Data Security: Where there is data, there should be policy

Posted on 30, Mar | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

The recent report by the Wall Street Journal about the Morgan Stanley breach scares me as an employee. Reportedly Galen Marsh, a financial adviser for Morgan Stanley, was fired for allegedly stealing account information from about 350,000 wealth management clients and posting some of it online. The part that concerns me is the reports that federal law enforcement officials are focusing their probe on the possibility that Marsh’s computer was hacked. (Full story here.)

I have not reviewed the full report nor have I looked deeply into the incident. My attention was drawn to the consequences that befell Mr. Marsh and the slim possibility that he did nothing wrong. It seems that in this day of BYOD – Bring Your Own Device – and the use of laptops and mobile devices by employees, it is time for there to be a clear understanding about the company’s responsibilities and the individual employee’s responsibilities. This is not to suggest that an employee’s first question should be “Will I get fired if this laptop is hacked and company data is stolen?” when presented with a company laptop. There should be a clear understanding between the company and the employee what is expected of each as it relates to the security and control of any electronic device that contains company data.

The foundation of this understanding begins with a good company policy. A policy should be specific regarding the proper use of electronic devices. A policy should also indicate who is responsible for areas such as email security, data security, acceptable use, and physical security of the device. A policy should be a living document. An electronic device policy that covers laptops should be reviewed at a minimum once a year. Policies should be flexible. Some employees may take a laptop home and some may not.

Companies should give employees a chance to review policy before they sign it and allow them to ask questions. I suspect Morgan Stanley utilizes policies that cover the use of laptops by employees for work purposes. I doubt the employee thought he would get fired if the laptop was hacked and client data was exposed. What if the employee were a CFO or CEO?

There is most likely a lot more to this story than has been made public, but the heart of the matter is, as an employee, make sure you are fully aware of what the company expects as it relates to the use of company data and company provided electronic devices.


RMA Welcomes Michael Epperly as Director of Investigations

Posted on 30, Oct | Posted by RMA

Risk Management Associates, Inc. (RMA), recently reengaged Michael Epperly to lead our investigations division. Michael previously served as RMA’s vice president and general counsel. Mike’s experience as a consultant, investigator and attorney makes his addition a valuable asset to both RMA and its clients. Michael is a graduate of Campbell University and former law enforcement officer and will serve as our Director of Investigations, focusing on white collar crime, misappropriation, due diligence, compliance and ethics investigations and consulting.

Epperly, a native of Roanoke, Virginia, received his Juris Doctorate degree in 2002, and served in various investigative capacities in Virginia law enforcement before moving to North Carolina to begin his legal career. Prior to his hiring by RMA, Epperly worked for the NC Attorney General’s office and as the lead investigator for the NC Innocence Commission, where he investigated post-conviction claims of innocence by examining new evidence not presented at trial. Epperly also served as an intelligence officer in the US Navy.

“I am honored to once again be associated with RMA,” said Epperly. “RMA has a long history of superior investigative outcomes. Much of this success is directly attributable to the unrivaled skill and integrity of its people. RMA has a proud tradition of pairing each client with investigators and analysts who are uniquely qualified to deal with the issues at hand, and who also have the courage and integrity to report the truth – even when not favorable to the client. I intend to ensure that this tradition continues, and am both honored and humbled by this opportunity.”


Chris Peterson Guest Speaker on Radio Station WCOM 103.5

Posted on 2, Apr | Posted by RMA

On Tuesday, April 1, 2014, Chris Peterson was the guest speaker on the program “Focus on Business” hosted by Lea Strickland which aired on radio station WCOM 103.5. “Focus on Business” provides insights, information and perspective on building strong businesses, sustainable businesses that build sustainable communities. Guests include area business leaders, experts and professionals who share their experience. If you want to start, expand, grow or repair a business, tune in.

Chris and Lea discussed fraud in the workplace, noting that a typical company loses 5% of its revenue each year. The discussion expanded to the vulnerability created by employees bringing their own electronic devices, including phones, tablets and computers, into the workplace.

WCOM 103.5 is listener-supported, volunteer-powered community radio station located in Carrboro, North Carolina. The mission of WCOM is to educate, inspire, and entertain the diverse populations of Carrboro, Chapel Hill and nearby areas. They cultivate local music and facilitate the exchange of cultural and intellectual ideas, with particular regard for those who are overlooked or under-represented by other media outlets. They provide a space for media access and education by providing equipment and training to our community. “Focus on Business” airs on Tuesdays from 12:00 – 1:00.


