Monthly Archives: November 2017

Delay in disclosure

In the news, generally, several claims of sexual harassment, many dating from decades ago.  On both sides of the political aisle, and in other industries.

What does it say that the alleged victims felt the need to keep quiet all those years?  How do the alleged harassers disprove the allegations after so much time has passed?  Have “standards,” such as they are, changed over the years?  It would seem that the behavior complained of would have been actionable at the time, but maybe not.

I raise this not to make a political or legal point, but rather to demonstrate that the value of information changes over time, sometimes increasing in value and sometimes decreasing.

Leave a comment

Filed under Data quality, Information, Value

Hacking denial

Keeping a hack of your enterprise secret should be difficult.  Some find it easy.

“Uber CEO Knew of Hack for Months,” The Wall Street Journal, November 24, 2017 A1.  Uber was hacked in October 2016 (they say), affecting 57 million accounts.  Less than Yahoo’s 3 billion, and Equifax’s 145 million.  The CEO learned of the breach in September 2017, shortly before taking the top job.  Uber also paid the hackers $100,000 to destroy some of the stolen data.

Would they have disclosed it at all if they weren’t seeking outside financing?

What’s your obligation to disclose to your customers that their information may have been stolen from you?

Leave a comment

Filed under Communications, Compliance, Controls, Corporation, Directors, Duty, Employees, Governance, Information, Internal controls, Investor relations, IT, Legal, Oversight, Ownership, Requirements, Security, To report

It depends what you mean by “lost”

When someone touts numbers, what do they really mean?

“Your Lost Luggage May Not Count as Lost,” The Wall Street Journal, November 16, 2017 A12.  The “official” figures on how many pieces of luggage each airline misplaces are different than how many bags get lost.  The government defines the operating statistics that must be reported.

Are your sufficiently critical when someone gives you numbers?  Especially when it affects their compensation?

Leave a comment

Filed under Accuracy, Controls, Data quality, Definition, Information, Requirements

20% failure rate

What does it say about your process if it has a 20% failure rate?  Are you not serious about quality?

“Army Didn’t Submit Convictions,” The Wall Street Journal, November 16, 2017 A3.  Twenty percent of the time, the Army failed to file records of military convictions into the federal database used for background checks for gun purchases.

The Air Force missed filing one, and the Texas church shooter killed 26.  The Defense Secretary ordered a review of all military units and how they process convictions.  Apparently, this is done (or not) by the local base.

Does your company have policies or processes that remote offices doesn’t follow 20% of the time?  Other than your record retention schedule?

Leave a comment

Filed under Uncategorized

Eggs and baskets

On the one hand, regulators want to be able to easily see all the trading data about stock trades.  On the other, if you put all the important information in one place, hackers might go after it.  What’s a body to do?

“Exchanges Seek Database Delay, Citing Security,” The Wall Street Journal, November 15, 2017 B18. The NYSE and others asked the SEC to delay the start of a new database of sensitive trading information so that they can enhance the security. By adding a CISO, for example.

The SEC hasn’t been a positive model for computer security, and industry has had a few oopsies as well.  How does one balance ease of regulatory enforcement and security?  Which one is more important?  Who’s responsible/liable if there’s an oops?


Leave a comment

Filed under Access, Accuracy, Controls, Corporation, Duty, Duty of Care, Governance, Government, Internal controls, Oversight, Protect assets, Security, Third parties, Value

Checkers checking checkers

What happens when the person in charge of protecting whistle blowers is alleged to have retaliated against employees who pointed out possible wrongdoing?

“SEC Watchdog Faces Complaints,” The Wall Street Journal, November 13, 2017 B9.  The Inspector General at the SEC faces complaints of retaliation against whistle blowers, who raised time and attendance fraud.  Was there also some office hanky-panky?  The investigation may also not have been independent.

It’s good when the government gives examples of behavior.  It would be better if they were examples of good behavior.

Leave a comment

Filed under Compliance, Controls, Culture, Duty, Employees, Governance, Government, Internal controls, Oversight


A fascinating area for exploration is the drafts that led to the final version.  The dates, the wording, the recipients.  Why do people keep drafts?  Just because?

“Comey Originally Tougher On Clinton, The Wall Street Journal, November 7, 2017 A5.  A Republican Senator discloses that Comey’s early draft of the exoneration document used the language “grossly negligent,” the statutory test.

I’ve referred to July 5, 2016 as the Day that Information Governance Died.  That’s when the Director of the FBI announced his decision not to prosecute someone who had routinely violated the rules on handling secret documents, because “no reasonable prosecutor would bring charges.”  Not to get into the politics of things, but how can you argue that following the rules is required when the Secretary of State isn’t held to the standards that apply to a Navy seaman?

That being said, why do people hold on to drafts?  Because it’s easy?  Or because it’s hard to get rid of them?  There is seldom a reason to retain them beyond when the document is final.  Maybe a phrase or a paragraph.  But the entire document?  How can we convince people not to keep drafts?



Leave a comment

Filed under Compliance, Controls, Corporation, Discovery, Duty, Employees, Governance, Internal controls, Legal, Records Management, Risk

Swiss cheese, revisited

I am reminded of the Swiss cheese model for managing risk.  See

The awful shooting at the church outside San Antonio.  How many controls to manage the risk of a lunatic buying a gun failed?  Certainly, the Air Force failed by not recording the circumstances of his dishonorable discharge and related matters. (Was this systemic?  What about other branches?  Were there incentives/disincentives?)  And the fact that he had been in a mental institution wasn’t in the data base either. Who else failed?

And what about the self-certification, where a gun buyer needs to certify that he/she hasn’t done a bunch of bad things, which in turn is confirmed by the background check?  Do self-certifications work?  How much do you rely on having your employees sign an annual certification that they’ve read and understood (and don’t know of any violations of) your Code of Conduct?  Does that provide any protection?  Or does it just give you false comfort and a metric to measure?


Leave a comment

Filed under Compliance Verification, Risk

Equifax, continued

“Equifax Clears Four Executives,” The Wall Street Journal, November 4, 2017 B8.  Apparently, the senior execs didn’t know about the hack of 145.4 million accounts that was allegedly discovered only three days before they sold stock.

How do you prove what you didn’t know?  How does the lawyer approving the sales know what they knew?  Someone in the company knew about the hack.  Doesn’t that knowledge get imputed to all the senior execs?

Leave a comment

Filed under Access, Compliance, Controls, Corporation, Duty, Employees, Governance, Internal controls, Lawyers

Rogue employees

What do you do when a rogue employee decides to express his or her politics by messing with your product?  Could that affect your brand?

No, this isn’t about the NFL.

“Twitter Tightens Security,” The Wall Street Journal, November 4, 2017 B3.  Security lapse allows a departing and now former Twitter employee to shut down President Trump’s Twitter feed for eleven minutes.

Cybersecurity focuses not only on external hackers but also internal bad-deed doers.  Sometimes, even well-designed security plans fail.  But those third-party plans are protecting your information in their control.

Do you have special controls for special celebrity cases?  Do you take extra steps for departing employees?

Not sure Twitter is a brand.

1 Comment

Filed under Access, Business Continuity, Controls, Corporation, Duty, Duty of Care, Employees, Governance, Internal controls, IT, Management, Oversight, Protect, Protect assets, Security, Supervision