Near-hits

It seems that several (most of?) the large privacy breaches have something in common: something smaller happened earlier that people didn’t pay enough attention to.

“Marriott’s Starwood Missed Chance to Detect Huge Data Breach Years Earlier, Cybersecurity Specialists Say,” The Wall Street Journal, December 2, 2018 (online).  There was a prior breach in 2015 that, some say, could have been investigated more thoroughly.

Might this happen in your business?  Say there’s a relatively minor breach, affecting a single client’s information.  Or a minor compliance issue.  You discover it and take action.  But does the breach itself indicate weaknesses in your system of controls that may have broader implications?  Do you change your training or other controls to reflect this experience, or the experience of others in your industry?

This brings to mind a common finding in accident investigations.  Something small happened that could/should have put you on notice.  But it was ignored or downplayed.

How does your organization deal with near-hits in the compliance or information governance space?  Is this part of oversight?  Or a part of effective knowledge management?

Advertisements

Leave a comment

Filed under Analytics, Collect, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, IT, Knowledge Management, Management, Oversight, Privacy, Protect assets, Security, Third parties, Use

Is it live or is it Memorex?

What impact has technology had on the flow of information in your industry, including the flow of information to and from competitors?  Are your controls keeping pace?

“Fashion Industry Gossip Was Once Whispered. Now It’s on Instagram.,” The Wall Street Journal, December 2, 2018 (online).  Instagram used to track fashion statements that are strikingly similar.

Underlying this is the point that copying someone else’s creative expression is frowned upon.  (Compliance) And that public shaming may be a more effective (and less expensive) control than copyright litigation. (Governance) And a photo of a jacket (or the jacket itself) is as much information as an email. (Information)

Leave a comment

Filed under Compliance, Compliance (General), Controls, Definition, Duty, Governance, Information, Internal controls, Ownership, Protect assets, Technology, Third parties

Did your consultant mislead the bankruptcy court?

That’s a serious charge.

“U.S. Watchdog Says McKinsey Misled Bankruptcy Court,” The Wall Street Journal, December 1, 2018 (online).  Did McKinsey make misleading disclosures about  what conflicts of interest it might have had?  Was a related investment unit truly separate?

The point of this post is to highlight what can happen when one of your agents (and a consultant is an agent) makes an inadequate disclosure to a court about potential conflicts in connection with your case.  Are you liable?  Is your reputation damaged?  What’s that worth?  What controls do you have to prevent conflicts of interest by your consultants, and how do you police those controls?

Of course, you wouldn’t fail to disclose such a conflict yourself.

Leave a comment

Filed under Controls, Corporation, Duty, Duty of Care, Governance, Information, Internal controls, Third parties, To report, Vendors

It’s a theme

In the prior post, I expressed some shock and amazement that Amazon would meddle with the patient-doctor relationship.  See www.infogovnuggets.com/2018/12/03/these-folks-have-lost-the-plot/.

Apparently I am not alone in raising some questions about the antitrust implications of some of Amazon’s behavior. “Germany Opens Amazon Antitrust Probe, Adding to European Scrutiny,” The Wall Street Journal, November 30, 2018 (online).  Is Amazon hindering other sellers on their website?

This is primarily a Compliance issue.  I note, however, that the types of behavior at issue here are basic antitrust blocking and tackling.  If you get to a certain size, you can no longer get away with behavior that would be acceptable by a smaller player. Sometimes this isn’t part of the Compliance education package.

 

Leave a comment

Filed under Compliance, Compliance (General), Controls, Corporation, Duty, Governance, Interconnections, Legal, Requirements, Third parties

These folks have lost the plot

I was gobsmacked by the prior piece that described Amazon taking money to place sponsored ads on someone else’s baby gift registry.  But Amazon doesn’t stop there.

Amazon Makes Inroads Selling Medical Supplies to the Sick,” The Wall Street Journal, November 30, 2018 (online).  Doctors are putting lists of products to buy in your medical records, with a link to where you can buy them on Amazon.

What could go wrong?  No behavior going on here to create or extend a monopoly; drive on by.

Who owns your medical record?  Who owns the relationship with your doctor?  Who gets any money from leveraging your doctor’s recommendations?  Who has a moral compass, or an ethics and compliance policy?

 

1 Comment

Filed under Controls, Duty, Information, Ownership, Privacy

Making a list and checking it twice

So, you have a baby coming.  You establish a baby registry online, and list the items/gifts you want to receive.  And then the host of the registry accepts payments from vendors of baby products to add certain items to “your” list.

Is nothing sacred?

“New Parents Complain Amazon Baby-Registry Ads Are Deceptive,” The Wall Street Journal, November 29, 2018 (online).  Amazon accepts money from major companies to put “sponsored ads” on your list; there’s a small gray box saying “Sponsored.”  Nothing descriptive like, “Similar to things the mother-to-be actually wants.”

I guess you have to check to make sure that you check “your” list at least twice, to make sure that Amazon hasn’t made it theirs.  No bait, just switch.

Where’s the FTC on this? Would you buy from a company that paid to advertise on someone else’s gift registry, without asking?  Are they a bit scummy?  These aren’t small-time companies; advertisers buying the ads include Kimberly-Clark and Johnson & Johnson.  To sell baby products!

Next thing, they’ll be posting billboards on your roof and on your car. Without so much as a by-your-leave.

Leave a comment

Filed under Accuracy, Compliance, Controls, Corporation, Culture, Data quality, Duty, Duty of Care, Governance, Information, Internal controls, Oversight, Ownership, Third parties, Value

Selling what isn’t yours

One profit model that seems to be working well is selling stuff that doesn’t belong to you.  Cuts your cost-of-goods-sold dramatically.

“Facebook Considered Charging for Access to User Data,” The Wall Street Journal, November 29, 2018 (online).  Facebook considered charging people to access user data.

Now, I guess that’s marginally different than letting third parties see the “Facebook” user data (i.e., the data of the users of Facebook) for free, in order to develop apps or whatever.  But isn’t it still the users’ information?  Oh, and it might be somewhat contrary to what the CEO said to Congress about Facebook’s policy of never selling user data.

Leave a comment

Filed under Access, Collect, Compliance, Controls, Corporation, Culture, Duty, Duty of Care, Governance, Information, Internal controls, Management, Oversight, Ownership, Ownership, Third parties, To report, Use, Value