Monthly Archives: January 2014

Truth in tweeting

Let’s say you decide to pump up your advisory services business and a mutual fund. So you send tweets puffing up your average returns by claiming performance before the fund was created. And you state your fund was ranked number one, which, while true for some of the time, wasn’t completely accurate. And you claim that you performed at twice the S&P 500 for ten years. And when a newspaper questions some of your claims, you sue.

The SEC brings civil charges for misleading investors and you get fined.  Your lawsuit gets dismissed.

Does this besmirch not only your reputation but also that of Suze Orman, who’d helped you get started? Is that a risk she knew she was taking?

“SEC: Adviser Tweets Not So Sweet,” Wall Street Journal, January 31, 2014 C3

Filed under Business Case, Content, Information, Legal, Requirements, Risk

Things to remember.

Is there a case for negligent infliction of emotional distress? If not, what is the duty of a company leasing a customer contact list to avoid causing harm to the customer being contacted?  The duty of the company providing the data on that list?  What would Judge Learned Hand have said?

“How Big Data Created a Cruel Result,” Wall Street Journal, January 30, 2014 B1

I am not sure it was Big Data that created the result. Seems more to me that an insensitive agent entered an insensitive comment into a database, and that comment subsequently turned up in the address field when the customer list was rented to another company. Whatever controls the system had in place failed to prevent information other than name and address from making it into the address field.

In any event, a 17-year-old girl died in a car crash a year ago. Apparently somebody bought a memorial gift for her parents at Things Remembered and had it shipped to them. Things Remembered “rented” its customer list (apparently complete with ship-to addresses) to OfficeMax, who then mailed an ad to the parents. The second line of the address block reads, “Daughter Killed in Car Crash.”

Lots of lessons here, or things to be remembered. Your name and address aren’t private. Why would any retail outlet capture the information about the daughter’s death? Whose data is it? Can someone track who entered this into the database? How can they rent information about you to someone else? Did I agree to that? Did you? Is there no privacy or decency in the US? [Apparently not when it comes to marketing, as long as the information is objectively true.] There are businesses set up for the express purpose of brokering data about you, and that goes beyond name and address. How many disaster communications plans were activated when this hit the wires?

Filed under Business Case, Controls, Data quality, HR, Information, Internal controls, Ownership, Privacy, Risk

Structures and Culture

Companies often provide financial incentives to employees to drive the achievement of objectives. What do you do if your incentives increase the likelihood of violations? What if senior management encourages or promotes violations?

“Ohio School District Hit By Cheating Allegations,” Wall Street Journal, January 29, 2014 A2

“[T]op-down culture of data manipulation and employee intimidation.”  Changing test scores and playing with attendance statistics to make schools appear to be better than they are.  Criminal charges recommended. 7,000 student grades may be affected. Thankfully, no teachers accused.  Just principals and data collection folks.

What incentives do you have in place?  Do they incentivize the wrong behavior, especially by senior management?  What other checks do you have in place?

Filed under Business Case, Controls, Data quality, Information, Internal controls, Risk, Value

It’s not pulp fiction

What do you do when all the steps you take to prevent your copyrighted screenplay from being leaked come to naught and it gets posted on a website, and links appear elsewhere?

Well, this being America, the land of the free and the home of the brave, you sue.  Who do you sue? Not only the website that posted it, but also a site that posted links to the screenplay on that first website.  Theory: contributory infringement.  By providing people a link (which isn’t copyrighted), you’ve assisted the infringer in his/her nefarious deed.

“Tarantino Sues Website Over Script,” Wall Street Journal, January 28, 2014 B2

Is the Journal also a contributory infringer by reporting the news?  Am I?  You might now go look.

What steps did you take to prevent this from happening?  In whom did you wrongfully place your trust?

This is by no means settled law. Although there has been stuff about links.

Filed under Business Case, Controls, Governance, Information, Internal controls, Ownership, Protect assets, Risk, Third parties

Problems in Middle Earth?

More data/information on the Coke breach (55 laptops “temporarily” stolen over six years; did you know that more than half of Fortune 1000 companies had a breach affecting more than 1,000 employees each year?; may have been part of the process of integrating operations of a bottler bought in 2010; senior executive in charge of integrating the new business left Coke 2 days after the breach was discovered; Coke has tighter security than most). “Data Breaches Like Coke’s Aren’t Rare,” Wall Street Journal, January 27, 2014 B3

And the Apple monitor kerfuffle keeps kerfuffling along.  One of the possible impacts of doing something wrong is having the court appoint a monitor to oversee everything, it appears. “Apple Monitor Backed,” Wall Street Journal, January 27, 2014 B5

What if the information you collect in Country A can’t legally be sent to Country B, where you need it?

“China Criticizes Judge’s Ruling Suspending Auditors,” Wall Street Journal, January 27, 2014 C3   An SEC administrative law judge penalizes Big Four accounting firms for failing to turn over information on audits of operations in China of Chinese companies traded in US markets; the Chinese affiliates of the Big Four say disclosure of those materials outside of China is against Chinese law. China says it’s willing to negotiate.  The SEC may not be as willing.  So, if you’re the audit partner in Shanghai, where do you want to serve your time? If you’re the Chinese company listed on the NYSE, where else might you be listed? Do people remember that person from Shell who got into China trouble over market data?


Filed under Business Case, Controls, Legal, Requirements, Risk

Number 3 and counting

In the latest round, first there was Target, then Neiman Marcus.  Now Michaels.  Another store chain may have been hit by hacker software.

Why these three?  Were their systems particularly vulnerable?  Or was this random?  Were I to plan such a hack, and only had three chances, I would have picked differently.  Might have leaned more towards BestBuy, WalMart and Macy’s. I’d look for high-volume stores where the customers are wealthier.  Security holes are everywhere.  Seriously, were these the only three chains where someone opened a phishing email?  Or where thieves could remotely or physically attack the mainframe?

I guess we’ll learn when we learn.

“Michaels may be latest to suffer credit card breach,” Houston Chronicle, January 26, 2014 A5

Filed under Business Case, Controls, Interconnections, Internal controls, IT, Risk, Security, Third parties

Scary stuff on how the stolen credit card market works

via Deborah Dillon @Infogovgeek

Introduction to the Business of Stolen Card Data … via @infosecedu

Filed under Business Case, Definition, Information, IT, Risk, Security, Value