Monthly Archives: January 2018

Willie Sutton?

Willie Sutton (a famous bank robber) was reportedly asked, “Why do you rob banks?” He reportedly said, “Because that’s where the money is.”

“Hackers Plunder Crypto Exchange,” The Wall Street Journal, January 27, 2018 B5. More than $500 million in credits hacked from the Coincheck site in Japan.  One assumes virtual banks are easier to rob than brick and mortar banks.

This is a concrete example of the cost of a cyber breach.  But it also follows on from an earlier post (Law School Exam Question) equating cash money and information, in terms of value.

If businesses (including the Board of Directors) treated information assets as cash, and managing, protecting, and controlling the organization’s information as currency, would that be “information governance”?  Why do they handle information assets differently?  Why should the Board and the officers get a pass on this?  The shareholders certainly don’t.

Leave a comment

Filed under Board, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, IT, Oversight, Oversight, Ownership, Protect, Protect assets, Protect information assets, Security, Third parties, Value

Fake news

“Fake Public Comments On New Rules Probed,” The Wall Street Journal, January 25, 2018 A3.  Were faked ids used to post comments on proposed federal regs?

When you make comments on a proposed government regulation, do you have to provide your correct name or id?  Is there a special problem when the government tries to limit your free speech?  Is this fraud (and if so, why?)?  Apparently, it is a crime to “knowingly make false, fictitious or fraudulent statements to a US agency.”  Is this 18 USC §1519, or something else?  Can the government criminalize “fictitious” comments to the government?  There’s the 1st Amendment of course, and the right to petition.

For a non-commercial site, how do you stop “spoofing”?

Leave a comment

Filed under Accuracy, Controls, Duty, Government


Stealing an asset from someone else is a crime.  Information is an asset.

“Firm Found Guilty of Tech Theft,” The Wall Street Journal, January 25, 2018 B2.  Chinese company bribes a vendor’s European employee to get software code.  The employee was convicted of the theft in Austria in 2011.  Only now is the company itself convicted in the US.

The cost of the theft was alleged to be $800 million.  The convicted company (which used to be the vendor’s major customer) faces fines of nearly $5 billion.

Is this just part of a trade war with China?

Leave a comment

Filed under Compliance, Controls, Corporation, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Value


GE, fresh from the embarrassing disclosure that the Board didn’t know about the two-jet policy, is now being questioned by the SEC over its accounting practices.

“GE Faces An SEC Probe of Accounts,” The Wall Street Journal, January 25, 2018 A1.  Questions arise over how GE accounted for revenue on long-term projects.

How did the Board miss this, too?  The new CEO must be beside himself.  Welcome to the party.


Leave a comment

Filed under Accuracy, Board, Compliance, Compliance, Controls, Corporation, Culture, Culture, Directors, Duty, Employees, Governance, Inform market, Inform shareholders, Internal controls, Oversight, Oversight

Leaking government documents

One would think that professionals hold themselves to a higher standard, and would not conspire to take advantage of leaks of information from someone who shouldn’t be leaking it.

Au contraire, mes amis.

“Former KPMG Executives Charged,” The Wall Street Journal, January 23, 2018 B1.  KPMG execs arranged to get a heads up on which KPMG audits were going to be reviewed by the PCAOB.  After things went south and the investigation started, people started deleting emails and texts.  Same song, different verse.

So, working with a federal government agency to get confidential government information.  Consequence: criminal indictments of KPMG partners and civil suits.  They were also fired.  KPMG cooperated “fully” in the investigation.  The leakers at the government were angling for jobs at KPMG.


  1. Auditors commit crimes, too
  2. Confidential government information belongs to the government
  3. Conspiring with government employees to get that information is a crime
  4. Your employer has a lot of incentives to cut you loose if you’ve committed a crime in the course of your business
  5. It’s hard to get a job as an auditor after a criminal conviction
  6. Deleting emails and texts after an investigation started is Bad.  See also 18 USC §1519
  7. If partners in your firm are doing this, what else is going on?
  8. No one at the government has been charged

Leave a comment

Filed under Access, Board, Compliance, Compliance, Controls, Corporation, Directors, Duty, Employees, Governance, Information, Internal controls, Oversight, Ownership, Third parties

Risk versus cost

“Investors Turn to ‘Drive By’ Home Appraisals, Adding Risk,” The Wall Street Journal, January 22, 2018 A1.  A method that is illegal when used for a single home is used to quickly and cheaply (quick and dirty?) value large collections of houses, which are then used as collateral.

These values are then used as collateral on billions of dollars of bonds.  Isn’t that comforting?  Think of the money they are saving!

For now.

Do you know what information underpins your decisions?  Does the Board?  Does the market?  What could go wrong?

Leave a comment

Filed under Accuracy, Board, Controls, Corporation, Data quality, Duty, Governance, Information, Oversight, Oversight, Protect assets, Value

Process safety

“Hack of Saudi Plant Targeted Safety System,” The Wall Street Journal, January 19, 2018 B4. Cyberattack focused not on the theft of information, but on a critical emergency safety shut-off system.

So, this is more about information security than it is about information governance.  Or is it?  This is the type of attack that keeps the information security folks awake at night.  A big deal in the oil patch.

Who’s responsible?  The vendor of the equipment (and software) that was hacked?  Or the owner of the plant that had the equipment on-line?

Do your company have information that is critical to the safety of your operations?  Who’s responsible for protecting that from outside attack?


Leave a comment

Filed under Access, Board, Controls, Corporation, Duty, Interconnections, Internal controls, IT, Security, Vendors