Federal Sentencing Guidelines: An Update On Important New Information Security Liabilities
Sanford Sherizen, Ph.D., CISSP

Note: This analysis contains recommendations on management strategies. Those recommendations are not offered as legal advice.

SENIOR MANAGEMENT ALERT

November 1, 1991 will be remembered as a hallmark event for senior executives. On that date, the guidelines which govern the sentencing of organizations convicted of violating federal criminal law went into effect. As a result, the security rules for management changed dramatically.

Previously, senior executives often were able to assign security to someone in the organization and, if there were legal problems, attempt to mount a defense based on the notion that security was not part of their direct responsibility. That "ostrich defense" has been challenged, if not undercut, as a result of the Federal Sentencing Guidelines.

The Federal Sentencing Guidelines contain clear messages that senior management must prevent, detect, and report crimes. According to the Guidelines, "high level personnel" and "substantial authority personnel" now have to explicitly consider crime control as an important responsibility on which they will be judged. Unless an organization has instituted an effective crime control program that meets the legal standard, there could be serious financial and other liabilities affecting individuals as well as organizations.

Management has serious potential legal exposure where organizational misconduct or offenses are found. Punishments include high fines and even corporate probation. Recently, the U.S. Sentencing Commission proposed expanding the types of crimes covered under the Guidelines to include computer-related acts. This could dramatically increase the number of computer-related cases processed under the Guidelines, beyond those that have already been handled.

The message to management is clear. With so much financial crime now computer-based, crime control programs, including computer crime prevention, are an absolute requirement today.

WHAT ARE THE FEDERAL SENTENCING GUIDELINES?

The Federal Sentencing Guidelines are rules for Federal judges on how to provide appropriate punishments for individuals and for organizations violating Federal statutes. The first set of Guidelines was developed by the U.S. Sentencing Commission to establish appropriate punishments for individuals.

After a five-year effort, the Guidelines directed toward organizations went into effect in 1991. The stated goals of these Chapter 8 organizational guidelines were to "provide just punishment, adequate deterrence, and incentives for organizations to maintain internal mechanisms for preventing, detecting, and reporting criminal conduct."

The Guidelines state that organizations have a responsibility to "maintain internal mechanisms for preventing, detecting, and reporting criminal conduct." These rules apply to corporations, government agencies, not-for-profits, unions, and other organizations. The Sentencing Commission has suggested that the Guidelines will apply to a majority of all organizations which are convicted of Federal violations.

The Guidelines make an organization potentially liable for all criminal acts of its employees and other agents. Agents of an organization include independent representatives, consultants, brokers and others who are in a position to carry out an organization's functions.

Thus, the Guidelines represent a legal challenge with wide applicability to a variety of organizations and their working personnel. The Guidelines also represent a management challenge on how to survive in an increasingly complex business environment.

WHY ARE THE GUIDELINES IMPORTANT?

The Guidelines clearly establish the Federal Government's growing concern with fighting white collar and other economic crimes. Government is now forcing businesses and other organizations to face the seriousness of these crimes. Ethics statements and policy announcements alone are no longer considered sufficient. Specific actions and effective programs will be the measure by which an organization is evaluated. Faulty judgement calls by management, and/or an environment which allows agents of the organization to make such judgements, may come to be treated as punishable events.

The Guidelines provide a model program which senior management needs to establish in order to show that crime prevention is an organizational concern. There are now carrots (incentives) and sticks (disincentives) to involve senior management in fighting crime. There are also new requirements which now oblige organizations to report criminal activity rather than simply letting someone go quietly, especially if the person is a high executive or has committed what outsiders could consider an embarrassing crime.

HOW ARE THE GUIDELINES IMPORTANT TO INFORMATION SECURITY?

Since so many workplace activities are now computer-related and since information is the key resource for many organizations, the computerization of many traditional crimes has become a major problem. In reality, many of the fraud crimes which the Guidelines cover are, in essence, computer crimes, even if they have not been so defined specifically under the law.

More recently, the Guidelines achieved a more direct relationship to information security issues. The Sentencing Commission addressed computer crimes by offering an amendment regarding computer-related crimes. The Commission sent to the Congress Amendment 7, Computer Related Offenses: Theft of Trade Secrets. The amendment has an effective date of November 1, 1997 unless modified or rejected by Congress. According to the Commission, this amendment:

  1. provides "more effective punishment" of computer-related offenses;
  2. covers an offense of extortion by threats of damage to certain "protected computers";
  3. covers offenses involving economic espionage and theft of trade secrets; and
  4. provides a minimum guideline sentence of six months' imprisonment for convictions under the Federal computer crime law.

The recognition of computer-related offenses can serve to increase the power of the Guidelines to meet this increasing threat.

Even prior to Amendment 7, however, the minimum requirements of what the Guidelines define as an effective program to prevent and detect violations of the law also applied to the complexities of the computerized office. Consider, for example, the concept of care in delegating authority. An organization "must have used due care not to delegate substantial discretionary authority to individuals whom the organization knew, or should have known through the exercise of due diligence, had a propensity to engage in illegal activities." Management decisions on access controls, authorization levels, and other essential information security considerations affect who has discretionary authority as well as how organizations structure their control and supervisory mechanisms over employee activities. Given the do-more-with-less emphasis in today's downsized environment, these decisions are critical to keeping an organization from incurring large legal costs as well as other negative business consequences.

The Guidelines are only one of a number of legal changes which indicate that computer crime prevention is increasingly becoming a requirement rather than a choice. As computer crime becomes recognized as a dangerous crime, information security will become a focal point for many strategic, legal, and functional issues.

