Monthly Archives: December 2013

Compliance’s long tail

£2.3 million fine for Barclays for failing to properly preserve emails from 2002 – 2012. didn’t take steps to laminate them, to prevent subsequent alterations. And other record keeping stuff. FINRA.

“Barclays fined £2.3m over record-keeping,” the Guardian (online),

How long before people figure out what compliance requires?

Leave a comment

Filed under Business Case, Controls, Internal controls, IT, Records Management, Requirements, Risk, Security

What if the requirements are unclear?

Somewhere on the road between governance and management, someone needs to determine what the requirements are. Then management develops ways to meet those requirements (whether they be legal or corporate), and to test and report how well the company is meeting those requirements.

But how can management do that if the requirements aren’t clearly stated? How can you govern to squishy requirements?

“New Kind of Stress Tests Big-Bank Outlook,” Wall Street Journal, December 30, 2013 (online)

The Federal Reserve is reportedly keeping the “real measures” of the stress tests to themselves, and not letting the banks or the investors know what they are.

Is this a failure of governance, or something else?

Leave a comment

Filed under Communications, Compliance, Controls, Definition, Governance, Information, Requirements

What happens when your brand is damaged?

One risk of poor compliance is jail; another is fines; a third is reputation damage.

A fourth is loss of key employees, who prefer to peddle their papers elsewhere. How much would that hurt?

“SAC Portfolio Managers Moving to Rival,” Wall Street Journal, December 28, 2013

Leave a comment

Filed under Business Case, Business Continuity, Compliance, HR, Operations, Risk

Quality v. Quantity

What happens when the information the regulator relies on is unreliable? Plus or minus 10% in the swaps market. How do you regulate what you can’t measure? What’s $40 trillion between friends?

“Inaccurate Swaps Data Bedevil Regulator” Wall Street Journal, December 27, 2013

Leave a comment

Filed under Business Case, Controls, Data quality, Information, Risk, Value

The Mountain came to NSA

Can you have too much information? how do you filter out what you really need from what you want (I.e., everything)?

NSA Struggles to Make Sense of Data Flood

Leave a comment

Filed under Data quality, Information, IT, New Implications

Unwanted memories?

A bit of a detour.

What about information you no longer want to have? Not of a white T-shirt with a barbecue stain, but of something else?

Researchers are now looking at a way to erase memories. If the memory was relevant to a lawsuit, would you be guilty of obstruction of justice?

“Unwanted Memories Erased in Study,” Wall Street Journal, December 23, 2013 online

Leave a comment

Filed under Controls, Information, Internal controls, New Implications, Ownership

Training your new puppy

How do you train a new puppy not to do something you don’t want him or her to do?

Step 1: Catch him or her in the “prohibited act.” Tell him/her “No” in a strong voice.

Step 2: Catch him or her in the “prohibited act.”  Explain that Daddy/Mommy doesn’t like that.

Step 3: Catch him or her in the “prohibited act” and quickly take him/her outside.

Step 4: Catch him/her in the “prohibited act” and pop him/her with a newspaper across the nose. [This may not be politically correct.]  Repeat as necessary.

“Phishing still hooks energy workers,” Houston Chronicle, December 22, 2013 D1  Companies that have told their workers not to open suspicious emails (Step 1) because of the risk of data compromise (Step 2); the companies then tell the employees that the company sends fake phishing emails to see who, internally, will click anyway (cute cat pictures seems to work), and then counsels those who still click (Step 3). Reduce carpet damage from 56% to 10%.

What do you do with the few who just don’t get the message and continue to open the test emails?

Got a newspaper?

Leave a comment

Filed under Business Case, Communications, Controls, Governance, Internal controls, IT, Policy, Protect assets, Risk, Security

Information at home

Knowing and following your employer’s information-related policies is one thing.  Do your kids follow one at home? Do you?  Does your personal wealth advisor advise you what to do and what not to do?

“Risks of Being Rich on Social Media,” Wall Street Journal, December 21, 2013 B9 Tells the story of a wealthy kid who posted something on his Facebook page about the family vacation.  The family came home to a ransacked house – the burglars, it would appear, had taken the kid’s posting as an invitation. Or the wealthy kid who posted something on Twitter about Dad’s conversation over dinner about developments at work – How did Dad’s employer feel when that information went public? (Remember the outing of J.K. Rowling’s pseudonym? The wife of one of the author’s lawyers spilled the beans. July 18, 2013 Who’s problem is information security? Does it matter?

Facebook, Twitter, photos from your/their smartphones (if the GPS stuff is on), networks, etc.  If you’re a potential target, avoid being targeted easily. Electronically or otherwise.

Leave a comment

Filed under Business Case, Controls, Governance, Information, IT, Policy, Privacy, Risk, Security, Third parties, Uncategorized, Use, Value

I know. Let’s start a hedge fund.

More insider trading.  Ho hum.

“Ex-Microsoft Employee, Partner Accused of Insider Trading,” Wall Street Journal, December 20, 2013 C3

Employee at Microsoft tipped his business partner to trade in advance of announcements.  Aim was to create their own hedge fund (where no doubt they would be scrupulously honest).  Nearly $400,000 later, looking at jail time.  He got fired, too.

What’s your confidential information worth to someone else?  Are your own employees feathering their nests at your expense?  What controls do you have in place?


Leave a comment

Filed under Business Case, Controls, Governance, Information, Internal controls, Legal, Ownership, Policy, Protect assets, Requirements, Risk, Third parties, Value

Three front page stories, plus one missing one

Sections A, B, and C of the Wall Street Journal each had a front page story related to information.  And one was missing.

  1. “Traders Seek an Edge With High-Tech Snooping,” Wall Street Journal, December 19, 2013 A1

Not the NSA this time.  No, it’s people using technology to get a jump on public market information, which has real value and gives traders with access to the information an edge over those who don’t.  How can you protect (a) the information and (b) market integrity? Crop yields, electricity, and oil storage, among others.

2.   “Target Hit By Breach Of Credit Cards,” Wall Street Journal, December 19, 2013 B1

Millions of customers who shopped at Target since Black Friday may have had their credit cards compromised.  How many millions?  Breach affected 40,000 card readers at stores.  You try and try to protect the information, but Willie Sutton was right (about banks, at the time) about what to target and why. Target was targeted.

3.    “Jury Votes to Convict SAC Manager,” Wall Street Journal, December 19, 2013 C1

Insider trading conviction for Michael Steinberg.  He allegedly got inside data from Dell and Nvidia and traded on it.

4.  Not in the Wall Street Journal headlines, but available online: “Ex-BP Engineer Found Guilty of Obstruction”.

Kurt Mix deleted emails and texts that may have included information about BP’s response to the Gulf spill.  The government had other copies of this, but Mr. Mix (who I do not know – I left BP before the spill) nonetheless appears to have violated the letter of the obstruction statute (18 USC 1512).  I would think selective prosecution would be an issue, as the DOJ seldom prosecutes under this or the other obstruction section (18 USC 1519).  It would be a full time job.  As a cautionary tale, the Kurt Mix conviction is “bigger” for information governance than the Steinberg conviction, which is sort of the same old story.  A prosecution or conviction for deleting emails or texts without a showing of intent to obstruct (versus intent to delete) is hugely troubling.

Leave a comment

Filed under Business Case, Business Continuity, Compliance, Controls, Definition, Governance, Information, Internal controls, IT, Legal, Operations, Ownership, Requirements, Risk, Security, Third parties, Use, Value