Bring Your Own Device

Posted on 9, Dec | Posted by Christine L. Peterson, CPP, ISP

In business, leaders are very often the conduit between an organization’s vision and the realization of that vision. They are charged with creating an environment that will support the team or teams within the organization to maximize innovation, productivity, and efficiencies and theoretically grow profits and market share – to live to fight another day. The focus on innovation, productivity, and efficiency has always been important, but as we recover from the 2008 recession, this focus is even more critical. Over the last five years, there has been an explosion of affordable, interactive “smart” wireless devices in the market at a price point and connectivity that provided mass appeal. Based on a recent research poll by Pew, 61% of Americans own a smartphone, and 91% of adults in the US own some form of cell phone.

The accessibility of smart devices in today’s world has greatly affected the business world on many levels. In the early days, technology such as computers, cell phones, and PDAs were the tools of business leaders who either could afford them or had the luxury of having them provided to them by their employer. Today, this is no longer the case. Not only are the devices widely available, they are inexpensive and play a critical role in how people communicate both professionally and personally. In the business world this translates into evolving expectations from customers, employers, co-workers, and vendors. These devices have become a critical business tool and in many cases with an eye toward the need for innovation, productivity, and efficiency, the use of personal devices has gained wide-spread acceptance in the workplace. On the surface this seems like a boon for business – especially small businesses – but can you afford the potential costs?

In business and in life, communication is everything. Cell phones, tablets, and computers are all communication devices, and they have become as important to the well-being of companies and employees as love, food, and – to some – the air we breathe. As important as these devices are to business, the most important asset in the technology age is the network backbone that supports all the devices. Businesses spend tens of millions of dollars to develop and protect the network backbone that is critical to the viability of the business. Risks to the network create the potential for disruption of general operations, disruption of transactional and payment operations, theft of sensitive data, legal liability, and damage to the company’s brand. Companies address those risks with protocols, software (such as antivirus, spam control, and others), and hardware to deny and detect breaches to the network. Every device connected to a network – including smartphones, tablets, and laptops – is a potential point of attack or vulnerability for a network. So why would companies allow employees to connect personal devices to the company network? Innovation, productivity, and efficiency – or better, faster, and smarter.

Since most employees already own and use smartphones, laptops, and tablets in their personal lives, they are already being brought into the workplace. This means that if allowed to connect to the business network, these employees have the ability to stay connected to the office and many times clients when they are out of the office or on vacation at no obvious additional cost to the company. More communication and collaboration with no additional cost appears to translate into higher efficiency and productivity. On the surface, most businesses are willing to accept the personal use of these devices in the workplace as a reasonable trade-off or as something unavoidable.

What is not always considered are the other, less obvious costs associated with personal devices connected to the business network:

  • The cost of providing technical support for non-company issues
  • The lack of security protocols activated on personal devices
  • The accessibility and use of personal devices by non-employees
  • The lack of control and ownership of personal devices
  • The lack of accountability for the loss of personal devices containing company information
  • The inability to preserve company data in a lawsuit, audit, or records request

Studies show that employees are less vigilant about their personal devices than company devices and many take more risks with “downloads” on a personal device, including games, apps, attachments, and links – all the places where malware hides. Does your company have security requirements for employees who connect their personal devices to the company network to include anti-virus software that is up-to-date, password protection that gets updated regularly, and protocols that protect company data? If an employee loses a company-owned device, are they required to report it in a certain amount of time? Most likely the answer to that question is yes. What about a personal device? Are employees required to report it at all? In the case of a lawsuit, audit, or records request, the elements of ownership and accessibility are in question. How would you address an employee who is reluctant to share data on a phone that has personal information including pictures, texts, and sensitive information?

