Monthly Archives: August 2013

The Board and the Cloud

In Vince Polley’s latest issue of MIRLN, he links to an article regarding the legal obligations of the Board when the company uses the cloud.

What is the Board’s duty to take reasonable care to protect the company’s assets, like information put in the cloud? Can the Board fulfill this duty without knowing which officer is responsible for managing all aspects of information?

Vince and I have a long history – both hired by Schlumberger out of DC law firms by the same guy in the same year and both independently coming to Knowledge Management for Lawyers, from an inhouse perspective. MIRLN is a must-read collection of information-related stuff, presented in a very usable form.

Leave a comment

Filed under Ownership, Policy, Risk, Security

University? We don’t need no stinkin University

“Online Class Aims To Earn Millions,” Wall Street Journal, August 31, 2013 A3. Two professors at UT Austin are trying to make millions from online psychology course.  Following Coursera, EdX, and other online, watch-it-when-you-want-it college course offerings, they are trying to get 10,000 students at $550 each.  No time-shifting allowed.

Implications? Well, compare what’s happened with newspapers.  Which ones can still charge for access to daily content (WSJ is one) versus access to the archives?  Who needs the big campus quad to get a degree (or to pass the tests seniors may have to take to satisfy prospective employers?  (See earlier post at

I am not an economist, but let’s say there are 2,000 professors nationwide offering an introductory psychology course.  One of those professors is “the best.”  How do those other 1,999 professors stay in business if “the best” puts his or her course online at a reasonable rate?  Without the overhead of an ivy-walled university with a great reputation.

Who :owns” the content?  The university or the prof?


Just asking.

Leave a comment

Filed under Data quality, New Implications, Ownership, Risk, Use, Value

NASDAQ stops finger-pointing, almost

“Nasdaq Takes Blame for Stock Halt,” Wall Street Journal, August 30, 2013 C1.  While shouldering some of the blame for the trading halt, Nasdaq still argues rival platform NYSE Euronext was the root cause (I use this term with reservation, as it was not used in the story. Root cause investigations are to find what to do differently the next time, not to find out what “caused” an accident.  But people use the term as a noun anyway.).

When you find yourself in a hole, the first thing to do is stop digging. One of the lessons from successful crisis management is to act responsibly, while leaving determination of legal liability for later.

When you’re in the information business, being sloppy is not good.  Being snarky and blaming someone else in the business is worse.  What’s a reputation worth, anyway?

Leave a comment

Filed under Business Continuity, Content, IT, Risk, Value

Rules? They’re more like guidelines.

“Fed Staffers Broke Rules In Release Of Minutes,” Wall Street Journal, August 30, 2013 A2. Fed staffer emailed minutes of policy meeting a day early to a bunch of banks, investment firms and congressional staffers. Distribution list changed to exclude financial industry trade associations and bank lobbyists.

Lower-level employees often make mistakes, or don’t follow rules exactly.  Is an email to a distribution list the best practice for sensitive data? Do you have a second line of defense?  And a third? Does digital rights management offer a possible solution?

Leave a comment

Filed under Policy, Risk, Security

Libor fixing, continued

“Rate-Probe Spotlight Shines on Higher-Ups,” Wall Street Journal, August 29, 2013 A1.

Citigroup employee fired for Libor-fixing attempt says senior levels were doing same thing.

This has the normal ties to discovery and following the chain.  Assuming there was a policy in place prohibiting this behavior, and the fired employee violated it, then in a sense the system worked, as it caught him.  But if his allegations are true, and senior-level officials were doing the same thing, was there a core defect in culture for which the Board bears some responsibility?  Either selection of the seniors, or failure to adequately monitor, or whatever?

Leave a comment

Filed under Uncategorized

Syrian attack on DNS, NYT, Twitter

“Syrian Electronic Army’s Alleged Attack Hit Soft Spot,” Wall Street Journal, August 29, 2013 B3.  Attack on Australian domain registrar leads to denial of service at New York Times, Twitter, Huffington Post and other sites. Syrian Electronic Army claims responsibility.

There was an optional feature that would have prevented this, but NYT and Twitter didn’t use it.  Now they do.

Focus on IT security is often at the server level.  Prevent physical access by outsiders, and limit system access to approved people.  Snowden was a failure in limiting system access and downloading.  But what was the process in place for deciding whether to activate the registry-change lock ?  Did people quantify the risks?  Who was involved in the decision?

Where else do third parties control potential links?  Are you using the cloud?

Leave a comment

Filed under Business Continuity, Risk, Security

How many official requests to Facebook for information?

“Facebook tells of official requests for data,” Houston Chronicle, August 28, 2013, D1 Government requests for information on >30,000 members in first six months of 2013.  Reporting required by law.

If the government requested your information, would you know? Do you care?  Facebook owns the information, right? Does this limit what you put on-line? Is there any privacy to what goes on-line?



Leave a comment

Filed under Ownership, Privacy, Requirements, Risk

SEC asks questions about retailers’ on-line sales

“After Decades of Toil, Web Sales Remain Small for Many Retailers,” Wall Street Journal, August 28, 2013 A1.    SEC presses major retailers for more details on actual level of on-line sales.

So, in addition to proxy disclosures, Boards need to worry about how it discloses information to shareholders about non-material portions of its business.  Vague claims of growth in call with investors subject to scrutiny. A thirty percent growth rate sounds impressive until you understand that the growth is from an infinitesimal percentage.


Is this a Data Quality point or a Governance point? Or both?  Content?

Leave a comment

Filed under Communications, Content, Data quality, Risk

Control failure

“Leaker’s Security Check Faulted,” Wall Street Journal, August 28, 2013 A1,  Discussions of the cursory nature of the background check on Edward Snowden.

To protect sensitive information, one would normally segregate the information, limit access to trusted individuals, and monitor attempts by non-trusted individuals to access the information.  And you would monitor and control downloads of that information by the trusted individuals.

One obvious failure in the Snowden case is how the government goes about figuring out who are trusted individuals.  Especially someone with the high level of system access that Snowden had.  But what about his ability to download information to three computers and a thumb drive?  Apparently, no one (other than Snowden) knew about his downloads until he was in Hong Kong.  And the Administration says the information downloaded was especially sensitive.

Compare and contrast Pfc. Bradley Manning.

Leave a comment

Filed under Security, Value

Yosemite fire threatens San Francisco water supply  Houston Chronicle, August 27, 2013 A2.

What do fire and water have to do with information governance?  If you had a business in San Francisco and your water was cut off, how would you continue to operate?  Would you have access to the information you need?  Would customers be able to contact you if your workforce didn’t come to the office?

The business management principle is business continuity. How do you plan for these disruptions?  What information is critical to your continued operation?

In the early 1990’s, I was with Amoco in Chicago, in what is now the Aon Building at 200 East Randolph.  The tunnels underneath the building flooded, disrupting the network servers.  No email.  What would your business do without network connections for a day or two?

Is that information management? Who owns the planning for this type of event?

Leave a comment

Filed under Business Continuity, Risk, Security, Value