FLAWLESS COMPLIANCE

John Weathington, Compliance Consultant

Flawless Compliance (tm): A free monthly newsletter on today's compliance issues, ideas, and solutions, based on the consulting work done by John Weathington for Excellent Management Systems, Inc.

This and back issues of this newsletter are archived for free viewing at http://www.excellentmanagementsystems.com.

Copyright 2008 John Weathington. All Rights Reserved.

Issue No. 12, December 2008

Inside This Issue: The Best of 2008!

  • What in the World?: Scholarly Sharpshooters (from April 2008, College Students Fight to Carry Firearms)
  • Center Stage: Adding Privacy to your Control Program (from June 2008, An Introduction to GAPP and How to Leverage In Privacy Control)
  • Hello Rubber, Meet the Road: Anti-Corruption Compliance (from July 2008, What a Lovely Bribe)
  • In The Soup: Criminal Crime-Fighter Gets Crucified (from March 2008, A Superhero's Demise)
  • The Gag Reel of Life: Frozen Grand Central (from February 2008, What to Do When Things Don't Make Sense)

This issue represents the Best of Flawless Compliance for 2008. I've selected the best articles based on interest and feedback from the readership, and added a short commentary of my own to each selection. I hope you enjoy this compilation, as we reflect back on the year of 2008.

Scholarly Sharpshooters

This article comes from the April 2008 issue, when college campus shootings were big headlines. At that time, an organization called the Students for Concealed Carry on Campus (SCCC) was pushing for a student's right to carry guns on campus. This served as a great backdrop to illustrate the way I frame controls.

College Students Fight to Carry Firearms

Students rally for their rights to carry firearms on campus.

College students say they’ve had enough, and are ready to bear arms.

According to NPR, the recent fatal injuries sustained at colleges in Illinois and Virginia have prompted 12 states to consider legalizing handguns on college campuses. This and other related movements are being propelled, in part, by the Students for Concealed Carry on Campus (SCCC). Stephen Feltoon, one of the organization’s directors, says, “The Illinois shooting made people realize college campuses aren't as safe as administrators would have them believe.”

Feltoon and company have a good case. They’re not asking for any special gun-carrying privileges because they’re students. They would gladly follow all the normal state and federal laws that are required for wielding a firearm. In fact, most of the members of the SCCC already have a license to carry a firearm. The restriction is with the college campuses – firearms are not allowed on the premises. Their argument is quite familiar: if you outlaw firearms on campus, then the only firearms on campus will be held by the outlaws.

  • Do the colleges have a good control in prohibiting firearms on campus?
  • Do the students have a good proposed control in allowing students to carry handguns on campus?
  • Is there something better that should be considered?

Let’s analyze this using our familiar objective, risk, control framework, and see what we come up with.

The objective in this case is to have a safe learning environment for our college students. This has always been the overriding goal of our institutions of higher education, and until recently it seemed that the goal (from a safety standpoint) was relatively risk free. Until …

The risk of some nutcase student sneaking onto campus with a firearm and opening fire suddenly appeared. If you’ll remember, risk equates to uncertainty, so actually this risk always existed. It seems recently, however, that the probability that this risk event will occur has increased. Since the impact of this risk can be severe or fatal injuries, it needs more attention.

To parallel with an extreme, there is also a risk that a stray meteor will crash into the college. The impact would probably be even more devastating than our lunatic student mafia; however, the probability is so remote that the colleges probably have not invested in any equipment to monitor meteor impacts, or organized any meteor collision evacuation procedures.

So to control this risk, the colleges have decided to prohibit firearms on campus. The control proposed by the students, on the other hand, is to allow students to carry concealed firearms on campus.

When analyzing controls, it’s useful to use the dimensions of timing (before or after the risk event occurs) and cause/effect of the risk event. If we combine all the permutations, we can classify controls into four categories:

  1. Corrective Control: A Corrective Control is a control that addresses the cause of the risk event, after the risk event occurs.
  2. Adaptive Control: An Adaptive Control is a control that addresses the effect of the risk event, after the risk event occurs.
  3. Preventative Control: A Preventative Control is a control that addresses the cause of the risk event, before the risk event occurs.
  4. Contingent Control: A Contingent Control is a control that addresses the effect of the risk event, before the risk event occurs.

