Monthly Archives: August 2014

Why there?

The data breach at Target last Christmas was one thing.  Or a prodrome?

“Supervalu Probes Possible Data Breach,” Wall Street Journal, August 15, 2014.  Data from 1,000 stores may have been breached.  Normal discussion regarding whether and when (if) to notify customers, whether they will take the required precautions, and who pays (and how much) for this.

But why would hackers target a discount grocery chain?  Is it because the controls are weaker than at stores with more credit card sales volume?  Are there lessons for non-retail businesses? Or is this just another bog-standard data breach?


Filed under Compliance, Inform market, Inform shareholders, Protect, Protect information assets, Risk, Security, Value

Is fear the same as information?

I was struck by the extraordinary steps being taken to protect us from an Ebola outbreak.  I recall a presentation on risk by Dr. Vincent Covello years ago in which he stated that you were less likely to contract HIV from a dentist who knew she or he had it than you were to contract it from a dentist generally. So how do you control, or mitigate, that risk?  There’s just something about certain diseases that causes a visceral fear. They are viewed as loathsome.

Today, there were several articles in the Journal that seemed appropriate for a post. The coming collapse of the Internet infrastructure or the different prognostications about the upcoming college football season. But I went with the Ebola story. Why?

“Ebola Fears Prompt Extraordinary Precautions,” Wall Street Journal, August 14, 2014

Is public concern a “factoid” that you factor into your company’s operating decisions?  Should it be?  How do you “use” fear?


Filed under Communications, Controls, Definition, Inform market, Risk, Use

Undue diligence

Getting information on prospective business partners is common practice. In opaque economies, it’s a felony.

“Chinese Case Raises Risks For Business,” Wall Street Journal, Asia Edition, August 13, 2014 A1

Is this in your risk register?


Filed under Business Case, Compliance, Governance, Information, Knowledge Management, Risk

Information deficit

If the information upon which you base your decisions is not reliable, then the decisions often turn out badly.

“U.S. Underestimated Urgency of Islamic State Threat,” Wall Street Journal, August 11, 2014 A1.  Missing the build-up and strength of the Islamic State has had severe repercussions on the US response.

How reliable and complete is the information upon which your decisions are based?


Filed under Business Case, Collect, Data quality, Management, Risk, Use, Value

Fertile Friday

Several nuggets in today’s Journal.

Page A1: “New Credit Scores to Ease Access to Loan,” Wall Street Journal, August 8, 2014 A1 Forcing companies to reduce the amount of weight given to facts, such as unpaid medical bills sent for collection.

Page A5: “Murkowski Tells Begich: Take Me Out of Your Ads,” Wall Street Journal, August 8, 2014 A5 Apparently, implying support from the other party is a no-no.

A7: “Pilots Say U.S. Failed to Assess Ukraine Threat,” Wall Street Journal, August 8, 2014 A7 Apparently, flying over a war zone isn’t an obvious danger, and needs a government assessment.

B1. “Yahoo and Google Plot Spy-Free Emails,” Wall Street Journal, August 8, 2014 B1 Apparently, encryption option on gmail and hotmail. Only 20 years late.

B1. “How Do You Insure a Driverless Car?” Wall Street Journal, August 8, 2014 B1 Regulators rush to keep up with technological advances.

C1. “Deutsche Bank Gets Slapped,” Wall Street Journal, August 8, 2014 C1. Weak systems and poor oversight lead to Agency order.

This is just a sampling. What do we take from this? [Sorry; couldn’t insert links; technical problems posting remotely.]

Do information issues arise daily? Does the Government affect the quality of information you can get and use? Does the FTC control political advertising?  Do companies ignore obvious risks, or accept them, only to regret their decision later? How will discovery handle a large collection of encrypted emails?


Filed under Business Case, Compliance, Duty of Care, Internal controls, Oversight, Ownership, Privacy, Protect assets, Protect information assets, Risk, Security, Value


I posted a piece a while ago about a proposal to NOT report breaches.  And even before that on USIS, the company hired by the US government to vet contractor security clearances for Edward Snowden and the Navy Yard shooter (nobody remembers his name).  The two themes collide, maybe.

