MLB Computer Hacking Scandal – The Intersection of Compliance and Cyber Security

Thomas Fox - Compliance Evangelist

Sorry but I have to begin this blog post with a short prescript on the passing of Glenn Frey. The Eagles were such a huge part of my teenage and college years that I am compelled to write about Glenn Frey and the band he co-founded, which meant so much to me at that stage of my life. I missed the first incarnation of Crosby, Stills, Nash & Young but The Eagles were there when I was at my most angst-filled years. Before you ask, my favorite album was Desperado, with a Texan’s image of a long, long gone wild west. There were two tracks off that album that have stuck with me since that time. The first was Outlaw Man with its “woman don’t try to love me, don’t try to understand”. The second was the title track Desperado, and what I still think is one of the all-time greats with “Don’t you draw the Queen of Diamonds boy; She’ll beat you when she’s able; you know the Queen of Hearts is always your best bet.” It was all very powerful to one very confused boy. So good-bye to Glenn Frey, I hope you and David Bowie are partying to the end of time and rocking out in that great jam session in the hereafter.

Sometimes I get going on a topic and cannot seem to stop writing blog posts. Then there are times when I feel a roll coming on and just go with it. Today starts one of those rolls and it is around bribery and corruption in sports. Lord knows we have had enough of Fédération Internationale de Football Association (FIFA) and their ilk over the past 6 months or so. Then the world of international track and field waded into the fray, first in November with news that Russia has been running a state-sponsored doping regime (I am shocked, just shocked on that revelation) and even better, that the leadership of the International Amateur Athletics Federation (IAAF) was demanding extortion payments from Russian athletes, among others, to suppress positive doping tests.

We now have a guilty plea in Major League Baseball’s (MLB’s) bête noire, the computer hacking scandal involving the former director of scouting for the St. Louis Cardinals, Chris Correa, and those paragons of baseball, the Houston Astros. For those of you not familiar with this scandal, as reported by Michael S. Schmidt in the New York Times (NYT), in a piece entitled “Cardinals Face F.B.I. Inquiry in Hacking of Astros’ Network”, MLB asked the Federal Bureau of Investigation (FBI) and Department of Justice (DOJ) to investigate the hacking of the Astros after “some of the information was posted anonymously online. Among the details that were exposed were trade discussions that the Astros had with other teams. Believing that the Astros’ network had been compromised by a rogue hacker, Major League Baseball notified the F.B.I., and the authorities in Houston opened an investigation. Agents soon found that the Astros’ network had been entered from a computer at a home that some Cardinals officials had lived in. The agents then turned their attention to the team’s front office.”

Evan Drellich, writing in a Houston Chronicle article entitled “Guilty plea just the start in the hacking case”, reported that Correa is scheduled to be sentenced in April, in Federal Court in Houston. Correa has pled guilty to five counts of unauthorized access to computers belonging to the Houston Astros. Each of these counts carries a sentence of five years, but the plea deal reached with prosecutors calls for concurrent sentencing. Correa also agreed to pay restitution of $279,038.65. There was also a damage amount set at $1.7MM as “the intended loss inflicted on the Astros. That figure was calculated by Assistant U.S. Attorney Michael Chu and was based in part on the team’s amateur scouting budget.”

At his plea hearing earlier this month Correa rather amazingly said “he found information the Astros had stolen from the Cardinals”, although it was not clear if he found this alleged information before or after he hacked into the Astros’ computer system. Correa also said at the same hearing that he told others in the Cardinals organization of his discovery.

While at first blush this matter would not seem to have Foreign Corrupt Practices Act (FCPA) implications, there are some interesting lessons and analogies to be drawn from the case. The first is the institutional liability of the Cardinals and how they may have used the information illegally obtained by Correa. The article quoted local Houston attorney Joe Ahmad for the following: “While I suspect that maybe there was some institutional responsibility, there’s no hard evidence of it.” If Correa told someone up the chain in the Cardinals organization, it would seem the scandal went further than his lowly station. A somewhat overlooked part of Assistant Attorney General Sally Yates’ speech announcing the Memo under her name was that companies could not simply throw some low-level employee under the bus. Yates made clear that both she and the DOJ want companies to give up senior executives involved in illegal conduct. She said, “We’re not going to be accepting a company’s cooperation when they just offer up the vice president in charge of going to jail.” It remains to be seen if any higher-ups in the Cardinals organization were involved in this hacking.

Yet another lesson is around cyber security. One of my colleagues recently asked me what would be the next big area in compliance and I immediately answered: cyber. At Compliance Week 2014, there was a panel on the intersection of compliance and cyber security. At the time I did not grasp the convergence, but now I do. While compliance may not have the ability to block a cyber attack from, say, the Chinese military or a department of some other government, a corporate compliance function can and does have the wherewithal to design and implement a process, train on that process, incentivize employees to follow the process, monitor the effectiveness of the process and evolve the process as facts, circumstances and risks evolve.

Take the example of the Home Depot data breach from 2014. In an article in the NYT entitled “Warned of Risk, Home Depot Left Data Vulnerable”, Julie Creswell and Nicole Perlroth reported that the Home Depot data breach and theft was “The biggest data breach in retailing history” and it had “compromised 56 million of its customers’ credit cards.” How could such an event have happened even after the very public debacle endured by Target? “We sell hammers.” That was the excuse given by Home Depot managers when their own cyber security department employees would try to obtain budget to update cyber security software or even to put on training about the dangers of a data breach. Home Depot had been warned by its own employees of data security issues as far back as 2008. Yet a series of missteps, or perhaps more appropriately non-steps, led to Home Depot’s current problems. The article also reported that many cyber security focused employees in the company had departed over the years. The reason was that it appeared no one was listening to their concerns. The company simply refused to believe that it was at risk for a data breach.

So what lessons can be drawn for the anti-corruption compliance specialist who must deal with laws such as the FCPA? Both Home Depot and the Houston Astros failed to adequately assess their risk of a data breach. For the compliance practitioner, I think the lesson here is not only to understand your company’s business sales model, products and services and foreign government touch-points, but to reassess those risks on a regular basis.

For a YouTube video of The Eagles playing Desperado at a 1976 concert in Houston, which I attended, click here.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Thomas Fox - Compliance Evangelist