A useful example is that of a building on fire. Here are some options for controlling the risk that your building catches on fire:

  1. Corrective Control: Fire Extinguisher. You are treating the cause (fire), and the risk event has already occurred.
  2. Adaptive Control: Rebuild. The event (fire) has already occurred, and you are addressing the effect (destroyed building).
  3. Preventative Control: Secure and Contain Combustible Materials. The event hasn’t occurred yet, and you are treating the cause (the fire).
  4. Contingent Control: Buy Insurance. The event hasn’t occurred, and you are treating the effect (destroyed building).

As a rule of thumb, you want to shoot for Preventative Controls. These are the best types of control, because they’re put in place before the impact of the risk event is realized, and they address the root cause of the problem.

So, what about our college regulation of not allowing firearms on campus? Well, let’s back up a bit. The effect is severely or fatally injured students, and the cause is crazy kids with firearms. The timing is certainly before any risk event occurs (it’s not reactive), and the control is going after the cause (firearms) and not the effect (injured students). This would actually be an ideal Preventative Control except for one thing – it seems to be ineffective. Controls only matter if they are effective controls. The lesson here is that you should always test your controls to make sure they’re effective.

Okay, what about the SCCC’s proposal to allow college students to carry concealed firearms on campus? Well, we’re still going after the cause (crazy kids with guns), but this time we’re treating the cause after the risk event has occurred. This is a Corrective Control, which is not ideal, but if it’s effective, then it’s better than the ineffective control in place today.

For the sake of completeness, let’s take a look at some other types of controls for this situation. An Adaptive Control would come after the fact, and would address the effect (severely or fatally injured students). Examples would be counseling for the families, or rushing the severely injured students to the hospital. A Contingent Control would also address the effect, but in anticipation of the shooting. An example Contingent Control would be establishing an on-campus emergency center outfitted to handle severe injuries, including gunshot wounds.

My conclusion is that the colleges are going in the right direction by trying to prevent the risk from occurring. However, they need to figure out a better way to make their controls effective. Some ideas might include teaching teachers and students how to recognize aberrant behavior, and/or increasing their capacity for detecting students who are carrying firearms.

Feltoon, I admire your cause, but I think there’s a better way to handle the situation.


Adding Privacy to your Control Program

This article comes from the June 2008 issue, and provides a very thorough introduction to privacy controls, including a step-by-step plan for reinforcing your control program to include privacy concerns. Privacy issues will undoubtedly be a strong concern continuing into 2009, so this advice is still very timely.

An Introduction to GAPP and How to Leverage In Privacy Control

Earlier this month, I wrote an article for Quest Software entitled “Solving for Data Privacy”, a piece targeted at IT people that introduced some concepts around how to architect a solution for controlling data privacy. The article was inspired by a webcast I had previously seen on GAPP (Generally Accepted Privacy Principles). This is a new set of principles from the same people that brought us the more popular GAAP (Generally Accepted Accounting Principles): the American Institute of Certified Public Accountants (AICPA) and its Canadian counterpart, the Canadian Institute of Chartered Accountants (CICA).

The new GAPP rules were created in response to the growing concern around data breaches in our country, and in the rest of the world. As I mentioned in my Quest article, an informal poll was taken while the webcast was going on, and nearly 50% of the respondents affirmed that their company had experienced a data breach in the last two years. This is astonishing. I assumed the number would be high, but to be honest, not this high. I think it’s important for companies to start taking data privacy a little more seriously.

The GAPP framework contains 66 principles across 10 different categories. From the GAPP website, located at http://infotech.aicpa.org/Resources/Privacy/Generally+Accepted+Privacy+Principles/, here are the categories and their intent.

