Monthly Archives: June 2018

What you have, where you have it

A common starting point for information governance projects is to determine what information you have and where you have it.  Then you can start to manage it. But what happens if you don’t know what you have or where you have it?

“Facebook Struggles to Find User Data,” The Wall Street Journal, June 28, 2018 B1. “The company can’t track where much of the [user] data went after it left the platform or figure out where it is now.”

A lot of the information is or was with app developers that are now out of business.  What happened to your/Facebook’s/their data?

Sure is easier to figure this out going forward than it is to figure out what happened between 2007 and 2015.  Especially if disclosure of some of that information is blocked by the government in far-off lands.  Or if the app developers don’t fancy having Facebook root through their servers and discovering their business secrets.  Or if Facebook doesn’t have a contractual right to get this information.

Sure would be easier if they’d had the proper controls in place at the time.

Filed under Access, Controls, Corporation, Duty, Duty of Care, Governance, Government, Information, Internal controls, Oversight, Ownership, Privacy, Protect assets, Security, Third parties, Vendors

Denying friendships

A simple compliance case.  An employee shares confidential information with a few friends and they trade stocks based on that information.  The employee (now suspended) and the two friends were arrested on criminal insider trading charges.  The employer is cooperating with the SEC’s investigation.  Civil charges pending, too.

“Analyst Arrested On Insider Charges,” The Wall Street Journal, June 27, 2018 B12.  S&P Global Ratings employee allegedly disclosed information about acquisition of Valspar by Sherwin-Williams.

What separates this from the other run-of-the-mill insider trading cases is the fact that the employee apparently denied knowing his two life-long friends.

Lying to the Feds is not a good strategy.


Filed under Accuracy, Compliance, Compliance (General), Duty, Duty of Care, Employees, Governance, Oversight

That clears that up

“Court Ruling Boosts Phone Privacy,” The Wall Street Journal, June 23, 2018 A1.  The Supremes rule that, in order to get your cell phone’s location data from your service provider, the government needs a warrant.

This raises several interesting Information-related points.  First, who owns that information?  Second, who (beyond the “owner”) has possession of that information? Third, who does the warrant get served on – the third party (also) in possession of this data, or the person who owns it and who doesn’t possess this data, and who in fact seldom knows that this data exists? Fourth, what else, beyond cell phone location data, is within this special zone of privacy, both today and in the future?  Fifth, what exactly are the exceptions?  Are they limited to bomb threats and shooters and child abductors?  Or is that somewhat flexible, too?  Does this hinge on “reasonableness,” which is somewhat loosey-goosey except in retrospect?  Does this apply to your Metro card?  Or your PayPal account?

And, then, as a Governance point, how does one justify this expansion of protection to things that are not “their persons, houses, papers, and effects …”?  Expanding a right to privacy that does not exist in the express language of the Constitution.

I haven’t read the decision and the dissents, just some news reports.  But didn’t a statute passed by Congress allow the government to access your data when stored with third parties? Is that statute (the Stored Communications Act) now valid or invalid?

Filed under Access, Compliance, Duty, Governance, Government, Information, Ownership, Privacy

Essence of governance

“Court Rejects SEC Judge Process,” The Wall Street Journal, June 22, 2018 A2.  Supreme Court rules administrative law judges appointed by lower level staff are not constitutional.

This doesn’t speak to information.  It is more Governance and Compliance; these concepts are close, but different.

Compliance: The process for appointment was unconstitutional.  Does this mean that every decision they made was invalid? What does it say that the agency did not follow the appropriate processes?  What did other agencies do (ALJs are everywhere in Washington, D.C.)?  The Executive Branch sort of overlapped with the Judicial?

Governance: Appointing judges in an unconstitutional manner seems to suggest a failure of governance.  Who decided to do this this way?  Is he or she going to be held accountable for the decision?  What about other agencies?  What type of risk assessment was performed, if any?


