Monthly Archives: September 2014

Saucus goose, saucus gander

Students of the Target credit card breach may remember that access to Target’s POS system started with a security breach/hole at a small refrigeration contractor saving money on its antivirus software.

“Hackers Find a Way In,” Wall Street Journal, September 18, 2014 A3. Transportation companies working with the US military were breached at least 20 times last year, and the US military was advised of 2 of the breaches. The hackers were linked to the Chinese government.

Do your contracts with vendors require them to notify you if they are attacked or breached?  The government now does.   Wouldn’t that be a good control for you to have? Would you enforce it?

What about US attempts to spy on Chinese government activities?  Is that different?


Filed under Board, Business Case, Controls, Governance, Information, Interconnections, Internal controls, IT, Management, Oversight, Ownership, Protect, Protect assets, Protect information assets, Risk, Security, Third parties, Value

The flipside of Occam’s razor

“‘[E]ntities must not be multiplied beyond necessity.'”  Per Wikipedia, September 17, 2014. A principle variously stated, generally along the lines of the simplest explanation is preferred over the more-complex one.

“Insurance Site’s Frailties Detailed,” Wall Street Journal, September 17, 2014 A4. Report on a GAO study of the security weaknesses of the insurance site, which is an amalgamation of a bunch of other sites, with multiple connections and numerous contractors, rather than a single site built from scratch. “Many of the problems stemmed from … disagreements about security roles and responsibilities with the various contractors, states and federal agencies that exchange information ….”

Are your information systems unnecessarily complex?  Are they too complex to secure against attack? Is there a simpler solution?


Filed under Board, Business Case, Compliance, Controls, Interconnections, Internal controls, IT, Oversight, Risk, Security

1.5% isn’t bad.

As reported earlier (a dozen nuggets), people who fail to confirm their immigration status may lose healthcare cover.

“Missed Deadline to Cost Coverage for Thousands,” Wall Street Journal, September 16, 2014 A3.  The failure to provide information is costing over 100,000 people the health coverage they purchased through the site.  Another 279,000 are asked to verify income data in connection with health care subsidies.  Deadline is September 30, a little more than a month before the mid-term elections.

Take a moment to look at the information flows.  Eight million people apply for cover and get it.  It takes the US government only four months to resolve immigration discrepancies on a million enrollees, with only 1.5% of the 8 million applications unresolved (on this issue) in the first year of the plan’s operation.  How would you have verified the data?


Filed under Business Case, Controls, Data quality, Governance, Information, Requirements, Risk, Value

Employee loyalty and criminal behavior

Is one of your employees an informant for the Department of Justice?  Does that chill internal discussion or cramp operations?

“‘Flipped’ Bankers Aid Forex Probe,” Wall Street Journal, September 15, 2014 C1. Rumors of “flipped” employees, who are acting as informants while still working for the target banks.

Were I a skeptical type, I might say that spreading the rumors of the existence of such informants might be part of the government’s compliance strategy.  So, too, might actually having the informants.  But if you’re about to enter settlement negotiations (as is the case here), might rumors be enough?

To assist its own compliance initiative, a company might mention the possibility of such informants to keep people in compliance.  Or might actually place informants in sensitive roles.

What would this do to the culture of compliance at the company?  What impact on the free flow of information within the company?  What impact on trust and job satisfaction?  Is a rumor information that the company wants to (or needs to) manage or control? How? If the employee has a contractual obligation to keep company information confidential, can the government do this?


Filed under Board, Communications, Compliance, Culture, Definition, Governance, Information, Management, Oversight, Use, Value

Right to be forgotten, part 2.

The page 1 story is how Home Depot reacted to the Target credit card breach, but perhaps too late.  “Home Depot Upped Defense But Hacker Moved Faster,” Wall Street Journal, September 13-14, 2014, A1.  But that’s not the subject of today’s post, as interesting as the story may be.

Instead, I turned to page 4, for “Gun Law Gone, Debate Over Files Persists,” Wall Street Journal, September 13-14, 2014 A4.  Unusual information governance issues, in a different context.  Apparently, since 1935 Durham County in North Carolina required gun owners to register their weapons with the county clerk.  The law was recently repealed.  But what to do with all those paper records?

Leaving aside the politics, what happens to information that was illegally collected (assuming a constitutional violation)?  Even if it has historic value?  What if this were the registry of people of a particular religious faith?

Does the legality of the collection of the data influence the decision to destroy it?  Maybe not a problem for corporations, but the government keeps a lot of information.  That information was collected for one purpose or another and is now a subject for retention for yet another purpose.  Who owns it?  Do different rules apply to the government?

I guess this raises the right to be forgotten.  But that doesn’t apply here.  Should it?


Filed under Collection, Controls, Information, Ownership, Privacy, Requirements, Value

4 sections, 4 stories

A blurb from each of the four sections of today’s Wall Street Journal.

“Website Alleged to Extort Millions from Companies,” Wall Street Journal, September 12, 2014 A9. This is a follow-up story on the 21st Century Herald website, which allegedly required companies doing IPOs to buy expensive advertising on the site or face bad news articles. Gosh, newspapers can do that?  Maybe just in China.  What’s information worth?

“Yahoo Faced Big U.S. Fines,” Wall Street Journal, September 12, 2014 B1.  Next in the extortion parade, the US government wanted to fine Yahoo $250,000 a day for its refusal to turn over customer data in response to a secret proceeding, pre-Edward Snowden.  Portions of the record are still sealed.  Balancing constitutionally protected privacy rights versus national security – I guess my copy of the Constitution is missing that provision.  Yahoo for Yahoo for not caving in.

