Let’s say you decide to pump up your advisory services business and a mutual fund. So you send tweets puffing up your average returns by claiming performance before the fund was created. And you state your fund was ranked number one, which, while true for some of the time, wasn’t completely accurate. And claim that you performed at twice the S&P 500 for ten years. And when a newspaper questions some of your claims, you sue.
The SEC brings civil charges for misleading investors and you get fined. Your lawsuit gets dismissed.
Does this besmirch not only your reputation but also that of Suze Orman, who’d helped you get started? Is that a risk she knew she was taking?
“SEC: Adviser Tweets Not So Sweet,” Wall Street Journal, January 31, 2014 C3 http://on.wsj.com/1bK7AlA
Is there a case for negligent infliction of emotional distress? If not, what is the duty of a company leasing a customer contact list to avoid causing harm to the customer being contacted? The duty of the company providing the data on that list? What would Judge Learned Hand have said?
“How Big Data Created a Cruel Result,” Wall Street Journal, January 30, 2014 B1 http://on.wsj.com/1fAXUwF
I am not sure it was Big Data that created the result. Seems more to me that an insensitive agent entered an insensitive comment into a data base, and that comment subsequently turned up in the address field when the customer list was rented to another company. Whatever controls the system had in place failed to prevent information other than name and address from making it into the address field.
In any event, a 17-year-old girl died in a car crash a year ago. Apparently somebody bought a memorial gift for her parents at Things Remembered and had it shipped to them. Things Remembered “rented” its customer list (apparently complete with ship-to addresses) to OfficeMax, who then mailed an ad to the parents. The second line of the address block reads, “Daughter Killed in Car Crash.”
Lots of lessons here, or things to be remembered. Your name and address aren’t private. Why would any retail outlet capture the information about the daughter’s death? Whose data is it? Can someone track who entered this into the data base? How can they rent information about you to someone else? Did I agree to that? Did you? Is there no privacy or decency in the US? [Apparently not when it comes to marketing, as long as the information is objectively true.] There are businesses set up for the express purpose of brokering data about you, and that goes beyond name and address. How many disaster communications plans were activated when this hit the wires?
Companies often provide financial incentives to employees to drive the achievement of objectives. What do you do if your incentives increase the likelihood of violations? What if senior management encourage or promote violations?
“Ohio School District Hit By Cheating Allegations,” Wall Street Journal, January 29, 2014 A2 http://on.wsj.com/LoAvoZ
“[T]op-down culture of data manipulation and employee intimidation.” Changing test scores and playing with attendance statistics to make schools appear to be better than they are. Criminal charges recommended. 7,000 student grades may be affected. Thankfully, no teachers accused. Just principals and data collection folks.
What incentives do you have in place? Do they incentivize the wrong behavior, especially by senior management? What other checks do you have in place?
What do you do when all the steps you take to prevent your copyrighted screenplay from being leaked come to naught and it gets posted on a website, and links appear elsewhere?
Well, this being America, the land of the free and the home of the brave, you sue. Who do you sue? Not only the website that posted it, but also a site that posted links to the screenplay on that first website. Theory: contributory infringement. By providing people a link (which isn’t copyrighted), you’ve assisted the infringer in his/her nefarious deed.
“Tarantino Sues Website Over Script,” Wall Street Journal, January 28, 2014 B2 http://on.wsj.com/1goJl41
Is the Journal also a contributory infringer by reporting the news? Am I? You might now go look.
What steps did you take to prevent this from happening? In whom did you wrongfully place your trust?
This is by no means settled law. Although there has been stuff about links.
More data/information on the Coke breach (55 laptops “temporarily” stolen over six years; did you know that >half of Fortune 1000 companies had a breach affecting more than 1,000 employees each year?; may have been part of process of integrating operations of a bottler bought in 2010; senior executive in charge of integrating the new business left Coke 2 days after breach discovered; Coke has tighter security than most). “Data Breaches Like Coke’s Aren’t Rare,” Wall Street Journal, January 27, 2014 B3 http://on.wsj.com/1hF5EPA
And the Apple monitor kerfuffle keeps kerfuffling along. One of the possible impacts of doing something wrong is having the court appoint a monitor to oversee everything, it appears. “Apple Monitor Backed,” Wall Street Journal, January 27, 2014 B5 http://on.wsj.com/1aYbP09
What if the information you collect in Country A can’t legally be sent to Country B, where you need it?