According to a recent survey of 1600 members of LinkedIn’s Information Security Group, the top security concerns for Bring Your Own Device (BYOD) were:

  1. Loss of company or client data (75%)
  2. Unauthorized access to company data and systems (65%)
  3. Malware infection (47%)

As a security consulting firm that works with attorneys every day to access and preserve evidence, we know that few companies have considered all the vulnerabilities that exist in an open bring your own device (BYOD) environment. Consider for a moment companies that have experienced a security breach. How easily could this happen at your organization because of a breach through a company-owned device with insufficient security controls in place? How easily could a breach occur through a device owned by an employee who does not think security is important or who has inadequate controls in place? The cost of, and recovery from, a security breach in time, resources, and reputation is significant.

The first criminal charges in connection with the 2010 BP oil spill were not related to any of the acts that led to the explosion. Rather, the charges were related to the failure of a BP engineer to preserve text messages related to his observations following the explosion. The engineer was charged with criminal obstruction of justice. In a lawsuit or other action, how would your company know where data is located? How would you get access to the device(s)? How would you address reluctant employees? How would you collect the data? If the personal device was lost or stolen, are your employees required to notify the company? Can the employee or employer locate, lock, or “wipe” the device remotely? How will you deal with employees who object to security measures such as tracking, “wiping,” etc.? When an employee leaves the company or is terminated, how will you protect the business data and how will you determine what company data is still on the employee’s device(s)?

There are no easy answers to the dilemma, but there are steps that companies can take to protect themselves while still encouraging collaboration, productivity, and efficiency. At the most basic level, companies should approach this as they would any security vulnerability. Know what the most valuable assets to the company are (what you want to protect) and protect them with concentric layers of security or guardianship. If the company is going to allow personal devices on the network, begin with policies and procedures that include:

  • Acceptable use
  • User responsibilities/corporate IT responsibilities
  • Network access requirements
  • Types and brands of devices that are supported as well as those that are not supported
  • Company’s right to monitor the appropriate use of the devices
  • User’s right to privacy
  • Device reset and data deletion
  • Policy enforcement and consequences of violation of the policy (up to and including termination)
  • Security configurations and security controls
  • Application restrictions
  • Acceptable use and treatment of corporate data

Encryption, management applications, and policies will make up the framework of the BYOD security protocols. Depending on the industry of the business, there may be regulatory requirements to be considered including but not limited to HIPAA, PII, FOIA, and others. There are sample BYOD policies that are available online. The federal government has provided A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs, and additional information can be found at: Here you will find:

  • Policy and Guidelines for Government-Provided Mobile Device Usage
  • Bring Your Own Device – Policy and Rules of Behavior
  • Mobile Information Technology Device Policy
  • Wireless Communication Reimbursement Program
  • Portable Wireless Network Access Device Policy

Held Hostage by a Dishonest Employee

Posted on 16, Sep | Posted by Russell W. Gilmore, CISSP, CISM, EnCE

I recently was involved in a case in which a company employee was discovered using a company credit card for personal reasons. This happens occasionally, and one would think that immediately terminating the employee would resolve the issue. But what happens when the employee is the one and only IT person for the company?

Many companies have only one person to manage all of their IT needs. There is nothing wrong with this. Considering that 99.7 percent of U.S. employer firms are small businesses, having a sole IT person may be very common. The problem with this situation is the lack of oversight and management of the IT person by company executives and owners. What are the consequences caused by this scenario? How can companies and organizations prevent the backlash experienced when a single person has the “keys to the kingdom”?

This issue can occur in any business with a small IT staff. This particular case involved an employee who had been with the company for eight years. In that time, the employee came to be the only person who dealt with all IT issues. He managed the website, the phone system, the internet service, all servers, all workstations, the data connections for multiple facilities – you get the point. The employee could have brought the company to a standstill for several days, if not several weeks, if he had wanted to do so. It was not until deciding that he needed to be fired that someone finally asked the question “What does he do and can we do it without him?” The answer was, “No.”

In this case, the employee was being terminated for cause. What if he had been hit by a bus? The company would still be in the same position. The only option left for the company was to hire someone to come in and inventory the network to help them prepare for the employee’s termination. This involved hundreds of man hours. Fortunately, the transition was successful and the company lost no production time.