HOW CAN THE FEDERAL SENTENCING GUIDELINES AFFECT ME AND MY ORGANIZATION?

The Federal Sentencing Guidelines, with their serious punishment potential, should create a major change in senior management views. Fines can reach as much as $290 million, and the court can also impose corporate probation, under which it supervises an effective compliance program for the organization.

The formula for determining a fine requires the judge to multiply the "base fine", which is generally determined by the seriousness of the offense, by a multiplier, which is determined by an organization's "culpability score." The "base fine" may consist of the greater of a company's gain, the victim's loss, or a dollar amount corresponding to an "offense level". The "culpability score" is used to determine the range within which the judge can increase or decrease the "base fine".

Federal judges can multiply fines as much as 400% or reduce them by up to 95%, depending upon specific factors, many of which partially depend upon how an organization has responded to the Guidelines prior to the violation. Thus, a company could be fined between $250,000 and many millions of additional dollars, depending upon whether it played an active role in promoting the crime and its degree of cooperation with the Government. In addition, there is a possibility for a shareholder suit alleging that the directors and officers were negligent in not taking the simple but important step of developing an effective compliance program that could have saved the company from these problems (and costs).

The "culpability score" starts with 5 points and may be increased based upon the judge's determination of the involvement of top officials, prior violations, and obstruction of justice. The score can be decreased based upon the judge's findings regarding the existence of an effective program to prevent and detect violations, voluntary disclosure to the appropriate authorities, cooperation with an investigation conducted by the appropriate authorities, and acceptance of responsibility by the organization. Further points are considered for the size of the organization and management's tolerance of criminal activity.

One of the most effective ways to decrease "culpability scores" and therefore lower financial penalties is to have an effective program to detect and prevent violations of the law. The Guidelines indicate what is required for such a program.

STRUCTURING A PROGRAM TO MEET THE GUIDELINES

In order to fulfill the Guideline requirements, it is best to develop an effective program prior to a violation rather than after a violation has been found. Attorneys have indicated that a strong compliance program may avoid prosecution of the organization altogether, even if an employee does commit an offense. If there is prosecution, an effective program can lead to a reduction in mandatory fines. An effective program may also result in more favorable treatment in certain civil and criminal lawsuits. Finally, a pre-violation program can be structured to meet an organization's values and particular conditions. A post-violation program will have to meet stiff requirements set by the courts and be instituted rapidly as well as in a costly manner. The choice would seem to be evident.

An effective program requires, at a minimum, the following elements (summarized):

  1. Establish compliance standards and procedures for employees and other agents that are reasonably capable of reducing the prospect of criminal conduct.
  2. Assign a specific high level individual with overall responsibility to oversee compliance with such standards.
  3. Make efforts to avoid delegating substantial discretionary authority to those with propensities to commit crimes.
  4. Develop methods for communicating standards and procedures, such as training programs and publications.
  5. Establish methods for achieving compliance, such as monitoring and auditing programs and/or reporting systems designed so that employees and others can report wrongdoing without fear of retribution.
  6. Create a history of consistent enforcement of standards.
  7. Institute ongoing modifications and improvements to the program when problems appear.

In addition to these program elements, prominent attorneys who are advising on how to meet the Guidelines are suggesting that an inventory of possible legal risks be developed for each organization. While the inventory is not explicitly mentioned in the Guidelines, these attorneys suggest that it is strongly implied. Without getting into the details of this interpretation of the Guidelines, it is important for an organization to conduct an inventory of risks which it faces. Factors to be considered include risks due to the nature of the organization's activities, possible violations that a monitoring program should concentrate upon, and "industry practices" regarding exposure and best practices.

WHAT SHOULD AUDIT, INFORMATION SECURITY, AND MIS PROFESSIONALS DO NOW ABOUT THE GUIDELINES?

The Guidelines offer an opportunity as well as a challenge. The opportunity is that the suggested program is available to serve as a model for meeting the requirements of the Guidelines. Information security and audit programs already collect much of the information needed by those who will coordinate the work of complying with the Guidelines. Further, computer crime prevention must be a key aspect of any crime prevention program today.

On the other hand, the challenge of meeting the Guidelines is similar to the challenge of getting senior management to support information security. Even when it is mandated by law and in management's own self-interest, it is often difficult to gain the resources and support from management necessary to make the program effective.

Avoid serious liabilities by reviewing whether your organization meets the Guideline requirements. The following are fundamental steps to be taken to determine whether and how your organization is in compliance:

  1. Conduct a "liability inventory" to determine how your organization could be judged under the Federal Sentencing Guidelines and other legal/regulatory approaches.
  2. Analyze liability trends in order to determine what emerging problem areas could affect your organization, thus requiring compliance attention.
  3. Determine the most appropriate management strategies which meet compliance requirements.
  4. Evaluate the "implementability" of compliance guidelines, policies, and/or procedures within your organization.
  5. Reinforce compliance and information security awareness messages throughout the organization by means of coordinated information security procedures, employee performance evaluations, management reviews, and other control mechanisms relevant to the Guidelines.

It is important for audit, information security, and MIS professionals to inform their management about the Federal Sentencing Guidelines and to assist as much as possible in establishing crime control efforts throughout the organization. Adequate prevention of crime today can result in substantial savings tomorrow. The assets you save may be your own.
The author would like to thank Jeffrey Kaplan, whose expert writings on the Guidelines are reflected in this analysis. Win Swenson, Deputy General Counsel of the Commission until his recent departure, as well as other Commission personnel were very helpful in providing information. Various information security, EDP audit, MIS and management experts have provided me with responses to an earlier version of this analysis. None of these parties are responsible for any conclusions or interpretations found in this document.

©Copyright 1997, Sanford Sherizen