Monthly Archives: July 2014

Catch 22

Yes, in Europe you have the right to be forgotten.  But when you seek to enforce that right, the website needs to be notified to take down the “offending” article.  And when they are notified, especially in the States, that is a separate story.

“Tantric Sex Workshop Gets ‘Forgotten,'” Wall Street Journal, July 19, 2014 B4 An American, named in an article in the US, move to Amsterdam, and seeks European protection.  But the US website gets notified.

Memory is a tricky thing.  So is information.

Leave a comment

Filed under Definition, Privacy, Protect information assets

Protect the grid

The pot calling the kettle black.

The Federal government, by way of the Federal Energy Regulatory Commission, is telling industry to increase the security around the electricity grid.  And requesting additional authority for the Fed to say which facilities need enhanced security.

“FERC Seeks Changes To Grid-Security Plan,” Wall Street Journal, July 18, 2014 B2  An industry-led group prepared the proposal for providing physical security.  The Fed wants the plan to apply to more facilities.  This is the same government that had issues with Wikileaks, Edward Snowden, the Navy Yard shooter, and other physical security lapses.

That being said, this does highlight an important point.  While there’s a lot of focus on on-line security, what about the security of the physical assets containing your company’s information?  Are you as secure as you need to be where you need to be?


Leave a comment

Filed under Protect assets, Risk, Security, Third parties

Who feels the pain? And when?

Compliance enforcement measures sometimes fail because the wrong people are punished.

“Prosecutors Change Tune on Prevention,” Wall Street Journal, July 17, 2014 C2.  US Department of Justice and FBI officials are starting to realize that threatening prison for corporate officials involved in bad behavior isn’t as effective a deterrent as imposing fines large enough to make shareholders angry.  Especially when few corporate officials go to prison.  But how large do fines need to be before they are confiscatory?  And are you taking money from people who did nothing wrong?  Isn’t the objective compliance, not punishment?

Does imposing huge fines convince shareholders to lean on their Boards to do a better job of oversight and compliance?   Does that really have the intended impact?  And the shareholders at the time of the fines aren’t the same shareholders anyway.

I think the impact would be a lot more powerful, and the effect more immediate, if prison terms were a real threat.  You don’t want to hit your puppy on the nose two weeks after some other dog had an “accident.”

Leave a comment

Filed under Board, Compliance, Compliance Verification, Controls, Culture, Governance, Internal controls, Investor relations, Oversight, Risk

Smallpox and anthrax

Lessons learned.

People get desensitized to the risks and dangers of the things they work with every day.  Specifically and to wit: smallpox virus.

“CDC Needs Tougher Oversight, Critics Say,” Wall Street Journal, July 17, 2014 A3. “[G]overnment laboratories that handle dangerous microbes [have] problems with oversight and a lax culture.”

If the labs handling smallpox and anthrax can’t keep track of stuff,  how can you expect your employees to follow the rules on keeping and organizing your companies information?  Oversight and culture, I guess.


Leave a comment

Filed under Board, Compliance, Compliance, Compliance, Compliance Verification, Controls, Culture, Governance, Internal controls, Management, Oversight, Protect, Protect assets, Protect information assets, Risk, Security

Medium or message?

A different issue than usual.

Does information governance focus not only on what content you receive, but also on how you receive it?

“TV Viewers of the World, Untie: Finally Cutting Cable,” Wall Street Journal, July 16, 2014 D1  This focuses on possible cost savings availability through changing the medium (full TV package from, say, Comcast, or just getting basic internet and streaming selected shows or using a digital antenna) through which you receive TV.

Why do you care?  Is there an analogy in the business environment, where the packages through which you receive and send (or process) content may be more costly than just buying what you need and want?  Or is this just a question of focusing on where content comes from, and how, and what are the alternatives?

Leave a comment

Filed under Collect, Information, Interconnections, IT, Use

What’d you get?

What do test scores really mean? Are they hyper-inflated?

Some suggestion that Common Core test scores are scaled. But scaled down, not up. Is this just managing expectations?

“Test Scores May Move, Learning Doesn’t,” Wall Street Journal, July 12, 2014 A2

Once you get or derive information, what does it mean? What assumptions have you made about it? Is this part of information governance? If not, why not?