There are several steps that can be taken to prevent this from occurring in your business. The person responsible for a company’s IT needs should document everything and provide this documentation to management or ownership in a reviewable format on a regular basis. This document should be considered a living document, and any time there is a network change or system change, the document should be edited to reflect the change. The document should include but not be limited to:

  • A list of service providers and all information needed to contact this service provider for support or changes. This includes the Internet service provider, phone service provider, web hosting company, cell phone provider, cloud services, or any other service provider used by the company.
  • Administrator passwords. These can be sealed in an envelope and/or put in a safe.
  • Device passwords and configuration. Think about firewalls, switches, wireless routers, and other equipment.
  • Software passwords and configurations. The IT administrator may be the only person aware of specialized software used in the office that requires specialized configuration or passwords. Make sure this information is documented and available to company executives.
  • Procedures for backing up and restoring systems.
  • A “What if…” document. This document would include instructions on how to deal with and recover from system outages, power outages, or other unique IT failures.

Depending on your network, the information needed in this document will differ. The best way to determine what you may need to document is to sit back and think of the problems created if your IT person were gone. What questions would you have? The document should answer all of these questions. It is also important to make the person responsible aware that this document is a “Continuity of Operations” document. There are many reasons why an IT employee may not be able to come to work, but their absence should not disable any part of the IT infrastructure.

It is also critical to make sure there are two people on the point-of-contact list with all service providers. The second person on the list should be an owner or executive of the company. If the IT person should be unable to perform his or her duties for any reason, the executive or owner of the company can call the service provider and make necessary changes without jumping through a lot of hoops to gain ownership of the service.

Finally, have a third party review this information at least once a year. That third party could be an outside consultant or even a current employee with knowledge of the network and need for business continuity. An outside consultant has the advantage of being objective when looking at an environment and utilizing their experience to help direct and drive a “Continuity Plan” that will protect the company in the event of any number of unexpected events.


Employment Law: Can You Police Social Media?

Posted on 23, Oct | Posted by RMA

Guest blogger Mimi Soule specializes in employment law at the Soule Law Firm in Raleigh, North Carolina. This article was originally published on the website of Forrest Firm.

Lately, the National Labor Relations Board (NLRB) is taking a particularly active interest in employer policies regarding social media.

For those of us living and working in a Right-to-Work state like North Carolina (meaning that employees are not obligated to become members of a union organized in their workplace) where union activity may not be an everyday occurrence, the NLRB is not a familiar regulating administrative body. First and foremost, it is important for business owners to understand that, in general, the NLRB has the authority to regulate private-sector employers—with or without a union—with respect to matters directly or indirectly involving their employees’ right to form a union or discuss the formation of a union.

What does this have to do with an employer’s social media policy you ask? As you have likely read in the news, the NLRB recently issued several decisions citing employers for having overly-broad social media policies, which the NLRB feels restricted employees’ rights to discuss their working conditions—a right protected by federal law and which the NLRB feels unreasonably restricts employees’ ability to discuss the potential formation of a union.

Given these recent NLRB decisions, many employers felt that they were now prohibited from having a social media policy. This just isn’t accurate. Social media policies are indeed lawful; however, because of the recent NLRB decisions, the details of what an employer could regulate within its policy were anything but clear.

So, what exactly can an employer regulate?

On May 30, 2012, the NLRB issued an Operations Management Memo that provided a summary of its recent decisions regarding social media policies, and, most importantly, at the end of the Memo, the NLRB provided a sample policy that it deemed lawful. A copy of the Operations Management Memo, dated May 30, 2012, is located on the NLRB website. Although the NLRB sample policy does not clarify all substantive matters, it does provide some additional and helpful guidance for employers:

  • Employers can continue to prohibit employees from posting information regarding an employer’s private, confidential information and trade secrets as well as confidential internal communications, such as business reports, policies and procedures.
  • Employers can prohibit their employees from representing in a post that they speak on behalf of the company. Employees can only express their own personal opinions.
  • Employers can require that employees be respectful, fair and courteous and to avoid posting statements that “could be viewed as malicious, obscene, threatening or intimidating, that disparage customers, members, associates or suppliers, or that might constitute harassment or bullying.”
  • Employers can require that employees be honest and accurate in their posts, to correct any known mistakes quickly, and never to post any information or rumors that the employee knows to be false about the company, any associates, members, customers, suppliers or competitors.
  • Employers can prohibit employees from posting comments that constitute “discriminatory remarks, harassment, and threats of violence or similar inappropriate or unlawful conduct.”
  • Employers can prohibit employees from using social media while at work or with employer-owned equipment.

