Monthly Archives: September 2014

Information protection

With limited exceptions, what gets written down in a business has to be produced in litigation.  Example: GM’s ignition switch litigation.

“GM Ordered to Open Files on Defect Response,” Wall Street Journal, September 20-21, 2014 B3. GM required to turn over documents of its investigation, while bankruptcy proceeding continues apace.  The pending bankruptcy filed in July 2009 doesn’t protect the documents that may relate in part going back to 2005, even though some accidents prior to July 2009 may be beyond scope of current litigation.

Lesson:  don’t rely on attorney-client privilege or work product to protect documents from disclosure.  Write them with that in mind.

1 Comment

Filed under Business Case, Discovery, Legal, Risk


Sports is a target-rich environment for information-related pieces.  Here’s one on information-in-use.

“Baseball Experiments With Brain Science,” Wall Street Journal, September 20-21, 2014 A16. Use of neurologic training systems designed to improve a batter’s ability to hit the ball.  Interesting graphic on what’s going through a batter’s mind in the 400 milliseconds between the pitch and the ball arriving at home plate. baseball pic

Information governance has three main areas: compliance, protection, and use.  This is “use.”

Leave a comment

Filed under Analytics, Collect, Information, Management, Use, Value


“Home Depot Breach Tops Target’s,” Wall Street Journal, September 19, 2014 B1. A custom-made virus allowed hackers to steal data from 56 million credit cards over 5 months before it was detected and, hopefully, removed.  Cost for investigation, credit monitoring, call center, and the like: $62 million, or a bit more than $1.10 per breached card.  Cost of lawsuits: priceless.

Insurance covered $27 million of initial costs.

How good are your protections against hackers?  How good is your cyberrisk insurance? How much information do you have that belongs to others?  How well do you protect it?

Leave a comment

Filed under Board, Business Case, Collect, Controls, Governance, Information, Interconnections, Internal controls, IT, Management, Ownership, Protect, Protect assets, Protect information assets, Risk, Security, Third parties, Value

Saucus goose, saucus gander

Students of the Target credit card breach may remember that access to Target’s POS system started with a security breach/hole at a small refrigeration contractor saving money on its antivirus software.

“Hackers Find a Way In,” Wall Street Journal, September 18, 2014 A3. Transportation companies working with the US military were breached at least 20 times last year, and the US military was advised of 2 of the breaches. The hackers were linked to the Chinese government.

Do your contracts with vendors require them to notify you if they are attacked or breached?  The government now does.   Wouldn’t that be a good control for you to have? Would you enforce it?

What about US attempts to spy on Chinese government activities?  Is that different?

Leave a comment

Filed under Board, Business Case, Controls, Governance, Information, Interconnections, Internal controls, IT, Management, Oversight, Ownership, Protect, Protect assets, Protect information assets, Risk, Security, Third parties, Value

The flipside of Occam’s razor

“‘[E]ntities must not be multiplied beyond necessity.'”  Per Wikipedia, September 17, 2014. A principle variously stated, generally along the lines of the simplest explanation is preferred over the more-complex one.

“Insurance Site’s Frailties Detailed,” Wall Street Journal, September 17, 2014 A4. Report on a study by the GAO on security weaknesses of is an amalgamation of a bunch of other sites, with multiple connections and numerous contractors, rather than a single site, built from scratch. “Many of the problems stemmed from … disagreements about security roles and responsibilities with the various contractors, states and federal agencies that exchange information ….”

Are your information systems unnecessarily complex?  Are they too complex to secure against attack? Is there a simpler solution?

Leave a comment

Filed under Board, Business Case, Compliance, Controls, Interconnections, Internal controls, IT, Oversight, Risk, Security

1.5% isn’t bad.

As reported earlier (a dozen nuggets), people who fail to confirm their immigration status may lose healthcare cover.

“Missed Deadline to Cost Coverage for Thousands,” Wall Street Journal, September 16, 2014 A3.  The failure to provide information is costing over 100,000 people their health coverage purchased through  Another 279,000 are asked to verify income data in connection with health care subsidies.  Deadline is September 30, a little more than a month before the mid-term elections.

Take a moment to look at the information flows.  Eight million people apply for cover and get it.  It takes the US government only four months to resolve immigration discrepancies on a million enrollees, with only 1.5% of the 8 million applications unresolved (on this issue) in the first year of the plan’s operation.  How would you have verified the data?

Leave a comment

Filed under Business Case, Controls, Data quality, Governance, Information, Requirements, Risk, Value

Employee loyalty and criminal behavior

Is one of your employees an informant for the Department of Justice?  Does that chill internal discussion or cramp operations?

“‘Flipped’ Bankers Aid Forex Probe,” Wall Street Journal, September 15, 2014 C1. Rumors of “flipped” employees, who are acting as informants while still working for the target banks.

Were I a skeptical type, I might say that spreading the rumors of the existence of such informants might be part of the government’s compliance strategy.  So, too, might actually having the informants.  But if you’re about to enter settlement negotiations (as is the case here), might rumors be enough?

To assist its own compliance initiative, a company might mention the possibility of such informants to keep people in compliance.  Or might actually place informants in sensitive roles.

What would this do to the culture of compliance at the company?  What impact on the free flow of information within the company?  What impact on trust and job satisfaction?  Is a rumor information that the company wants to (or needs to) manage or control? How? If the employee has a contractual obligation to keep company information confidential, can the government do this?

Leave a comment

Filed under Board, Communications, Compliance, Culture, Culture, Definition, Governance, Information, Management, Oversight, Use, Value