Filed under Compliance, Compliance (General), Controls, Duty, Governance, Government, Internal controls, Third parties

Verrry interesting

“Europe’s Privacy Law Fails to Stoke Demand for Cyber Insurance,” The Wall Street Journal, June 21, 2018 B10.  Companies aren’t buying as much privacy insurance as people thought.

Certainly, in the wake of the GDPR rollout, the risk of a privacy law violation has increased.  Apparently companies think that they have adequate controls in place, and don’t need the protection of insurance to backstop their controls.  Insurance is a mitigation in case your controls aren’t totally effective.

Are these companies doing the same with other risks to other assets?  Or is your private data somehow different?


Filed under Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Ownership, Privacy, Protect, Protect assets, Protect information assets, Security, Third parties

Tracking empties

Sometimes tracking is a good thing.

“Tech to Track Errant Kegs,” The Wall Street Journal, June 21, 2018 B4.  Sensors installed to reduce 10% shrinkage rate from theft or misplacement of beer kegs.  Could also track temperature.

Do you track similar information?  Is this more or less valuable than knowing what records you have and where you have them?


Filed under Controls, Governance, Information, Protect assets, Records Management, Value

Inside job

“Tesla Accuses Former Employee of ‘Sabotage,’” The Wall Street Journal, June 21, 2018 B3. Did a former employee hack Tesla’s manufacturing software and trade secrets and transfer information outside the company?  Was this for convenience, or was it theft?  Or to give to the press?

Do you have adequate controls to prevent this?  Or to discover it?  Who’s responsible if your controls fail?

Will the directors or senior officers be punished?  Did they fail in their obligations to protect the corporation’s assets?  Or is it just the shareholders who pay?  And pay, and pay.

Filed under Access, Board, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Management, Oversight, Protect, Protect assets, Protect information assets, Third parties, Value

Happy Birthday!

Vendors with whom you deal can (and do) capture lots of information about you.  They use that information.  Hopefully to improve customer service.  Can they disclose what they know to others?  What if your traveling companions don’t know it’s your birthday because you don’t want them to know?

“What the Airline Knows About The Guy in Seat 12A,” The Wall Street Journal, June 20, 2018 A11.  What information on you do airlines collect and how do they use it?

If the information is correct and used positively, that’s one thing.  What if it’s wrong, or used negatively?  What if it leaks?  What if it’s sold?


Filed under Access, Accuracy, Collect, Controls, Corporation, Duty, Duty of Care, Governance, Information, Management, Oversight, Ownership, Privacy, Protect, Use

Conflicts as information

“McKinsey Held Back Chapter 11 Positions,” The Wall Street Journal, June 20, 2018 B1. Consultant advises in bankruptcy proceedings while holding undisclosed interests in the outcomes.

Did McKinsey not know that they had these investments?  Did they not have a process for checking for conflicts?  Or did they not care?  Did the lawyers not ask when employing an agent?  Was there no policy, at McKinsey or the court or the attorneys, about conflicts?

Maybe they need an outside consultant to review their processes.  Lots of really cool slides.


Filed under Access, Accuracy, Compliance, Compliance (General), Controls, Corporation, Definition, Duty, Duty of Care, Governance, Information, Internal controls, Lawyers, Oversight, Third parties, To report

Car 54, Where Are You?

Is where you are “information”?  If so, who owns it?  Can one piece of information be owned by more than one person, at the same time?  Is this something unique about “information” generally?

“Phone Giants Cut Off Two Location Services,” The Wall Street Journal, June 20, 2018, A1.  Verizon, AT&T, and Sprint will stop selling your location to two middlemen.

This decision wasn’t a recognition that your location is your information.  Rather, it was because one middleman allowed law enforcement agencies to see location data without a warrant. So, the phone companies are protecting your privacy from the government, but not from the phone companies.

One would hope that you could decide how and when your location data could be used by someone else.  But that is your decision, on your information.

Toody and Muldoon, where are you?

Filed under Access, Controls, Corporation, Definition, Duty, Information, Internal controls, Ownership, Privacy, Third parties