Inside information for the asking

serving a term of imprisonment in the US Federal Penitentiary for bank robbery. In an interview for 'Security Management', Mr Gregg stated:

Point to note

"Whatever system you, the reader, use, probably at one time or another I have requested and received all of the information necessary to defeat it. I was able to do this simply by writing to companies asking for the information and telling them I was a freelance writer who wanted to do an article on their products. My credentials were never checked. No effort was made to see if I really was who I said I was. Out of a test sample that I once made of 10 companies only one request was denied".

It is clear that Mr Gregg knows what he is talking about. In some of his manuscripts he outlines the way that domestic TV, radio and other devices containing permanent magnetic speakers can be turned against their owners and become live bugs. He is strong on the use of conductive paint to link up telephone intercepts and to tap into computer systems before the data hits encryption modems. His knowledge of the international electricity grids is also impressive, and he suggests that the constraints that debugging experts take for granted are seldom present in practice. For example, as many readers will know, it is possible to use a simple bugging device that plugs into the 'ring main' of buildings. The mains current is then modulated by the imposition of frequencies derived from the device.

Imaginary barriers

A simple listening device is then plugged remotely into the ring main and conversations can be overheard. Many believed these devices were of limited use simply because transformers placed by the supply companies in the lines blocked onward transmission of voice (or data) signals. Mr Gregg's homework shows this is not the case, and that modern transformers have a bypass mechanism that allows the modulations free passage. He points out that what works for voice interception and bugging also works for data transmissions... again with a strong emphasis on conductive paint. So if you were wondering why the skirting boards in your office building have been repainted a bright shade of green, this may be the answer. We are writing to Mr Gregg to see if he will contribute a regular column to the Bulletin. We think he might - if he has the time!
FOREIGN CORRUPT PRACTICES ACT IMPACTS US DP

US data processing managers have a new concern. "The Foreign Corrupt Practices Act of 1977 could apply to your business even if you are not corrupt or operating outside the US", Fred M Greguras announced at a recent ACM meeting in the Mid-West. Greguras is a partner with the national law firm of Kutak, Rock and Huie based in Omaha, Nebraska, and specialises in computer law. A close reading of the Foreign Corrupt Practices Act has revealed important consequences for US data processing management. Greguras pointed out that the law applies to any publicly held corporation.

Volume 3 Number 9 © Elsevier Sequoia SA, Lausanne, Switzerland

You may be breaking the law without knowing it

He added, "A publicly held company is required to keep accurate records and to maintain internal control systems to safeguard a company's assets against unauthorised use or disposition. A problem resulting from a data processing performance failure might be evidence that your internal controls are weak, with the result that your business may be in violation of the law, even though no corrupt or fraudulent events have taken place".

Mr Harold M Williams, Chairman of the Securities and Exchange Commission, has said that the internal controls system must be "reasonable under the circumstances". Mr Greguras said that this has several implications for data processing managers. The first is the failure to act, for example the failure to have any contingency plan. Should a computer failure cause, for example, a breach of contract which in turn resulted in a material loss, stockholders might decide to charge the officers and directors with negligent failure to act. Greguras believes that the presence of a feasibility study of alternative contingency plans would serve as a defence. "If the study were conducted by competent consultants, periodically updated and thoroughly reviewed by management, its conclusions as to which alternative to employ should have substantial evidentiary weight", he added.
Reasons for a choice must be documented

"The important point to remember", Mr Greguras concluded, "is that it is not enough for decision-makers to feel comfortable in their choice of contingency planning alternatives; the decision and the rationale should be documented. In litigation, a business would have to prove that it acted reasonably. Reasonableness is an elusive standard, a cost-benefit analysis, which will be determined in most instances by an examination of specific circumstances rather than general principles". In other words, a cost-benefit analysis conducted with due care can be used as a standard for reasonableness.
Personal liability

We believe that this means one cannot simply assert that the contingency plan is OK; one must be able to demonstrate that an analysis has been performed to determine which of all the available alternatives is the most cost-effective. Furthermore, one cannot simply do "what everyone else is doing" in lieu of an evaluation of specific local conditions. There is a final point. While a corporate director is not usually personally liable on a contract, he can be held personally liable for negligence or for violation of specific state and Federal laws. Mr Greguras pointed out that "Shareholders may bring a suit for economic injury to the corporation on its behalf against directors and officers and others when the corporation cannot or will not bring the suit itself". Depending on their position in the organisation, the DP or MIS directors might be included in the ranks of liable officers and directors, particularly in smaller firms.

BEATING THE JARGON

At a recent conference, a number of audit delegates complained that they found it difficult to penetrate the veil (some would say shroud) of secrecy put up by some DP people around what they do. One recently appointed auditor complained that he had had particular difficulty in a two-hour discussion with data processing staff and had been so confused at the end that he had been unable to prepare the customary company file note. "I could just as easily have been talking to the Martians", he said. "After ten minutes I was completely lost". The auditor was particularly baffled by the DP jargon, but when asked why he had not stopped the discussion as soon as he lost the thread, replied "because I would have appeared ignorant". The