For more information on this topic, please feel free to contact Mimi at

Mimi Soule is an established management counselor at Soule Law Firm in Raleigh, NC. She focuses her practice on assisting businesses with federal and state employment law compliance in an effort to mitigate litigation risks. Through her partnership with the Forrest Firm, Mimi advises our corporate clients on a host of employment relationship matters, including wage and hour compliance, family and medical leave, independent contractor classifications, handbook policies, effective hiring, firing and disciplinary procedures, and employment, release and non-compete agreements.

Mimi earned a bachelor’s degree in business from Wake Forest University, followed by her juris doctor degree at the Boston University School of Law.


Massachusetts Lab Scandal

Posted on 12, Oct | Posted by Christine L. Peterson, CPP, ISP

On Saturday, September 29, 2012, the News and Observer covered the story of Annie Dookhan, a chemist at a Massachusetts drug lab. This story underscores some of the devastation that can result when an organization doesn’t follow basic security principles which require both screening and guardianship. The lack of screening and guardianship at the Massachusetts state drug lab has already resulted in the arrest of Ms. Dookhan, the resignation of the state’s public health commissioner, the potential incarceration of innocent victims, and a political and law enforcement nightmare. As this case moves forward, Massachusetts will spend millions of dollars in investigative costs and reparations, and there is the potential for criminals to be freed due to the actions of Ms. Dookhan. Massachusetts Attorney General Martha Coakley said “Annie Dookhan’s alleged actions corrupted the integrity of the entire criminal justice system.” That is an understatement.

Now I understand that the information in the media is just the tip of the proverbial iceberg, but what can we learn from the surface details that might have prevented this disaster?

Lesson #1: The importance of thorough background screening cannot be overstated.

Two opportunities are often missed. First, was there a pre-employment system in place to verify information that was provided by the applicant and to look for omissions? It has been reported that the organization believed Ms. Dookhan had an advanced degree but she did not. Did anyone verify this information?

Second, did the agency have a system in place to verify information that would have a direct bearing on an employee’s position or fiduciary responsibilities post-employment? Life does not end when employment begins. People grow, they change, and circumstances change. Life happens. Employees being promoted or given a change in status should also have an updated background investigation.

Lesson #2: Remember the 10-10-80 rule for fraud.

The general rule of thumb in fraud investigations is that 10% of people would commit fraud at any opportunity, 10% of people would not commit fraud no matter the circumstances, and 80% of people can be swayed one way or the other based on circumstances and conditions. According to the News and Observer story, the only motive that authorities have found so far is the desire of Ms. Dookhan to be viewed as a good worker. Was she part of the 10% or 80%? She’s probably part of the 80% who make decisions based on outside forces which are relative to that person’s situation.

Protection of agency or company assets requires guardianship in the form of oversight. What kinds of protocols in the form of policies and procedures were in place to keep this from happening? Is the same kind of thing happening with other chemists at the agency? Did she work in a bubble with no protocols or collaboration? Did she have no supervision? Were there no quality controls in place?

This article should be an “a-ha moment” for all of us in business, public or private. This is a classic example of a motivated person seeing an opportunity to gain position and prestige within an organization by manipulating the facts. The result is fraudulent information, destroyed lives, damaged careers, sullied reputations, and millions of tax and insurance dollars.


Yahoo chief executive Scott Thompson steps down

Posted on 15, May | Posted by Tasha D. Dyson

Based on experience with some of our clients, there seems to be an assumption that applicants for C-level positions are somehow immune from falsifying information and are above reproach. The assumption seems to be that since an applicant has worked at “Alpha Company”, there is no need for “Beta Company” to do a thorough background investigation. The faulty logic is that Alpha would not have hired him unless his background was clean, so Beta can rest assured.

Did anyone do a background investigation before hiring Mr. Thompson? Probably not. Mr. Thompson had previously worked at the executive or upper management level at PayPal, Inovant (a subsidiary of Visa), and Barclays Global Investors. Although the reasons for his departure also included a company in transition and possible health reasons, the accusations of a falsified resume are what made headlines.

Trust, but verify. For the cost of one education verification search (about $10 to $30), Yahoo now needs a new CEO and four other executives who approved his hiring.

Yahoo chief executive Scott Thompson steps down
The chief executive of tech firm Yahoo has stepped down amid accusations he included a fake computer science degree on his CV.

