Of course the firm’s chief information officer knows all the emails are stored forever. So he wouldn’t write bad stuff in email.
“Defense Puts Spotlight on Law Firm’s Emails,” Wall Street Journal, May 28, 2015 B3. Defense argues that “fake income” is a legitimate accounting term. But he wouldn’t put anything bad in emails. Bankruptcy of Dewey & LeBoeuf.
If you know of the long-term storage of all emails, does that make it more or less likely that you’ll write bad stuff in emails? Is making people more aware a way to “cleanse” the record in advance?
Your top manager is mildly flawed. Does that impact the stock’s value?
In a word, yes.
“An Executive’s Misdeeds Often Prove to Be Costly,” Wall Street Journal, May 27, 2015 B7. Drunk driving by the top boss costs 1.6%. If it’s the chief executive, the cost is 4.1%. About 65% of the execs studied kept their jobs.
What does it say about your culture if your chief executive’s flaws are known? If the CEO is observed jaywalking while walking to a meeting, can your company expect your employees to comply with all applicable laws? Your Code of Conduct does not distinguish between non-compliance with the Foreign Corrupt Practices Act and non-compliance with your record retention schedule.
Is a flawed senior executive a broken window, in the law enforcement context?
An auditor briefs some of the company’s directors about an investigation of bribery. In 2006. Nobody tells the SEC until 2011. What are the directors’ obligations once they know or have reason to know of criminal wrongdoing? Why do companies have auditors?
“Wal-Mart Auditor Criticized On Probe,” Wall Street Journal, May 26, 2015 B3.
The leader of a price-fixing conspiracy says that people much higher than he was in the bank knew about and indeed participated in the rigging. If true, what does this say about the culture of the company? If true, what happens to the company’s charter?
“Libor Courtroom Drama Is Ready to Begin,” Wall Street Journal, May 26, 2015 C3.
What happens if a company doesn’t meet its duty to comply with the law? How many people knew?
Fingerprints as information.
“London Man Convicted of U.S. Soldier’s Murder,” Wall Street Journal, May 22, 2015 A6. Based on fingerprints on homemade bombs in Iraq, man convicted of murder of a US soldier in Iraq in 2007.
Are fingerprints information? Who owns them? How does that evidence survive for 8 years? Who governs them?
Is it a problem if your employees get work-related email outside working hours? It depends.
“Overtime Pay for Answering Late-Night Emails?” Wall Street Journal, May 21, 2015 B1. If you access your employees by email after hours, you may be liable for overtime.
Does your policy address this? What if they use a company-issued phone for personal business after work? Or a personal phone to access the company server for either (a) personal business or (b) company business?
Hackers got into the data of a major health insurer in June 2014. Perhaps a million customers affected. Breach was just announced, having gone undiscovered for more than 9 months.
“Hackers Accessed Data From Insurer CareFirst,” Wall Street Journal, May 21, 2015 B2. Third health insurer breach reported this year. This one in the DC area. Were federal employees affected? Don’t know. Yet. Looks like Chinese hackers.
How quickly would you like to know that your name, email, address, and other information had been hacked? I assume 11 months is “too long.” The information that was hacked was the information the customers used to access services at the insurer.
Inside a company, sharing knowledge (aka information) can be a good thing. When you start sharing with other companies, things can get problematic. Or criminal.
“Banks Pay $5.6 Billion To Settle U.S. Probe,” Wall Street Journal, May 21, 2015 A1. Banks that shared information in order to maximize profits by price fixing foreign currency rates through use of an online chat room pay a huge fine. And they pled guilty to criminal charges.
So, sharing some information outside the company is bad. That’s bad with a “B.” Like the “B” in billion. What does it say when your bank pleads guilty to a crime? Why does the SEC allow them to continue to operate? Sure lucky they aren’t government contractors. And what happens in the future if one of them commits another crime?
Civil suits to follow.
You didn’t need to go far in this morning’s paper to find information governance-related news items.
- “U.S. Says Chinese Professors Stole Tech,” Wall Street Journal, May 20, 2015 A1. Professor arrested for allegedly stealing wireless technology from two US companies and then using it in China to make equipment for sale to the Chinese military.
- “Debit-Card Data Theft At ATMs Is Soaring,” Wall Street Journal, May 20, 2015 A1. Dramatic rise in capture of withdrawal information, including passwords, at ATM machines.
- “Clinton’s Staff Kept Tight Rein On Documents,” Wall Street Journal, May 20, 2015 A1. Allegations that chief of staff interfered with normal process by which FOIA staff decides which documents are to be withheld.
Plus one on page B1: “Bug Exposes Broad Security Flaws,” Wall Street Journal, May 20, 2015 B1. Engineers tweak the systems to fix security flaw, but cause certain websites to virtually disappear.
Controlling access to sensitive data is a major component of information governance as companies have a duty to take reasonable steps to protect their assets. And to take reasonable steps to prevent people from stealing your information. And the government needs to avoid the appearance of allowing political interference in the Freedom of Information Act process. And when protection of the internet is worked out between engineers trying to do their best, stuff happens. [Lord, forfend, that the government gets involved.]
Do your senior executives take sensitive information home? Perhaps they shouldn’t.
“U.S. Special-Operations Force Seizes Digital Trove in Syria Raid,” http://www.wsj.com/articles/u-s-forces-seize-digital-trove-in-syria-raid-1431905925 Wall Street Journal, May 18, 2015. The raid in Syria resulted in the capture of a treasure trove of digital data.
Are there lessons here for information governance?
[Sorry about the partial post. Doing it on my iPad while traveling.]
EDGAR, the SEC’s system for handling electronic filings, is a good thing, for the most part. But ease of access can be overdone.
“SEC Reviews Fishy Avon Bid,” Wall Street Journal, May 15, 2015 A1. A false takeover bid, filed through Avon’s EDGAR feed, sent Avon’s shares up 20%, before they dropped back. The FBI, among others, is investigating. “FBI Delves Into Avon Offer,” Wall Street Journal, May 16, 2015 B1.
What does it say when the system that the market relies upon for accurate and timely disclosures has weaknesses? Is this a case of trust but verify? This is different than spoofing a trade; this is spoofing a takeover bid. Lots more plaintiffs. But is a bid at a 200% premium, from a company in a country with no registered companies, believable?