Monthly Archives: August 2015

Weakest link

As tempting as the story on Apple’s ad blockers was, I think I’ll focus on lawyers.

“Lawyer’s Offstage Acts Threaten Record Pact,” The Wall Street Journal, August 31, 2015 C1. A lawyer on one side of a lawsuit allegedly shared information he shouldn’t have shared with a lawyer on the other side. This turned up in an investigation of sham legal bills to MasterCard. At issue is a now potentially defective $6 billion settlement.

All employees have a common law duty to hold their employer’s confidential information confidential.  Lawyers have a special duty in this regard.

But people breach their duties. If you’re the client, how do you protect yourself? And if you’re the law firm, how do you protect yourself from your own lawyers?


Filed under Controls, Duty, Employees, Risk, Third parties, Vendors

Consequences

Who’s liable if a company provides inadequate security for customer information on its website?

“CEO Out at Hacked Infidelity Website,” The Wall Street Journal, August 29-30, 2015 B4.  The CEO at the parent of Ashley Madison steps down after the site’s customer data was hacked and posted.

Expect lawsuits from the customers, some of whom have been blackmailed. And from the estates of the people whose suicides have been linked to the hack. And a derivative action by shareholders alleging the directors of the Canadian company failed to provide adequate cybersecurity, as with Target and Sony. And an action by the FTC against the US operations.

Do you have insurance for this?  Even if the initial hack were a criminal act, do you still have exposure?  Will there be a company (or assets) left?

When you (as a director or CEO or CIO) have a duty to protect the information assets entrusted to your company, what happens if you breach that duty?


Filed under Board, Controls, Duty of Care, Governance

Yes, we have no bananas

Who has what duties to whom with respect to information?  Can the CEO or major shareholder present false information to the Board in order to profit at the expense of the other shareholders?

“Dole CEO Must Pay Shareholders,” The Wall Street Journal, August 28, 2015 B4.  The CEO (and 40% shareholder) wanted to buy the remaining 60% of the stock.  So he drove down the share price and then gave the Board false financial projections.  The court awarded the plaintiffs $148 million in damages.

Duty is a core element of all governance.  What duties do the CEO and major shareholders have to the corporation and to the other shareholders?  How much do shareholders rely upon the CEO to fulfill his duties?  How do they monitor that?


Filed under Board, Business Case, Duty of Care, Governance, Inform shareholders, Investor relations

The Read-on rule

“Car-Safety Debate: Is a Hacked Vehicle Also Defective?” The Wall Street Journal, August 25, 2015 B1. If your car’s electronic systems can be hacked, is that a safety defect? Can regulators require a recall? Can you sue?

On the other hand, if you fail to provide reasonable protection to online customer data, the FTC can come after you for unfair and deceptive trade practices. “FTC Can Target Firms for Lax Security,” The Wall Street Journal, August 25, 2015 B4.

What information do you have within your control, and what protections must you provide?


Filed under Uncategorized

The Business Case (cont’d)

One way you can make money from “information” is to make it easier to transfer that information securely.

“Profits From Privacy,” The Wall Street Journal, August 24, 2015 R5. A list of small businesses that are trying to address the market for more security in the electronic world. It’s not just SnapChat anymore: encrypted email and texts, automated deletion from servers and phones, and disposable phone numbers (as opposed to disposable phones).

But even though the problem is the inherent insecurity of electronic information, is the solution necessarily technological?


Filed under Uncategorized

Summer of IG – Connect the dots

I’ve taken a bit of a break from posting here, what with vacations and all.  But the beat goes on.

I’m struck by three different stories that have been bubbling.

First, Hillary Clinton and her personal server, and the possibility of violations of security protocols and record-keeping requirements, to say nothing of a possible claim under 18 USC Section 1519. That section makes it a felony to knowingly alter, destroy, conceal, or cover up any record or document with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States.

Second, Tom Brady deleted a bunch of emails and destroyed his phone in the midst of the NFL investigation into possibly deflated footballs. He should be glad there wasn’t a potential lawsuit and that the NFL is not an agency of the US government.

And, finally, Ashley Madison provided some interesting and salacious summer reading. The site, which centered on connecting people who wanted to have extramarital affairs, was hacked. Apparently, some of the details (names and credit cards) and email traffic on this site have been made public. Is the business liable for not protecting its customers’ information, even when they paid extra to have special security? And why were people with a whitehouse.gov email address connecting with this site?

I am still looking for the examples of people properly managing information.


Filed under Uncategorized

Eggs and baskets

You run mutual funds.  Your customers want to be able to figure out the value of their investments.  But they can’t, because of a computer glitch at a vendor.

“Pricing Snag Stymies Trading in Popular Funds,” The Wall Street Journal, August 27, 2015, A1. Mutual funds can’t supply customers with pricing information because of a computer problem at Bank of New York Mellon Corp. Not a great week for that.

What information do you rely on to do your business, and how much of that comes from a third party?  What happens if that third party doesn’t perform as expected?  Is that information governance, or something else?  Does it help that a lot of others relied on that same third party?


Filed under Business Case, Business Continuity, Definition