Scott Thompson was replaced by Yahoo’s global media head Ross Levinsohn.

Yahoo shares rose 1.7% on Monday morning as news of the changes hit the trading floor.

The firm is also reportedly close to agreeing a truce with activist shareholder Daniel Loeb, who discovered Mr Thompson’s mistake.

Mr Loeb, a hedge fund manager who lobbied for Mr Thompson’s dismissal, is set to be appointed a company director.

He will also be able to appoint two other new directors, while Yahoo has named Fred Amoroso as the new chairman of its board.

On Monday the Wall Street Journal reported that Mr Thompson, 54, told Yahoo’s board late last week he had been diagnosed with thyroid cancer.

Mr Thompson was diagnosed in recent days and is due to begin treatment, the newspaper said, adding that discovery of the illness had influenced Mr Thompson’s decision to resign.

No confirmation of the report was available.


Yahoo has already acknowledged that Mr Thompson, who took up his post in January, does not have a computer science degree.

When the news emerged Yahoo initially defended its chief executive, calling the discrepancy on his resume an “inadvertent error”. But it then came under mounting pressure from shareholders, employees and corporate governance experts to investigate the matter.

Mr Thompson’s exit comes amid broader reorganisation within the troubled internet giant, which has seen four full-time chief executives over the last five years.

The chairman of the board, Roy Bostock, and four other directors are leaving the company immediately. All of them had approved the hiring of Mr Thompson.

In addition to the three seats allocated to Mr Loeb and his board appointees, Michael Wolf, a former executive at MTV Networks, and Harry Wilson, a restructuring expert, are to join the board.

Mr Levinsohn, who takes over as interim head of Yahoo, acknowledged the disruption in an internal letter to employees.

“This may seem like a great deal of news to digest, but as you are all keenly aware, Yahoo is a dynamic, global company in a dynamic, global industry, so change – sometimes unexpected and sometimes at lightning speed – is something we will continue to live with and something we should embrace,” he wrote.


Mr Levinsohn is expected to address Yahoo employees at a meeting on Monday afternoon.

In April the company announced plans to make 2,000 employees redundant, a cutback of about 14% of staff, in an effort to save $375m (£233m) a year.

Mr Thompson also had plans to shut down or sell off about 50 of Yahoo’s products and services.

Before joining Yahoo Mr Thompson served as president of online payments firm PayPal from 2008.

He took over as chief executive from Tim Morse, who had held the Yahoo role on an interim basis after Carol Bartz was sacked in September 2011.

Besides its search engine, Yahoo’s key products include Yahoo News, photo-sharing site Flickr and a webmail platform.

But the company has struggled to match the advertising revenue generated by rivals Google and Facebook.

Yahoo’s stock has languished since it passed up a $44bn takeover bid from Microsoft in 2008.


Government Files First Criminal Charges In BP Oil Spill

Posted on 25, Apr | Posted by Michael R. Epperly, Esq.

As businesses have evolved and grown, so have the ways we communicate. It is no longer as simple as a letter, meeting, or a phone call. We send emails, have video chats, communicate with instant messages, and send text messages at an exponential rate. Have you ever stopped to consider how your company would respond to a preservation letter or discovery request covering every communication device in the company? More importantly, have you ever considered how effective your response would be?

In April, the first criminal charges were handed down in connection with the 2010 BP oil spill. Interestingly, they are not related to any of the acts that led to the explosion. Rather, they relate to the failure of a BP engineer to preserve text messages related to his observations following the explosion. This engineer is now charged with criminal obstruction of justice. The facts that led to these charges are summarized here.

It is at times like this that we have the opportunity to learn from others' mistakes. Reevaluate how communications between employees, management, and customers take place in your environment. Determine from your legal counsel whether new policies need to be written for maintaining emails, text messages, and other forms of communication, and for how long. Finally, identify a consultant who can help collect this data should the need arise.

Government Files First Criminal Charges In BP Oil Spill
By Eyder Peralta

“The first criminal charges in connection with the BP oil spill have been filed against a former BP engineer named Kurt Mix,” NPR’s Carrie Johnson reports exclusively.

Carrie just told our Newscast unit that Mix has been charged with obstruction of justice for allegedly deleting text messages after the spill. The texts were related to the amount of oil gushing into the Gulf. Mix will make his first appearance in court today.

