Are you serious about enforcing your policies?

The headline from Tuesday says it all.  “Data Blowback Pummels Facebook,” The Wall Street Journal, March 20, 2018 A1.  Inquiries into allegedly improper data access in support of the Trump campaign.  Stock dropped 6.8% on Tuesday (-$36 billion in shareholder value).  Congress stirs.  Wants to restrict how Facebook deals with user data.

At issue is information of the same type shared with the Obama campaign in 2012, allowing access to your connections.  After that election, Facebook changed their policies.  This case involves a professor (technically, a vendor?) getting information from Facebook and sharing it with others, including a group advising the Trump campaign.  After Facebook discovered what the professor had done, an audit was done at the campaign adviser group, which said it had deleted all the data once it learned the professor had violated Facebook’s policies when he provided the information.

Who owns the data (such as who your friends are), and what protections are applied to this data?  Is Congress getting involved going to help or hurt?  How do you make sure your vendors comply with your policy?

And Facebook’s policies?  Today’s headline says it all (sort of):  “Lax Data Policies Haunt Facebook,” The Wall Street Journal, March 21, 2018 A1.  Actually, it wasn’t a problem with the policies; it was the fact that Facebook wasn’t very good at monitoring or enforcing them.  And the policies were adopted as part of a settlement with the FTC.  This could get expensive.  The Canadian government (where there is more extensive privacy protection by law) is also investigating.  An additional 2.6% drop in shareholder value on Tuesday.

See also “Facebook Provokes Storm Over User Data,” The Wall Street Journal, March 19, 2018 B1.  How did an outside data firm get access to users’ private data without their permission?  Unclear whether the data firm kept the data longer than it should have.

Watch this space. This is going to be news for a while.


Who governs the Internet?

ICANN, which oversees domain names on the Internet, keeps track of who owns which website, and until now has made a lot of that information publicly available.  In order to comply with new EU privacy rules, ICANN is going to reduce the amount of information available to all but an as-yet-to-be-determined accredited group.

“Group to Tighten Web Privacy Rules,” The Wall Street Journal, March 16, 2018 B4.

Good luck tracking down the source of hacking or intellectual property theft, which isn’t easy even now.  On the other hand, won’t keeping secret who owns a website in a country with less press freedom reduce the amount of governmental transparency?  Who decides these issues?


It was nice being #2

“Nike No. 2 Executive Quits Amid Complaints,” The Wall Street Journal, March 16, 2018 B1.  “Nike brand president and a potential successor to [CEO] leaves position after complaints about ‘inappropriate workplace behavior.’”

Why am I harping on the numerous resignations and dismissals over allegations of sexual harassment and similar? Isn’t this blog supposed to be about information governance?

At the core of governance is what rules you have and what rules you enforce.  High-profile violations of the law or the Code of Conduct, by high-profile executives, catch a lot of splash in the headlines.  Are some aspects of the Code of Conduct more worthy of enforcement than others?  If the company chooses to penalize high flyers for some violations, but not for others, do you really have compliance?

Employees have a duty to obey the law and to follow company policy.  All employees.  All policies.  Even those pesky ones about information.  Or is the company willing to allow some employees to violate some policies sometimes?

What enforcement steps has your company taken of late for violations of law or policy?  Do you know?  Do the shareholders?


Routine teaching case

“Insider Trade Alleged After Equifax Breach,” The Wall Street Journal, March 15, 2018 B1.  The CIO of an Equifax unit was indicted for insider trading after learning of the Equifax hack, but before that information was disclosed.  Sold nearly $1 million in stock 10 days before the disclosure.

This reminds me of the lawyer who approved the sale by some Equifax execs of some stock after the breach but before disclosure.  See post here.  Those executives have since been cleared, as they didn’t know of the breach at the time of the sale.

The company said it had cooperated in the investigation (no doubt having re-read a copy of the Yates memo).  The defendant had been promoted to be Equifax’s CIO before the trading was discovered, at which time the offer was “rescinded.”  He hadn’t been told about the breach, but figured it out.  Avoided $117,000 in losses.  But not getting fired and indicted.


Knowledge is dangerous

“In a First, U.S. Firms Reveal Workers’ Pay Gap With CEO,” The Wall Street Journal, March 12, 2018 A1.  US law requires disclosure of a comparison of the CEO’s pay to that of the median worker in the CEO’s company.

Noodle on this for a minute.  Who “owns” the information as to what you earn?  Do you?  If so, you could, if you wanted to, publish that information or post it on your door.  Does your employer encourage you not to do that?  Who’s hiding what from whom?  Would you be interested to learn that Joe in the next cubicle is paid 10% more than you are?  Is his job or his qualifications that much different?  Why don’t companies post this information by position?  Why are you nervous about posting your salary?  Are you embarrassed?

Just curious.

What does blockchain have to do with information governance?

It’s early days yet, but think about what happens with information.  It gets created, modified, transferred, stored, used, reused, exchanged, and, hopefully, deleted at the end of its life.  Would it be useful to be able to track who owns the information and where it is at each step of its life?  Is a piece of information that much different from a cargo container being tracked from origin to destination?

Just saying.

“Blockchain Has Power to Transform,” The Wall Street Journal, March 12, 2018 B4.


Who’s in charge?

Sometimes, the federal government and state governments clash over who controls some activity.  For example, marijuana, the sale or distribution of which is prohibited by federal law.  But some states have “legalized” it.  There’s a supremacy clause in the Constitution (Article VI), as well as the Tenth Amendment, and people disagree about which applies, and when.

“Fight Over Student Loans Intensifies,” The Wall Street Journal, March 10, 2018 A4.  Federal government asserts sole authority over companies that collect federal student loans.  States object.

What does this have to do with information governance?  Don’t you need to know who makes the rules that you need to comply with?