Leave a comment

Filed under Data quality, Definition, Knowledge Management, Use, Value

Resisting temptation

I was tempted to discuss the apparent breach/hack at the Office of Personnel Management, which keeps information on government employees. “U.S. Probes Federal Computer Hacking,” Wall Street Journal, July 11, 2014 A14  I was thinking about the breach notification implications.

But then I got to the last page of the last section.  “Now On Campus: Drones,” Wall Street Journal, July 11, 2014 D10  Did you know that there were degree programs at some universities for unmanned aircraft systems?  Drones (starting at $1,000) being used to monitor practices.  Closely.

What are the new sources of information?  Certainly, it is easier to see the utility of the information they can gather than perhaps it is to imagine the different uses to which the new technologies can be put.  What controls are there around the collection, storage, and use of this newly available information?

Leave a comment

Filed under Collection, Information, IT, Privacy, Use, Value

Seven year itch

Getting in our time machine and going back to 2006, when the ediscovery rules in federal civil litigation were amended; lawyers at the time were concerned with how to capture and reproduce email, text messages, and instant messages. Failure to do so could lead to charges of spoliation, and court sanctions. (Going back even further, the civil discovery rules required much the same production in the early 1990s, but few people follow those rules).

Fast-forward: Just after the IG delivered a report on the targeting of conservatives, and in the midst of the investigation, 2013 email from Lois Lerner asks IT whether instant messages are being archived, and is informed that, while they could be, they aren’t. “IRS Didn’t Archive Instant Messages,” Wall Street Journal, July 10, 2014 A4  Even if they related to the subject of a federal investigation, or something within the jurisdiction of an agency of the US government? Where were the lawyers?

While ediscovery is certainly one aspect of information governance, it is not the only one; in fact, is not the major one.  So, too, is obstruction of justice.

Does your company do a better job  of protecting  and preserving  relevant communications in the midst of ongoing litigation?

Leave a comment

Filed under Collection, Compliance, Compliance, Controls, Definition, Discovery, Internal controls, Protect, Protect assets, Protect information assets, Risk, Value

Flag football?

Metrics in healthcare spending.  There’s a massive amount of data.  And, the stats show, 10% of payments under Medicare are improper.  Lots of red flags.

“Red Flags in Medicare Billing,” Wall Street Journal, July 9, 2014 A3  As they say, a billion here, a billion there; eventually, you’re talking real money.

What metrics do you watch on your data?

On a lighter side, taking a page from “Moneyball,” Ultimate Frisbee players are beginning to use statistics to identify the best players and the best strategies.  “Ultimate Geeks: Frisbee Enthusiasts Try to Play a Numbers Game,” Wall Street Journal, July 9, 2014 A1  I honestly didn’t know there’s a smartphone app that maps locations of passes.  No mention of using drones to capture video footage.

Are these information governance issues or just information usage questions?  Is there a difference?

Leave a comment

Filed under Board, Collect, Compliance, Compliance, Compliance, Compliance Verification, Definition, Governance, Information, Management, Oversight, Protect assets, Risk, Use, Value

An educated consumer

I know that American Express charges a merchant more if I use my Amex card than if I use Visa or my debit card.  But the cost to me is the same, so what the heck?  Amex gives me miles and a detailed bill.  The merchant will spread the cost over all customers.

But apparently Amex doesn’t want merchants to tell buyers that other cards cost the merchant less (worried that the customers will use other cards, or, Lord forfend, cash).  It says so in Amex’s contracts with the merchants.

The Department of Justice is of the opinion that the contract between Amex and the merchants is an antitrust violation.

“AmEx Antitrust Trial Begins,” Wall Street Journal, July 8, 2014 C3

Is Amex prohibited from prohibiting its merchants from telling customers that Amex costs the merchant more?  Hard (for me) to see the antitrust violation, or market, in this vertical restriction, but not my area.

Is this information control?  In reverse?




Leave a comment

Filed under Board, Compliance, Controls, Definition, Governance, Information, Internal controls, Management, Ownership, Protect, Protect assets, Protect information assets, Risk, Third parties, Use, Value