  1. Management - The first principle of the Generally Accepted Privacy Principles (GAPP) is Management. This principle requires that the entity define, document, communicate, and assign accountability for its privacy policies and procedures.
  2. Notice - The second principle of the Generally Accepted Privacy Principles (GAPP) is Notice. This principle requires that the entity provide notice about its privacy policies and procedures and identify the purpose for which personal information is collected, used, retained, and disclosed.
  3. Choice and Consent - The third principle of the Generally Accepted Privacy Principles (GAPP) is Choice and Consent. This principle requires that the entity describe the choices available to the individual and obtain implicit or explicit consent with respect to the collection, use, and disclosure of personal information.
  4. Collection - The fourth principle of the Generally Accepted Privacy Principles (GAPP) is Collection. This principle requires that the entity collect personal information only for the purposes identified in the notice.
  5. Use and Retention - The fifth principle of the Generally Accepted Privacy Principles (GAPP) is Use and Retention. This principle requires that the entity limit the use of personal information to the purpose identified in the notice and for which the individual has provided implicit or explicit consent.
  6. Access - The sixth principle of the Generally Accepted Privacy Principles (GAPP) is Access. This principle requires that the entity provide individuals with access to their personal information for review and update.
  7. Disclosure to Third Parties - The seventh principle of the Generally Accepted Privacy Principles (GAPP) is Disclosure to Third Parties. This principle requires that the entity disclose personal information to third parties only for the purposes identified in the notice and only with the implicit or explicit consent of the individual.
  8. Security for Privacy - The eighth principle of the Generally Accepted Privacy Principles (GAPP) is Security for Privacy. This principle requires that the entity protect personal information against unauthorized access (both physical and logical).
  9. Quality - The ninth principle of the Generally Accepted Privacy Principles (GAPP) is Quality. This principle requires that the entity maintain accurate, complete, and relevant personal information for the purposes identified in the notice.
  10. Monitoring and Enforcement - The tenth principle of the Generally Accepted Privacy Principles (GAPP) is Monitoring and Enforcement. This principle requires that the entity monitor compliance with its privacy policies and procedures and have procedures to address privacy-related inquiries and disputes.

If you have any familiarity with compliance programs, these categories shouldn’t come as a big surprise. Your data privacy control program will be very similar to the rest of your compliance programs. In fact, when constructing your privacy program, think about how you can leverage it into the other compliance programs (e.g. SOX) that you have today.

Step #1: Start by Reinforcing your Policies and Procedures

You probably have some policies and procedures already built to comply with other regulations. This is a great place to start. Go through your policies and procedures to determine where sensitive data is collected. Then, fill in the gaps from a holistic point of view. Every place that sensitive data is collected should be documented.

Step #2: Build in Notice, Consent, and Retention Guidelines

Next, fortify your data privacy practices. Now that all the entry points have been identified, ensure that proper notice is given, and consent is obtained, whenever sensitive personal information is collected. This can be a work in progress until the entire program is instantiated. For instance, you can start with just the framework of a notice, then flesh things out as the program execution unfolds.

Step #3: Reinforce your Data Systems

This is the Achilles’ heel of most privacy programs. You must be absolutely sure that there are no weaknesses in the protection of your private data. This involves physical data (e.g. records in file cabinets), but the biggest vulnerabilities lie in your logical data systems. Ensure access control is adequately addressed, and that preventive controls are in place to deny access to intruders. Although corrective controls (controls that are put in place after the incident has occurred) are good, preventive controls are a must. Once the data has been breached, most of the damage has already occurred. Also, keep in mind that 80% of your risk will come from inside your own company. Although protecting your data from hackers is important, focus most of your energy on avoiding inside jobs.

Step #4: Update Your Compliance Control Plan

You do have a compliance control plan, right? Since you’re reading this, I’m going to give you the benefit of the doubt. Item 10 above, Monitoring and Enforcement, is absolutely critical. Once you baseline your compliance program, you need to monitor it to make sure it’s staying under control. Data privacy controls are no exception. These should be folded in with the rest of your continuous monitoring.

Data privacy is a serious issue these days. The FTC settled 14 cases with companies that had insufficient data privacy practices. In almost all cases, the result was a mandatory, bi-annual security audit for the next 10 to 20 years. Don’t let this be you. Start setting up your privacy control program today.


Happy Holidays, and Have a Prosperous New Year!

John Weathington

I hope this holiday season finds you in good spirits, and that you have an eventful and prosperous new year. Although things may have seemed challenging in 2008, we are still living in one of the most exciting and promising times in history. As 2008 passes, take some time to jot down some of the lessons that you have learned. These lessons will serve as valuable guidance as you move forward. Take care, and I look forward to connecting with you in 2009!

Anti-Corruption Compliance

This article comes from the July 2008 issue. It addresses the Foreign Corrupt Practices Act (FCPA), which continues to make compliance headlines today. In this article we not only cover the basics, but, as with all the articles in this section, provide a very practical approach to addressing this serious compliance issue.

What a Lovely Bribe

Anti-corruption policies like the Foreign Corrupt Practices Act (FCPA) are making big waves these days. Companies like AGA Medical Corp and Faro Technologies are getting hit with fines in the millions of dollars, because their business practices with foreign officials are coming into question.

The need for an anti-corruption compliance program is unequivocal these days. Trying to operate a global business without one is like walking a tightrope without a net. One wrong move, and you could see yourself facing a lot of trouble.