Carrie adds that there has been an expectation that criminal charges would be brought against individuals, but this is the first person charged since the spill happened two years ago.

These are preliminary charges and a law enforcement official says there are more charges to come, Carrie reports.

Update at 12:59 p.m. ET. Operation Top Kill:

The Justice Department has now made the arrest and charges public, issuing a press release on its website. Essentially the Justice Department claims that Mix, who at the time was “a drilling and completions project engineer for BP,” deleted hundreds of text messages even after he was notified that he was legally obligated to preserve them.

In one instance on Oct. 4, 2010, Justice claims that Mix allegedly deleted about 200 messages exchanged with a BP supervisor. In it, Mix admits that a maneuver called Top Kill, in which BP injected heavy fluids into the well to try to stop the flow of oil, was failing.

“Too much flowrate – over 15,000,” one of the text messages read, according to Justice, which also said some of those messages were recovered forensically.

At the time, Justice adds, BP’s public estimate was 5,000 barrels of oil per day, “three times lower than the minimum flow rate indicated in Mix’s text.”

The Justice Department says if Mix is convicted of the charges he faces a maximum penalty of 20 years in jail and a $250,000 fine for each of the two counts of obstruction of justice.


FedEx Settles Charges of Causing, Aiding and Abetting Unlicensed Exports

Posted on 2, Mar | Posted by Christine L. Peterson, CPP, ISP

In 2010, Michael R. Epperly, Esq., who heads RMA’s Corporate Compliance consulting arm, wrote an insightful article that addressed the corporate compliance challenges that American companies face in the global marketplace. Through his experience as legal counsel, investigator, and consultant, he is acutely aware of the importance of a solid corporate compliance program to an organization and the penalties that can result from not having an effective program. In today’s business environment, your company’s corporate compliance program also needs to include vendors and partners.

To read Mike’s original article, go to Corporate Compliance & Ethics.

FedEx Settles Charges of Causing, Aiding and Abetting Unlicensed Exports

WASHINGTON – The U.S. Department of Commerce’s Bureau of Industry and Security (BIS) announced today that FedEx Express (FedEx), Memphis, TN, has agreed to pay a $370,000 civil penalty to settle allegations that it committed six violations of the Export Administration Regulations (EAR) relating to FedEx’s provision of freight forwarding services to exporters.

BIS alleged that on two occasions in 2006, FedEx caused, aided and abetted acts prohibited by the regulations when it facilitated the attempted unlicensed export of electronic components from the United States to Mayrow in Dubai, United Arab Emirates. The exports to Mayrow were thwarted when delivery was halted at BIS’s direction. On June 5, 2006, BIS had issued a General Order imposing a license requirement with a presumption of denial for the export or reexport of any item subject to the EAR to Mayrow General Trading and related entities. The General Order was issued based on information that Mayrow and the related entities were acquiring electronic components and devices that were being used in Improvised Explosive Devices deployed against Coalition forces in Iraq and Afghanistan.

BIS also alleged that in December 2005, FedEx caused, aided and abetted acts prohibited by the regulations when it facilitated the unlicensed export of flight simulation software to Beijing University of Aeronautics and Astronautics, a/k/a Beihang University, an organization listed on the U.S. Department of Commerce’s Entity List and located in the People’s Republic of China. The Commerce Department’s Entity List contains a list of names of foreign persons – including businesses, research institutions, government and private organizations, and individuals – that have been determined through an interagency review process to have engaged in activities contrary to U.S. national security and/or foreign policy interests. These persons are restricted from receiving items subject to U.S. jurisdiction.

Lastly, BIS alleged that on three occasions in 2004, FedEx caused, aided and abetted acts prohibited by the regulations when it facilitated the unlicensed export of printer components from the United States to end users in Syria. Facilitating the export of commodities to Syria without the required U.S. Department of Commerce export license was prohibited under General Order No. 2 as set forth in Supplement 1 to part 736 of the EAR.

The Commerce Department Assistant Secretary for Export Enforcement David W. Mills said, “It is vital that every stakeholder in the U.S. exporting chain remain vigilant in its efforts to prevent prohibited transactions that may be detrimental to our national security, and each will be held accountable if it fails to do so.”