“China Criticizes Judge’s Ruling Suspending Auditors,” Wall Street Journal, January 27, 2014 C3 http://on.wsj.com/1gjX8ca. An SEC administrative law judge penalizes Big Four accounting firms for failing to turn over information on audits of operations in China of Chinese companies traded in US markets; the Chinese affiliates of the Big Four say disclosure of those materials outside of China is against Chinese law. China says it’s willing to negotiate. The SEC may not be as willing. So, if you’re the audit partner in Shanghai, where do you want to serve your time? If you’re the Chinese company listed on the NYSE, where else might you be listed? Do people remember that person from Shell who got into China trouble over market data?
In the latest round, first there was Target, then Neiman Marcus. Now Michaels. Another store chain may have been hit by hacker software.
Why these three? Were their systems particularly vulnerable? Or was this random? Were I to plan such a hack, and only had three chances, I would have picked differently. Might have leaned more towards Best Buy, Walmart and Macy’s. I’d look for high-volume stores where the customers are wealthier. Security holes are everywhere. Seriously, were these the only three chains where someone opened a phishing email? Or where thieves could remotely or physically attack the mainframe?
I guess we’ll learn when we learn.
“Michaels may be latest to suffer credit card breach,” Houston Chronicle, January 26, 2014 A5 http://bit.ly/1iALvxT
One hazard companies face is the loss or compromise of company information when a laptop gets stolen. To control against this hazard, companies often establish a policy that laptops must be encrypted. Or at least the laptops with senior executives, HR, and Legal, because of the sensitive nature of the information with which they work.
But what happens if someone doesn’t follow the policy for a bunch of laptops used by HR that contained names, Social Security numbers, addresses, compensation, ethnic background, and driver’s license numbers? And then the laptops go missing? Well, you eventually end up sending notices to 74,000 people.
“Coke Says Employee Data Was Exposed,” Wall Street Journal, January 25, 2014 B1 http://on.wsj.com/1ayGymx
The laptops were “temporarily stolen” by a now-former employee who was responsible for maintaining or disposing of the laptops. The company learned of this on December 10 and notified people January 24, allegedly meeting legal notification requirements.
Questions: if you have a company policy requiring encryption of all laptops, how could a bunch of laptops being used by HR not be encrypted? Shouldn’t HR know and follow all company policies? Why did IT issue unencrypted laptops to employees? What other company policies aren’t HR and IT following? What’s your policy for notifying employees when their personal data may have been compromised? Do you notify everyone immediately, or do you wait until you have analyzed the data to determine specifically who was affected? Or is that a procedure and not a policy? What other policies or company-mandated procedures aren’t being followed by others in the company?
At least the Coke formula is secure. The policy on that is a capital “P” policy.
The first response to an identified hazard/risk is to quantify it. If it’s big enough to worry about, then you establish controls (people, process, technology) to reduce the likelihood or impact, or both, should that hazard/risk occur.
Now, say the identified hazard/risk is the compromise of your proprietary information. Like internal conversations about business stuff. If someone is “mining” that chat stream and analyzing the content, can they get hints about what you’re going to do?
Apparently. Or at least Goldman Sachs may think so. Or it may be part of the move to a new chat platform. Is Bloomberg’s service scraping data? And whose data might they be scraping? Goldman’s? Its customers’?
“Goldman to Muzzle Some Chat Services,” Wall Street Journal, January 24, 2014 C1 http://on.wsj.com/1mRD94Z
One deals with identified information-related hazards/risks in one of two ways: you institute controls to prevent the hazard from occurring and you prepare mitigations in case the hazard happens.
Let’s say one of the hazards you have identified is the risk of computer hackers breaking into your system and stealing your customers’ credit card information. You take a lot of steps to prevent that from happening, but how robust are your response plans (mitigations) if it happens? Once you have credible evidence that your system has been hacked, does your crisis management plan call for you to give your customers early warning of the potential breach, even if your investigation is not complete? Do you have a duty to notify?
Target seems to have notified customers fairly quickly. Not so Neiman Marcus. A malware program was working inside Neiman Marcus from July 16 to October 30, 2013. Neiman was warned December 13 of the breach. On January 1, they discovered evidence of hacking of payment data. On January 6, they learned the hacking involved multiple stores. They disabled the software by January 10. And then told customers about it. After the Christmas holiday season was over. Only a couple of thousand Visa/MasterCard accounts affected. Apology issued January 16. Happy Holidays.
They wanted to get more information first. Didn’t want to worry customers. Not cause a panic. In retrospect, how does it look?
Does your mitigation plan have similar gaps?
“Malware Hid for Months at Neiman,” Wall Street Journal, January 24, 2014 B2 http://on.wsj.com/M4Qut1