I’d like to show you how easy it can be to put together an FCPA compliance program, exploring some ideas that will bring it into reality. As usual, I must disclose that I am not a lawyer, so this is not legal advice. Furthermore, if you know anything about me, you know what I’m about to say: FCPA is no different than any other type of compliance.

If you are having problems getting started or maintaining an FCPA compliance program, the law aspects of it are not your problem. Of course, you need a lawyer that understands the FCPA laws, but to be honest, that’s the easy part. The hard part is organizing a system that works. Hopefully, I can help you get a little traction on this.

Step #1: Find Good Legal Guidance

As I said, this is an easy first step. Your lawyer is going to drive the requirements, making sure that all your activities lead to an effective program. If you don’t have this in-house, you will need to outsource. Plan on a good amount of involvement from your legal guidance. If possible, find a lower-cost paralegal that understands the regulations well, and has the time and availability to work closely with your team. Avoid the situation where legal guidance has limited involvement at targeted periods of time. On the surface it may sound like a reasonable and inexpensive option, but this will backfire, causing the rest of your resources to spin unnecessary cycles in wasted work.

Step #2: Assemble a Good Project Team and Create a Project Charter

A good project team will include a project manager, your legal representative, and a number of good process analysts. If you will be using technology (highly recommended), you also need a number of good developers, including application programmers and database specialists. Your project team should be championed by an executive that has a stake in the outcome. If that is not you, make sure you assign somebody that will be willing to provide guidance, support, and clear obstacles in the organization.

As with any project, start off with a solid Project Charter. Your project charter should explain the business case, opportunity for increased compliance, the goal and scope of the project, a high-level timeline, and the team members.

Step #3: Know the FCPA Basics

Make sure everybody on your team (not just the lawyers) knows the basics of FCPA compliance. It’s really not that hard. According to the DOJ, an FCPA violation is composed of five different parts:

  • Who – The person benefiting from the corrupt act. That’s you – don’t overthink it.
  • Corrupt Intent – Intent is a difficult thing to quantify, but any representative of the Who part of the equation, that has the intention of committing a corrupt act, is on their way to a violation. It’s important to understand that the act doesn’t need to succeed – just the mere intent is enough to qualify.
  • Evidence of Payment – Of course for a violation to exist, there must be some sort of evidence of pay-off, however as stated above even a promise to pay, or evidence of an offering can constitute a violation.
  • Recipient – The recipient must be a foreign official. This is where your legal guidance will come in handy. A “foreign official” can mean many things, and needs contextual interpretation based on the country in question. Don’t just arbitrarily assume it’s somebody in government office. In China for instance, any head of a government-controlled commercial enterprise would still be considered a “foreign official.”
  • Business Purpose Test – For what reason is the payment? If it was a pay-off for obtaining or retaining business, or directing business toward the Who, bingo – violation. Like the Corrupt Intent component, this is a “smell test” component that you should not ride the fence with. Keep it real clean with no grey area, to stay out of trouble.

It’s also worthwhile to note that trying to route bribes through a third party is a no-no as well, so this needs to be communicated and acknowledged. As noted below, this will be a significant risk area that you will want to concentrate on. Even if a corrupt act is committed by a third party without your knowledge, you can still be held liable.

Step #4: Build and Execute Your Plan

As noted above, third parties will be a key risk, so take extra care to control this risk. Ensure that your channel partners and distributors are not in violation of FCPA regulations by making it part of your project plan to inspect their FCPA compliance programs. Also, consider building a third-party control monitoring program to ensure continued compliance.

Also, plan to create a policy that addresses FCPA concerns. Spell out in detail what your compliance guidelines are, and why they are important to the company. Include project milestones for the training and education of all employees who will be dealing with foreign officials.

Since the definition of a foreign official is a vague and risky area, consider maintaining a database of known officials. Business that is conducted with these entities should be flagged as high-risk, and appropriate controls should be exercised to limit exposure. As business with a new entity is encountered, a screening process should be in place to identify potential risks with the recipient. These screens must be extremely proactive, as the mere intent of a corrupt act can put you in violation.

FCPA and other anti-corruption policies are serious business. By getting good legal advice, assembling a good project team, and communicating the basics, you can effectively construct a solid compliance program. Finding legal counsel is a good starting place, and can be done immediately. Don’t waste time with this one.


