
Katherine Lemire, Partner, StoneTurn

The #MeToo movement has sparked a national conversation about sexual harassment. We asked Katherine Lemire about the investigations used by organizations in response to harassment and criminal behavior.

A Partner at StoneTurn, former Federal prosecutor and previously Counsel to New York City Police Commissioner Raymond W. Kelly, Katherine and her team of experts assist businesses, government agencies, nonprofit organizations, and individuals in compliance, investigations, due diligence, risk mitigation, and dispute resolution.

You have overseen investigations into allegations of employee harassment. How common are they and at what point in the situation are you brought in?

It is difficult to say how common such investigations are because a proper investigation should be conducted in a confidential manner to the extent possible.  If the facts uncovered in the course of an investigation do not support the allegations, it is of critical importance that the reputation of the accused employee remain untarnished.  Even in those cases which result in findings supporting harassment allegations, the accuser also may voice concerns that he or she is not identified as the basis for the investigation.

In the best case scenario we are brought in soon after the allegations surface.  Federal law requires a prompt, thorough, and impartial investigation into allegations in the workplace.  Statutory requirements aside, prompt investigations serve as a bulwark against the inevitable erosion of witnesses’ memories.  Acting in a rapid, thorough, and unbiased manner when responding to allegations can also serve to boost the morale of employees who might otherwise believe that management does not view these workplace issues in a serious manner.

You have said that organizations are becoming more proactive about weeding out potentially illegal and unethical conduct before and after the commencement of a criminal investigation. Is harassment considered “criminal?” If not, does it signal potential criminal behavior?

Harassment can be considered criminal if it rises to the level of conduct violating law.  In New York State, for example, repeated unwanted contact, including repeated phone calls, can result in criminal charges.

Many corporations as well as government and non-profit organizations know they have harassment issues in the workplace. How could they have avoided that before making an important new hire?

Due diligence may reveal aspects of a prospective hire’s history which could serve as warning signs.  A solid due diligence investigation might include, for example, a review of the candidate’s social media postings, litigation history, and complaints filed with regulatory authorities.

What type of internal investigations does StoneTurn recommend for organizations to minimize and prevent harassment and similar issues?

The key focus should be on a prompt and thorough investigation conducted in an impartial manner.  Stalling in response to complaints and failing to interview particular witnesses could expose an organization to liability.  Likewise, to insulate itself from charges of bias and failing to conduct the investigation in a thorough manner, organizations should engage a firm specializing in this work to conduct the investigation.

A Partner with StoneTurn, Katherine Lemire is a former federal prosecutor in the Southern District of New York, where she investigated complex federal crimes. She also served as a prosecutor in the Manhattan District Attorney’s Office where she investigated and prosecuted a broad array of criminal cases from grand jury proceedings through trial. As Counsel to Police Commissioner Raymond W. Kelly, she provided advice and counsel on a wide range of sensitive matters affecting the NYPD, while overseeing management initiatives. Katherine and her team joined StoneTurn in 2018 after successfully operating Lemire LLC, a New York-based certified woman-owned business enterprise (WBE) specializing in compliance, risk and investigative matters, which she founded in 2013. 

This is the seventeenth in a series of interviews with experts whose work relates to online reputation management.

 
 
Kenneth Citarella

Cyber risk protection is a key aspect of reputation management for corporate leaders, high net worth individuals and their organizations. We interviewed Kenneth Citarella, Senior Managing Director, Investigations and Cyber Forensics at Guidepost Solutions to gain insight into the most common (and often surprising) threats they face. Guidepost Solutions LLC is a multinational investigations firm specializing in monitoring, compliance, international investigations, and risk management solutions. Mr. Citarella’s areas of expertise at the firm include computer crime and fraud.

What are some examples of cybercrimes you have seen that could have been prevented with better due diligence and proactive risk assessment?

We were retained to investigate problems at a firm after it had hired a new CFO to oversee the design and implementation of a new computer network. The new CFO hired a personal friend as a consultant on the project. Then they conspired to overbill the firm and monitor the emails of key personnel. Simple due diligence would have disclosed the relationship. Also, it is important to remember that due diligence on a third party vendor who will have access to your network must include their cybersecurity practices. One of the most publicly scrutinized attacks on a retail chain began through its HVAC vendor. Incidents such as these illustrate how important it is to be aware of your network’s vulnerabilities so you can identify and implement preventive practices.

How have the new technologies used by corporations changed due diligence methods — and where do you continue to see vulnerabilities?

Due diligence methods have not changed that much. Internet-based research has been around for years. But the objectives and scope have greatly expanded. For example, if you are acquiring a company, you are not only concerned with their profitability, personnel, facilities and other traditional qualities, but with their digital practices as well. Can your networks be integrated? Are data protection procedures equivalent? Are your BYOD policies the same? Questions like these have to be addressed so that you are at least aware of the risks you are assuming. These questions are as necessary as evaluating internal financial controls and inventory. The issues are similar when evaluating third-party vendors. They handle your data and access your network. Their cyber vulnerabilities become yours.

What are the most common cyber threats facing high net worth individuals and their families?

High net worth individuals and their families face all the same cyber risks as anyone else, but they are also more lucrative targets and often have higher Internet profiles—of which they may not be aware. For example, information about a prominent executive may exist on multiple websites, including those of his employer, a conference he attended, and a trade association he is involved with, as well as on public media platforms. In addition, the executive’s children may be active on numerous social media platforms, leaking details of family and parental activities. From these rich sources, a criminal can mine enough details to craft a carefully scripted approach targeting a specific person (which is known as spear phishing). Far more sophisticated than the more general shotgun attempts aimed at the unwary public, these attacks will reference details of the target’s professional or personal life that only a genuine associate would typically know. That is what makes them so hard to resist. Add the fact that many high net worth individuals have personal administrators for their homes or offices who answer emails and the risk escalates. Modern communications have effectively created a due diligence obligation for high net worth individuals to know and control their Internet profiles in order to minimize their risks.

If you could give them one piece of preventive advice, what would it be?

Assume you are at risk. Get educated about your vulnerabilities, address them and periodically reassess.

Cyber risk is in the news daily (and many more incidents are not made public). Can you provide examples of the type of incidents that are most damaging to corporate and executive reputations?

Recent headlines provide all the examples we need. Multiple retail chains have been hurt because they cannot protect their customer data. If the public hesitates to shop at a store because of data breach concerns, sales, income and stock price can all fall. Intrusions have destroyed emails and corporate assets, exposed embarrassing internal communications and identified people looking for sexual affairs. Reputation repair for the individual and the organization may take an extended period of time—or may not happen at all. A high-profile corporate or personal life in the 21st century requires adequate cybersecurity at home and at work as well as a protected and controlled Internet profile. Highly qualified professional assistance to secure those objectives is a must.

This is the third in a series of interviews with experts whose work relates to online reputation management.