Would you hide something stupid from the Board?
“GE Board in Dark on CEO’s Use of Extra Jet,” The Wall Street Journal, October 30, 2017 B1. As if it weren’t bad enough that the CEO flies on the company plane, it appears that he brought a second plane along, just in case.
Now why would you keep that secret? Even after an internal complaint several years ago? How do you define waste? Who thought that this was an appropriate use of the shareholders’ money?
Might there be gaps in the compliance program? If this slipped through, what else is out there?
Filed under Board, Compliance, Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Information, Internal controls, Oversight, To report
How do you protect against intrusions from outside (hacking, viruses, ransomware)? Policies and technology, mainly. How do you protect against breaches that start with your own people (phishing and the like)? Policies, training, and a bit of technology. How do you respond to an actual breach? Policies and procedures, training, and technology.
In the response, keep the notice requirements in mind. The rules vary from state to state, and the clock may start running before you have finished figuring out what happened.
“States Quiz Equifax on Disclosure,” The Wall Street Journal, October 30, 2017 B1. Several states initiate investigations into Equifax’s delay in reporting after the hack that may have compromised the records of 145.5 million consumers. What did they know, when did they know it, when did they report it, and to whom? Notice to the state, to the federal government, to the consumers, and to investors? What’s reasonable, and what’s required by statute?
It’s all about notice. Given the business, should the directors have been on top of this?
Filed under Communications, Compliance, Controls, Corporation, Directors, Duty, Governance, Information, Interconnections, Internal controls, IT, Legal, Oversight, Requirements, Security, To report, Value
“Hackers Target Schools,” The Wall Street Journal, October 24, 2017 A3. Cyberthefts and ransomware attacks at a whole host of schools, targeting data on students, as well as the normal financial stuff.
So, how much money should schools spend to prevent hacking and subsequent release of student data? And isn’t it nice of the news media to report how much ransom the attackers got?
So, whose data is it, anyway? And who’s the custodian?
Filed under Access, Compliance, Controls, Duty, Duty of Care, Governance, Government, Information, Interconnections, Internal controls, IT, Oversight, Ownership, Protect assets, Security, Third parties, Value
“Countermove in Code War,” The Wall Street Journal October 24, 2017 B4. Kaspersky Lab promises to open its source code to independent review to deflect allegations that its antivirus software was the pathway by which some confidential US government documents were compromised.
What can you do when the software you sell to protect information from infection is, itself, potentially compromised? What business will you have if you can’t provide adequate assurances?
“Fidelity Is Hit by Employee Conduct Problems,” The Wall Street Journal October 23, 2017 A1. Several high-level employees canned following sexual harassment allegations.
Who knew Harvey W. would start a trend that reached beyond entertainment into high-finance?
Did these companies not have policies against sexual harassment and bullying? Had compliance with the policies been audited? What’s the compliance history?
Filed under Board, Compliance, Compliance Verification, Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Internal controls, Oversight
Normally, I use articles from The Wall Street Journal to kick off my points. But the story making the rounds isn’t, as far as I can tell, in the Journal.
“YouTuber says Apple engineer father fired over her viral iPhone video,” New York Daily News, October 29, 2017 (accessed online). An engineer working on the Apple iPhone X got fired after his daughter posted a video on YouTube showing how it works.
Now, one assumes the engineer was subject to a confidentiality agreement with his employer, and that Apple restricts disclosure of technology prior to release. And he screwed up by leaving his test phone out where his daughter could get it and post the video on YouTube. And Apple had to enforce against the engineer or it would be hard for Apple to enforce against others on the same topic. Trade secrets need to be secret.
Two things. First, people do get fired for disclosing their employer’s confidential and proprietary information to third parties (or, apparently, allowing a family member to do so). Second, do we/you ever leave confidential or proprietary information belonging to our/your employers or clients out where family members can access it?
“Pacemaker Fix Against Hackers Raises New Fears,” The Wall Street Journal, October 21, 2017 B4. Will updating the software crash your pacemaker? The fix closes a potential pathway for hackers, but the update itself carries risk.
A couple of information points. Software is information. Limiting unauthorized access to “my” pacemaker seems to be something the manufacturer should be responsible for. Who manages the risk of hacking? Who manages the risk of the change itself? Is this the doctor’s call or the patient’s call?
Filed under Access, Compliance, Controls, Corporation, Duty, Governance, Interconnections, Internal controls, IT, Risk, Security, Third parties