Monthly Archives: June 2018

What you have, where you have it

A common starting point to information governance projects is to determine what information you have and where you have it.  Then you can start to manage it. But what happens if you don’t know what you have nor where you have it?

“Facebook Struggles to Find User Data,” The Wall Street Journal, June 28, 2018 B1. “The company can’t track where much of the [user] data went after it left the platform or figure out where is it now.”

A lot of the information is or was with app developers that are now out of business.  What happened to your/Facebook’s/their data?

Sure is easier to figure this out going forward than it is to figure out what happened between 2007 and 2015.  Especially if disclosure of some of that information is blocked by the government in far-off lands.  Or if the app developers don’t fancy having Facebook root through their servers and discovering their business secrets.  Or if Facebook doesn’t have a contractual right to get this information.

Sure would be easier if they’d had the proper controls in place at the time.

Leave a comment

Filed under Access, Controls, Corporation, Duty, Duty of Care, Governance, Government, Information, Internal controls, Oversight, Ownership, Ownership, Privacy, Protect assets, Security, Third parties, Vendors

Denying friendships

A simple compliance case.  An employee shares confidential information with a few friends and they trade stocks based on that information.  The employee (now suspended) and the two friends were arrested on criminal insider trading charges.  The employer is cooperating with the SEC’s investigation.  Civil charges pending, too.

“Analyst Arrested On Insider Charges,” The Wall Street Journal, June 27, 2018 B12.  S&P Global Ratings employee allegedly disclosed information about acquisition of Valspar by Sherwin-Williams.

What separates this from the other run of the mill insider trading cases is the fact that the employee apparently denied knowing his two life-long friends.

Lying to the Feds is not a good strategy.

Leave a comment

Filed under Accuracy, Compliance, Compliance (General), Duty, Duty of Care, Employees, Governance, Oversight

That clears that up

“Court Ruling Boosts Phone Privacy,” The Wall Street Journal, June 23, 2018 A1.  The Supremes’ rule that, in order to get your cell phone’s location data from your service provider, the government needs a warrant.

This raises several interesting Information-related points.  First, who owns that information?  Second, who (beyond the “owner”) has possession of that information? Third, who does the warrant get served on – the third party (also) in possession of this data, or the person who owns it and who doesn’t possess this data, and who in fact seldom knows that this data exists? Fourth, what else, beyond cell phone location data, is within this special zone of privacy, both today and in the future?  Fifth, what exactly are the exceptions?  Are they limited to bomb threats and shooters and child abductors?  Or is that somewhat flexible, too?  Does this hinge on “reasonableness,” which is somewhat loosy-goosey except in retrospect?  Does this apply to your Metro card?  Or your PayPal account?

And, then, as a Governance point, how does one justify this expansion of protection to things that are not “their persons, houses, papers, and effects …”?  Expanding a right to privacy that does not exist in the express language of the Constitution.

I haven’t read the decision and the dissents, just some news reports.  But didn’t a statute passed by Congress allow the government to access your data when stored with third parties? Is that statute (the Stored Communications Act) now valid or invalid?

Leave a comment

Filed under Access, Compliance, Duty, Governance, Government, Information, Ownership, Ownership, Privacy

Essence of governance

“Court Rejects SEC Judge Process,” The Wall Street Journal, June 22, 2018 A2.  Supreme Court rules administrative law judges appointed by lower level staff are not constitutional.

This doesn’t speak to information.  It is more Governance and Compliance; these concepts are close, but different.

Compliance: The process for appointment was unconstitutional.  Does this mean that every decision they made was invalid? What does it say that the agency did not follow the appropriate processes?  What did other agencies do (ALJ’s are everywhere in Washington, D.C.)?  The Executive Branch sort of overlapped with the Judicial?

Governance: Appointing judges in an unconstitutional manner seems to suggest a failure of governance.  Who decided to do this this way?  Is he or she going to be held accountable for the decision?  What about other agencies?  What type of risk assessment was performed, if any?

Leave a comment

Filed under Compliance, Compliance (General), Controls, Duty, Governance, Government, Internal controls, Third parties

Verrry interesting

“Europe’s Privacy Law Fails to Stoke Demand for Cyber Insurance,” The Wall Street Journal, June 21, 2018 B10.  Companies aren’t buying as much privacy insurance as people thought.

Certainly, in the wake of the GDPR rollout, the risk of a privacy law violation has increased.  Apparently companies think that they have adequate controls in place, and don’t need the protection of insurance to backstop their controls.  Insurance is a mitigation in case your controls aren’t totally effective.

Are these companies doing the same with other risks to other assets?  Or is you private data somehow different?

Leave a comment

Filed under Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Ownership, Privacy, Protect, Protect assets, Protect information assets, Security, Third parties

Tracking empties

Sometimes tracking is a good thing.

“Tech to Track Errant Kegs,” The Wall Street Journal, June 21, 2018 B4.  Sensors installed to reduce 10% shrinkage rate from theft or misplacement of beer kegs.  Could also track temperature.

Do you track similar information?  Is this more or less valuable than knowing what records you have and where you have them?

Leave a comment

Filed under Controls, Governance, Information, Protect assets, Records Management, Value

Inside job

“Tesla Accuses Former Employee of ‘Sabotage,'” The Wall Street Journal, June 21, 2018 B3. Did  a former employee hack Tesla’s manufacturing software and trade secrets and transfer information outside the company?  Was this for convenience, or was it theft?  Or to give to the press?

Do you have adequate controls to prevent this?  Or to discover it?  Who’s responsible if your controls fail?

Will the directors or senior officers be punished?  Did they fail in their obligations to protect the corporation’s assets?  Or is it just the shareholders who pay?  And pay, and pay.


Leave a comment

Filed under Access, Board, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Management, Oversight, Oversight, Protect, Protect assets, Protect information assets, Third parties, Value