Monthly Archives: March 2017


Information shared on WhatsApp is regulated, and may be visible, too, if you’re in banking.

“U.K. Fines Ex-Banker For Boasting on App,” The Wall Street Journal, March 31, 2017 B10.  A managing director used WhatsApp to share confidential deal information with his buds.  The managing director resigned and was fined £37,198.  The company had discovered the messages when searching the former employee’s phone on another matter. [Messages on WhatsApp normally can’t be seen by government investigators because of end-to-end encryption; you need access to the device and the password – see the recent terrorist attack in London.]


  • Managing Directors don’t follow policies
  • Companies do well when they report transgressions to the authorities.
  • People get fired for this stuff

Leave a comment

Filed under Access, Compliance, Controls, Corporation, Directors, Duty, Employees, Governance, Internal controls, IT, Oversight, Security

How important is keeping records?

In September 2010, a pipeline exploded in San Bruno, California, killing eight.  PG&E, the pipeline’s owner, couldn’t find records of pipeline inspections required by regulation.  Lots of fines and civil damages.

As part of the resolution, or as part of their post-crisis communications plan, PG&E placed a full-page ad in The Wall Street Journal on March 21.

Here’s a pdf of the ad.  TheWallStreetJournal_20170321_B005

Doubt if the corporation has that ad in Lucite paperweights.

Does your corporation adhere to regulatory record-keeping requirements?



Leave a comment

Filed under Board, Compliance, Compliance, Corporation, Directors, Duty, Employees, Governance, Legal, Oversight, Records Management, Requirements

Presidential liability

No, not that President.

The former president of Penn State University was convicted of child endangerment connected with the Jerry Sandusky scandal, for not telling the authorities about a complaint of allegedly inappropriate conduct in order to preserve the university’s reputation.  “Ex-College Head Guilty In Sandusky Case,” The Wall Street Journal, March 25, 2017 A2 (U.S. Watch).

A couple of points.

First, the president of a corporation is responsible for his or her own acts, even if the corporation hasn’t (yet) been held vicariously liable for the criminal act.

Second, the common law duty to report violations of law or policy applies to all employees, even the president.  If the president had reported this to the Board (or it’s close friend, the Compliance Department), and the Board didn’t act (disclose to authorities), would criminal liability against the corporation be easier to establish?

Third, as far as I know, the corporation hasn’t been criminally charged.  Why not?

Leave a comment

Filed under Controls, Duty, Employees, Internal controls, To report

What you don’t say

If a corporation fails to raise “‘known trends or uncertainties'” in securities filings, has it committed fraud against third parties?


“High Court To Weigh Corporate Omissions,” The Wall Street Journal, March 28, 2017 A2.  Supreme Court to hear a case involving suit by investors against company for omissions in public filings, otherwise the purview of the SEC.

So, does this mean that unspoken information is “information” subject to government regulation or third-party litigation?

Leave a comment

Filed under Accuracy, Board, Communications, Corporation, Definition, Duty, Governance, Inform market, Inform shareholders, Information, Oversight

Do you track what’s the normal cost?

“Venezuela Alleges Fraud in $1.3 Billion Oil-Rig Lease,” The Wall Street Journal, March 16, 2017 A10.  “Officials at PdVSA [the state oil company in Venezuela] were accused of embezzlement by paying inflated fees.”

How do you track whether the company is paying inflated fees to companies owned by Saudi princes, with a no-bid contract to an industry newcomer?  You do track that, don’t you?  As a director you would want to make sure that people weren’t paying too much for service contracts.  Why would the state oil company pay inflated rates?  Aren’t these bribes going the ‘wrong’ way?  Or was it just waste and incompetence?  The difference is only $250,000 a day for seven years.

Do you consider the information governance aspects of the FCPA, beyond the books and records?  It is good that the government checks.

Leave a comment

Filed under Board, Compliance, Compliance Verification, Controls, Corporation, Definition, Directors, Duty, Employees, Governance, Government, Information, Internal controls, Oversight, Oversight, Protect assets, Risk Assessment, Risk assessment

About time

Part of governance is punishing someone who violates the rules.  Good, though, to have some temporal connection between the violation and the punishment.

