear language of an instrument describing either the subject of or the object of the gift actually embodies a latent ambiguity for it is only by the introduction of extrinsic evidence that the existence of such an ambiguity can be shown. Once shown, such ambiguity may be resolved by extrinsic evidence.” Estate of Russell (1968) 69 Cal. 2d 200, 207.  Extrinsic evidence is admissible not only to resolve a latent ambiguity but also to show that a latent ambiguity exists, as by showing that more than one person met the description of beneficiary, that more than one thing met the description of what appeared as a specific devise or bequest, or that certain language in the instrument was understood and intended by the testator to have a meaning different from what on its face it appeared to have. In re Flint’s Estate (1972) 25 Cal. App. 3d 945.

Dave Tate, Esq. (San Francisco and California)

Key Components of an Organizational Compliance Program – 2-Page Paper

Key Components of an Organizational Compliance Program Dave Tate Esq

Click on the above link. Enjoy. Dave Tate, Esq. (San Francisco and California)

Global mergers point to urgent need for law firm sales divisions | International Business Development

Global mergers point to urgent need for law firm sales divisions | International Business Development.

Enjoy, Dave Tate, Esq. (San Francisco and California)

Rise of the Processes

Brief thoughts – Rise of the Processes.  This is an important topic for executive officers, boards, management and employees of public companies, private companies, nonprofits and governmental entities.  It presents opportunities, and increased risks and exposure if it isn’t done right.  And this topic isn’t going away.

Processes aren’t new. Processes are everywhere and sometimes nowhere. Twenty years ago I was arguing processes in cases involving punitive damage claims. Some processes are good or friendly, and some processes are harmful. And then there are situations where there are no processes, or where there are processes but the processes are not followed. Processes can be good for:

1. Helping organizations to run more productively and meet, satisfy or exceed strategies, goals and risk management;

2. Avoiding liability; and

3. In circumstances of possible liability or wrongdoing, reducing damages, fines and penalties, including punitive damages.

None of the above is really new. But what we are witnessing and experiencing is the ongoing acceleration and rise of the processes.  See below, for example, my posts dated February 6 (click here) and 12 (click here).

Dave Tate, Esq. (San Francisco and California)

INTERNAL INVESTIGATIONS – SELECTING THE INVESTIGATOR’S QUALIFICATIONS AND CHARACTERISTICS

If you are a director or a board committee or special committee member, and you are relying on an internal investigation, or you are involved in or exercising oversight of an internal investigation, have you thought about the desired qualifications and characteristics of the investigator or of the people who are involved in or helping with the investigation?

If you are a director or a board committee or special committee member, pursuant to the business judgment doctrine and various statutes, you may rely on other people including information provided by other people (1) only if you believe those people are reliable and competent in the matters that they are addressing, (2) only if your reliance is in good faith, after reasonable inquiry as warranted by the circumstances, and (3) you do not have knowledge that would cause reliance to be unwarranted.

So what are the qualifications and characteristics that you might look for in a person who is going to perform an internal investigation on which you are going to rely? I say, what qualifications and characteristics you might look for, because no legal bright line or mandatory list exists. And, of course, no two internal investigations are identical.

The following are the initial questions that I would be asking, and the initial qualifications and characteristics that I would be evaluating. What do you think?

  1. What is being investigated? What issues and factual situation or situations?
  2. Why is it being investigated? What has prompted or required the investigation?
  3. Who will use or be relying on the investigation?
  4. Should the investigation be legally confidential, such as protected by the attorney client and/or work product privileges?
  5. Is it possible that you will want or be required to disclose the investigation to the public or outside sources, and its processes, results and report?
  6. What is the investigation process? Is there a specific required investigation process? Is the proposed investigation process reliable? How will other people who are skeptical of the investigation view the process and its reliability?
  7. Is the proposed investigator independent? Will the proposed investigator be viewed as having a conflict or bias?
  8. Is the proposed investigator sufficiently experienced in the subject matter area such as employment, FCPA, accounting, internal controls, product liability, fraud, securities, and the product, service or occurrence at issue?
  9. Is the proposed investigator sufficiently experienced in doing investigations and questioning people?
  10. Does the proposed investigator have the appropriate demeanor and approach?
  11. Can the investigator write well?
  12. Is the investigator knowledgeable about the pertinent burdens of proof and standards of care for the occurrence being investigated?
  13. Will the investigator be able to comment about additional facts or evidence that might be needed?
  14. Presumably an end result or opinion will be required – is the investigator qualified to not only collect but also to analyze, evaluate and quantify the facts and evidence obtained and still unknown?

* * * * *