“Top Trader Linked to Probe Gets New Job,” Wall Street Journal, September 12, 2014 C2. What does it say about the culture of his new employer when a trader fired in the wake of the alleged shenanigans in the global currency markets is hired?  His new employer did a lot of due diligence and talked with the investigators several times, and the employee hasn’t been convicted of anything yet. But what’s the impact on the other employees, and how limited is his new role?  Would you want to be his manager?

I can normally use sports to make an information point.  And how can one let the Ray Rice incident go unnoticed? “A New Twist in the NFL’s Ray Rice Probe,” Wall Street Journal, September 12, 2014 D9. [Who writes their headlines? Was this on purpose?] Following on the Watergate theme, what did you know and when did you know it?  Did the NFL big shots see the full video before deciding on a two-game suspension? If so, end of story for them.  If not, why not?  What do your senior executives not see before they decide something? Did they make reasonable inquiries?  Did some low-level employee receive the full copy and decide not to share it with the top brass?  Why? How many papers will these stories sell?


Filed under Board, Business Case, Collect, Communications, Compliance, Controls, Culture, Duty of Care, Governance, Internal controls, Management, Oversight, Privacy, Protect assets, Protect information assets, Risk, Use, Value

Return to the well

I’ve blogged before about the leaks of information in Washington that led to profit-taking on Wall Street.  The story continues.

“Hedge Funds Scrutinized in Washington Insider Probe,” Wall Street Journal, September 11, 2014 A1.  Did someone in the government leak information to a research firm that in turn emailed several of its big clients, who then traded on the information? Did anyone know/care that they were trading on possibly illegally obtained information?  I mean before the SEC got involved?  Did they check?  Can they prove they checked?

Information has value, even if that information was not obtained legitimately.  Are you willing to put your firm’s reputation and your personal liberty at risk?  What’s the culture at the firms who traded on this information?  Or was this all legitimate?  How well do you document your sources of information?


Filed under Board, Business Case, Collect, Compliance, Controls, Culture, Governance, Information, Internal controls, Management, Oversight, Ownership, Risk, Third parties, Use, Value

King Canute

If you’re in the information search business, as Google is, your ability to search and report back on what you find is core.  So how do you navigate jurisdictions that want to selectively limit access to certain information on the web?  This even before control of ICANN passes to a UN committee, to say nothing of net neutrality.

“Google Officials Debate Web Privacy in Europe,” Wall Street Journal, September 10, 2014 B4. Following the court decision applying the “right to be forgotten” to truthful information on the web, Google is in something of a bind.  So how to influence people while implementing the ruling, which apparently requires Google to take down search results that present accurate information about people, information that is stored outside of Google?  Not the information itself, mind you; just the search results.

What does that do to the value of a search of information known to be inaccurate and incomplete? If information is on the web but no one can find it, does the information still exist?

Would your risk assessment have identified the risk of future legal rulings that make your business model illegal?   Who owns information on the web?  Who controls what gets stored there and who can see what?  Why not go after the places where the information is stored?  Is Google just too big or too American? Maybe all the information will end up sitting on servers in the US (or elsewhere) and European regulators will be forced to play Whack-a-Mole in tracking down workarounds that allow people in Europe to search information stored elsewhere.

The mind boggles.  I picture King Canute ordering the tides to recede.  He was an early European regulator, come to think of it.


Filed under Business Case, Controls, Information, Internal controls, Legal, Ownership, Privacy, Requirements, Risk, Third parties

Farmers’ Almanac 2.0

No, this isn’t about Martoma and his 9-year sentence for insider trading.  Nor is it about Home Depot’s admission of a breach that may have affected tens of millions of credit cards.  It’s about farming.

“Cargill Inc. Harnesses Analytics For Farms,” Wall Street Journal, September 9, 2014 B4.  Cargill starts a service to compete with DuPont and Monsanto in providing farmers advice on planting.  Can increase a farmer’s yield 5%-10%; no word on what yield Cargill gets, either from the service or from its sales of seeds or pesticides.

But clearly there is a market for this information, and the Big Three are competing in its sale.  Is there something novel you can sell to your customers that will increase sales of your main products?  Ben Franklin would be proud.


Filed under Collection, Information, Operations, Ownership, Use, Value

Puzzled or clueless?

“A Services-Sector Gauge Finally Gets Its Due,” Wall Street Journal, September 8, 2014 A2.

I had never heard of the Quarterly Services Survey, or QSS, before this morning.  I wager you hadn’t either.  Measures consumer spending on services, like hospitals, daycare centers, and law firms.  It’s 20% of the Commerce Department’s quarterly GDP calculation.  The May estimate of health care spending was 9.1%; in June, it was revised downward to -1.4%.

What’s that as a percentage change?  Plus or minus 110%?  For 20% of the GDP (okay, health care spending is only one element, but that’s still huge).  GDP contraction more than doubled.  New figures due Thursday.  Experts were puzzled.

Is this information valuable to you?  Is variability/accuracy a concern?

Is there other government or economic data you rely upon?  Is it more accurate?  Do you know what the numbers are based on and how they are derived?

“If the information is more accurate, at least in theory, [businesses, investors, and policy makers] will make better decisions about investing …, tweaking interest rates and revising tax laws.”

Experts were puzzled?  I’d say more like clueless.


Filed under Business Case, Data quality, Information, Risk, Value