“Network Attack Hits Security Contractor,” Wall Street Journal, August 7, 2014 A3.  Reportedly they were hacked by a foreign state, who targeted information on DHS employees.   I guess it would have been better if they hadn’t made the news as being a bit “weak” in the protection department.

What information do your contractors have about your employees, and how secure is it?

And a different type of spies checking out your postings on Facebook and the like.  In Russian, no less.

“Spies Plugging Into Social-Media Networks,” Wall Street Journal, August 7, 2014 A4  Story about the Defense Intelligence Agency monitoring Facebook and other social media and capturing a post after Malaysian Airlines flight 17 was shot down.  Social media is apparently full of interesting information.

So, where’s your information and who’s looking at it?


Filed under Collect, Controls, Information, Internal controls, IT, Management, Oversight, Privacy, Protect assets, Protect information assets, Risk, Security, Use, Value

Methinks the lady doth protest too much

Reports of data breaches are a pain, and expensive.  And embarrassing.  Think about P.F. Chang’s, who reported a data breach involving 33 locations and customer credit cards and debit cards.  Wall Street Journal, August 5, 2014 B5

So, how do you view the suggestion that not all data breaches should be reported?  “A Contrary View on Data Breaches,” Wall Street Journal, August 5, 2014 B1

Does this really expose companies to more attacks from fraudsters?  Or are they already a target?  Isn’t it better to let potentially affected customers know?  Whose information is it, anyway?


Filed under Board, Business Case, Communications, Compliance, Compliance, Controls, Duty of Care, Governance, Inform market, Information, Internal controls, IT, Management, Ownership, Protect, Protect assets, Protect information assets, Risk, Security, Value

It just ain’t so

One would think that the highest rated, most-watched TV shows would charge the most for ad spots.  That’s true.  What’s not true is whether those shows result in the most actual “views” of the ads.

“Ad-Skipping Skews Upscale,” Wall Street Journal, August 4, 2014 B4  Thankfully, the amount of actual views is taken into consideration during negotiations between the sponsors and the TV channel.

What impact do new technologies have on what used to be true but is no longer so?  It’s not what you don’t know that kills you; it’s what you do know that just ain’t so.  Is the information you collect/rely upon the right information?


Filed under Collect, Controls, Definition, Information, Management, Third parties, Use, Value

Nike v. Under Armour

Does it happen that steps to protect a brand jump over the line?

Consider “Nike to 9-Year-Old: Change Your Shirt,” Wall Street Journal, August 2, 2014 A12  The son of the Florida State University football coach ran up to his dad after a major win and the moment was captured on TV.  Celebration ensues, right?  Wrong.

Apparently, Florida State has a deal with Nike whereby Nike supplies a bunch of money and free apparel to Florida State.  All that apparel has the Nike marks on it.  Not so the sweatshirt the coach’s son was wearing; it clearly displays the Under Armour logo.  Nike actually raised this in an email to the coach.

Query:  Wouldn’t it be unseemly for a uniform manufacturer to enter into a contract with a 9-year-old whereby he was paid to wear the manufacturer’s logo?  Or a contract with his dad (or his dad’s employer) that required the kid to wear branded merchandise?  Aren’t there child labor laws?

Is this information governance?  I submit that for the Nike assistant director it was a career limiting move.  Did his actions actually hurt the Nike brand?



Filed under Controls, Definition, Information, Ownership, Protect assets, Protect information assets, Third parties, Value

The value of information

It’s a brave new world.  With new territories to be discovered.  This one is not Mars, but three miles underwater.

“Deep-Sea Hunt Reboots For Missing Malaysia Jet,” Wall Street Journal, August 1, 2014 A1  Firms line up to re-start the search, outside the view of cable news.

Yes, the driver is the search for the missing Malaysian Airlines jet. But what else will be discovered?  What’s that information worth and who will own it?  What and who will be the unintended beneficiaries?


Filed under Definition, Information, Ownership, Value