“U.S. Plans Charges In Breach At Yahoo,” The Wall Street Journal, March 15, 2017 B1.  Move comes after 2014 breach at Yahoo that exposed 500 million users in late 2014, after the larger breach in 2013 exposing twice as many accounts.  Huge impact on the users and the shareholders.

The company’s lawyer resigned and the CEO lost her cash bonus.  Have the directors at the time been penalized at all? They missed this, too.

Leave a comment

Filed under Board, Controls, Directors, Duty, Employees, Governance, IT, Lawyers, Oversight, Oversight, Protect assets, Protect information assets, Security

Managing Fake News

How do you respond when someone starts spreading false rumors about you or your organization?  Would it be good to have your country’s president’s support?

“Muslim Group Fights Web Spread of Fake News,” The Wall Street Journal, March 13, A13.  Government and a private organization join forces in Indonesia to battle fake news.  Think of Snopes, in Bahasa, sharing because “‘This is our responsibility as a society as a whole because hoaxes, false information, is not healthy for society.”

Could other countries benefit from a government-supported push?



Leave a comment

Filed under Accuracy, Controls, Data quality, Duty, Governance, Government, Oversight, Third parties

What does bad information governance cost?

One of the risks of bad information governance is that your employees will violate some restriction/law/regulation and the corporation will have to pay for it.  How much, you may ask?

“Volkswagen Faces Up to Penalties,” The Wall Street Journal, March 11, 2017 B1.  Volkswagen pleaded guilty and “agreed” to pay penalties of $4.3 billion for misleading the regulators and the public in the diesel emissions scandal.

Cost to date: $25 billion for trying to hide something from the regulators and the public.  Would your company do something like that?  What has this cost the directors and managers who either missed it or ignored it?  What has it cost the Volkswagen shareholders?


Leave a comment

Filed under Accuracy, Board, Business Case, Compliance, Compliance, Compliance, Compliance Verification, Corporation, Culture, Directors, Duty, Employees, Governance, Management, Oversight, Oversight, Protect assets, Protect information assets, Risk

Paying to cover up?

Say your mortgage company is highly regarded in part because of your low customer default rate.  Say as well that your low customer default rate is because you pay off some of the mortgages that otherwise would be in default.  Is that kosher?

“Lender Masked Borrower Debt Woes,” The Wall Street Journal, March 9, 2017 B1.  Renovate America Inc., which is involved in solar panel financing, paid off customer debts (secured by their homes) to avoid having to report defaults (or, perhaps, to avoid the customers’ making complaints to the state governments behind the loans).  How will investors in your company react to the news?  If it’s only a hundred customers out of 90,000?  $175,000 versus $1 million?

Is it material?  Not the amount of the repayments but the mere fact that the company was making any such payments?  Surprised by the fact that the allegations come from three former members of the company’s compliance department?  What else aren’t you being told?


Leave a comment

Filed under Accuracy, Board, Compliance, Controls, Corporation, Data quality, Directors, Duty, Employees, Governance, Inform market, Inform shareholders, Internal controls, Investor relations, Oversight, Oversight, Supervision

Deception strategy

How do you prevent the competition from punking your business?  Caller ID helps the pizza delivery business identify who’s calling.

“Uber Used Program to Evade Authorities,” The Wall Street Journal, March 6, 2017 B4.  Uber apparently wrote its terms of service, and monitors data on who and where calls are coming from, to reduce competitors’ interfering with its business (by making fake calls).  Also identifies people suspected of running a law enforcement sting operation.

So Uber looks for clues to see if you’re a regulator.  Do you use a burner phone?  Does your credit card belong to a regulatory agency? Is this using information to assist the achievement of your business model?

Leave a comment

Filed under Access, Accuracy, Analytics, Business Case, Collect, Controls, Governance, Management, New Implications, Operations, Policy, Protect assets, Risk assessment, Use, Use