In November of last year we called attention to pending changes to the privacy law in Massachusetts that protects state residents’ personal information, and we’ve also just come out with a Perspectives article that details the steps to compliance.  However, good news for companies who deal with this kind of personal data: On February 12, 2009, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) once again revised its personal information security regulations and postponed the effective date until January 1, 2010.

This means more time to digest the new regulations and act accordingly.  To that end, we’ve scheduled a webinar to review the standards on Tuesday, March 10, and we invite you to register and listen in.  We will be sure to report back after the online event!

The Commonwealth of Massachusetts enacted a law in September protecting state citizens’ personal information. Originally scheduled for January 1, 2009,  the law will now take effect for all Massachusetts businesses and third party providers beginning May 1, 2009, with other requirements coming into effect January 1, 2010.  The law intends to protect employee personal information from unauthorized access and possible exploitation.

Personal information to be protected includes a person’s name and address, combined with complete social security number, driver’s license or other state-issued number, complete credit card or bank account numbers.

Companies that do keep this information will need to take some prescribed steps towards compliance.  They must:

1.  Establish written policies and procedures for the protection of these files, both in the electronic and physical formats.

2.  Be able to justify the need for all such information kept in house. Obviously employee data is needed to for tax, 401K, and insurance withholdings. But for client records is it possible to only maintain the last four digits of a credit card number?

(more…)

Big news from Duane Reade, as the drug store chain is facing fraud charges that allegedly account for a $17.5 million overstatement of pre-tax income. Interesting, but more important are the fraud cases that we are not seeing publicized.

In fact, the Duane Reade article in Accounting Today is just the kind of high profile case that prevents executives of small to mid-sized private companies from recognizing that fraud is a much greater danger to them than to large publics.

The truth is that the large majority of fraud is committed against these smaller companies, and is extremely damaging. In fact, companies with less than 100 employees are most prone and often see losses eclipsing $200,000 – a crippling hit for a small company.

We always encourage owners and financial executives to understand where the opportunity lies for fraudsters and how to mitigate the risks. This presentation, which is a condensed version of a recent seminar, tells a compelling story.  Feel free to let us know if you think fraud is taken seriously enough at your company.

New guidelines on fraud prevention tactics were issued this summer in a joint effort by the Association of Certified Fraud Examiners, the AICPA, and the Institute of Internal Auditors. You can check out a summary press release here; the general theme they convey is that companies need to do more to prevent fraud along a number of fronts:

Five key principles within the guidance address governance, risk assessment, fraud prevention and detection, investigation, and corrective action. Following the guidance will help ensure that there is suitable oversight of fraud risk management, that fraud exposures are identified and evaluated, that appropriate processes and procedures are in place to manage those exposures, and that fraud allegations are addressed in a timely manner.

The risk of fraud is substantial and the median loss amounts have been increasing steadily over the years. For that reason I certainly share the desire to alert company leaders to the risk, especially in the current economic climate. The pressures of fraud are increasing on individuals as consumerism meets a downturning economic environment. The credit crunch, falling housing prices and the pressures of a consumption lifestyle will turn the unlikeliest individuals to acts of misappropriation (more on that in this MFA audiocast).

Though trust and delegation of authority are integral parts of enabling an organization’s members to achieve truly remarkable levels of performance, the lack of oversight can also open up gaps that enable fraud. They can be closed, however, through sound management principles that create oversight mechanisms that will monitor activity, promote transparency, and ensure that the collective assets of the organization are protected from malfeasance.

Despite suffering loss, organizations still have the onus of proving it and recovering lost property, often without the active involvement of law enforcement. Public agencies have limited resources and are often diverted by other causes — and no preventive regulations will ever match the safeguards provided by sound management and a well laid out process.

Local PD’s don’t have the resources to conduct forensic audits, and state and federal agencies only commit to glamour cases. These glamour cases are often restricted to publicly traded companies, identity theft, defrauding investors and other public related matters…there are many gems in this area, but a regional standout was the TJX case that surfaced last year. Internal breaches of fiduciary responsibility, especially when they involve businesses, are often low on the law enforcement totem pole.

The most important starting point in fraud prevention is realizing that the responsibility rests squarely on management’s shoulders to minimize opportunities for a potential fraudster. These newly issued guidelines cite practical approaches to prompt responsible managers to institute appropriate control mechanisms into their organizations. Applying such principles of effective oversight can promote efficiency, create transparency and effectively mitigate an organization’s risks of fraud.