Criminal Crime-Fighter Gets Crucified

From the March 2008 issue, Spitzer was my all-time favorite Soup star. Boy, I had a fun time writing this article! I just couldn't resist the "Batman" theme when putting this together. I still get a kick out of watching flashback coverage of Mr. Spitzer's press conference, with his wife standing next to him, plotting how to finish him off!

A Superhero's Demise

Eliot Spitzer and Wife Silda
New York State Gov. Eliot Spitzer is joined by his wife Silda as he makes a statement to reporters during a news conference Monday, March 10, 2008 in New York. (AP Photo/Mary Altaffer)

Oh, Eliot, what have you gotten yourself into now?

Mr. Spitzer is definitely in the soup. The 48-year-old Batman of Wall Street seems to have fumbled fatally, flirting with a femme fatale.

Will the Guilty Governor Get Off, ... again?

Can the Past Public Prosecutor Prevent Pandemonium?

You don't have to tune in next week to figure this one out.

Client #9 is done. His case is closed.

For those of you living under a rock, Governor Eliot Spitzer was just nabbed for his involvement in a prostitution ring. He allegedly gave some Jane named "Kristen" $4300 to settle up his account, and put a down payment on future services.

I guess the subprime mess is overflowing into the prostitution business, as pimps are tightening up their credit terms. Collecting their money up front is a smart move that will surely improve their DSO (Days Sales Outstanding). I digress...

The call-girl business, known as the Emperors Club VIP, was obviously a very high-end joint, with fees as high as $5,500 an hour for the "7-Diamond" girls. Wow!

There's a very important compliance lesson we can extract here, so pay attention. Eliot spent his time as Attorney General crusading against this very type of situation, making it his personal mission to send the wrong-doers away, and restore justice to the American public. In doing so, he got very intimate with these types of operations.

As you explore risks in your quest for total compliance, you too will become very familiar with the system -- more familiar than most. It can become very tempting to flip your morals around, and exploit a set of risks instead of trying to control them. I hope these thoughts never enter your head, but if they do, I hope the story of Eliot Spitzer comes to mind.

If I'm Eliot, I'm not worried about the New York villagers coming after me with torches lit. I'm not even worried about the Wicked Witch of the Democrats hexing me with the Clinton Spell of Doom.

If I'm Eliot, I'm more worried about falling asleep next to Silda. As if things weren't bad enough, all this "Kristen" business happened the day before Valentine's day!

Can you imagine?

If I show up with the wrong Valentine's Day card, I'm in the soup. This guy gets caught handing a prostitute $4300 cash!

The picture above tells all. I can just see Silda's wheels turning on the perfect way to inflict the most amount of pain over the most amount of time.

"Holy Wiretap, Batman. Looks like the jig is up!"


Frozen Grand Central

From the February 2008 issue, this video is still great fun to watch! They (Improv Everywhere) have done more great stunts since then. Be sure to check them out; great fun!

What to Do When Things Don't Make Sense

Life unscripted is so much more entertaining than scripted comedy, and here's a great example given to us by Improv Everywhere, a New York based prank collective. Their latest stunt? Have about 200 people just freeze in the middle of Grand Central Station. It's hilarious to see real life in action; people trying to process something that doesn't make any sense. Take a look at this 2 minute clip of the prank:

Improv Everywhere's Frozen Grand Central Prank
Available on YouTube at http://www.youtube.com/watch?v=jwMj3PJDxuo

On your compliance projects, be prepared for situations when things just don't make sense. It's called cognitive dissonance when what you are observing doesn't add up to what you know of the situation. Let's hope this doesn't happen within your project team, but it very well can happen with stakeholders, especially those on the periphery of your effort.

In almost all cases, the root cause here is communication. You are missing an important piece of information. In the example above, the unknowing people at Grand Central Station were not in on the prank, so things didn't make sense. The whole industry of magic and illusion is based on this principle -- they just don't give you all the information. If the secret is revealed, everything makes sense again.

If you notice cognitive dissonance in a person or group that can be influential to the success of your project (like the board of directors), you've got to act immediately. Confront the issue right away with a platform of honesty and transparency, explaining that your project cannot succeed unless all the information relevant to the project is made available. Be assertive if necessary.

And if your stakeholders go into catatonic shock, don't worry. The joke might be on you!

Always Please Remember
Always please remember to buckle up. It could save your life.

© 2008 John Weathington. All Rights Reserved. This publication is so copyrighted, it's not even funny. However I encourage you to share it, whole or in part, with proper attribution.