Monthly Archives: June 2018

It’s not just VW

Often, a corporation’s violations of law don’t result in a conviction of the senior officers or directors. Sometimes they do, and when they do, that’s a powerful compliance message.

“Audi CEO Is Arrested In Emissions Scandal,” The Wall Street Journal, June 19, 2018 A1. Executive jailed in Germany to prevent obstruction of ongoing investigation into emissions testing scandal at VW.

This goes to Governance, Compliance, and Information.


Filed under Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Oversight, To report, Who is in charge?

Information – Use

In a robbery investigation, the victim gave police an Instagram photo of the suspect and the police ran that photo through a facial recognition system and the state’s drivers license database, and a driver’s license photo was identified.  The driver was arrested.

Is it okay for police to use (a) the Instagram photo or (b) the driver’s license photo to identify a robbery suspect? Whose information is it? Is this an invasion of privacy? As long as the suspect can contest the accuracy of the facial recognition software, do his rights count more than the victim’s? Do restrictions on the use of biometrics in some states (Texas, Illinois, and Washington that I know of) change the calculus?

“Police Use of Driver Photos Stirs Debate,” The Wall Street Journal, June 18, 2018 A3.


Filed under Controls, Duty, Duty of Care, Governance, Government, Information, Internal controls, Ownership, Privacy, Third parties

Poster boy for Information Governance

Years ago, while teaching a course to MBA students at Rice University, I used the Target credit card breach as a case study.  It touched a lot of bases.  Now we have a better one.

While there have been a lot of information governance-related stories in the news over the past two years, including Equifax and Facebook and VW and Wells Fargo, my nominee for the one name associated with the most significant teaching example in information governance and compliance is the former FBI Director, James Comey.

First, he gave us The Day That Information Governance Died, with his July 5, 2016 pronouncement that, notwithstanding her clear violations of several applicable laws dealing with the handling of confidential or secret information (and the destruction of information subject to a subpoena), Secretary Hillary Clinton’s use (and wiping) of a private server to store government email was not going to be prosecuted. Such a pronouncement deviated “from well-established Department policies” that the FBI does not comment about ongoing criminal investigations.

Then he wrote a memo ostensibly commemorating a meeting he had with his boss on government business on a government computer (while in a government vehicle) during the work day, and declared that that was his personal correspondence that he could (and did) distribute as he pleased.

And now we learn that he conducted government business over his own private gmail account {that information does not appear in the WSJ article – Ed.}, and actively avoided his boss’ oversight (and his bosses failed to adequately supervise him). “Report Blasts FBI Agents, Comey Over Clinton Probe,” The Wall Street Journal, June 15, 2018 A1. Inspector General releases his report on the Clinton Investigation.

Recap:

  • Violations of law are not enforced
  • Evidence is destroyed notwithstanding a subpoena
  • Senior employees ignore long-standing policy
  • Senior employees treat documents prepared by them in the course of business as their personal information
  • Senior employees use private email accounts to transact government business
  • Employees hide things from their bosses
  • Bosses failed to adequately supervise their reports

And this is at the FBI, by a lawyer.

Does anyone wonder why we have a hard time getting traction on information governance initiatives?  Certainly an argument for an Information Governance case study of just the Clinton email investigation and its aftermath.  Not sure you could cover it all in one semester, at both law schools and business schools.

 


Filed under Communications, Compliance, Compliance (General), Controls, Culture, Discovery, Duty, Duty of Care, Employees, Governance, Government, Information, Internal controls, Lawyers, Managers, Oversight, Ownership, Ownership, Policy, Requirements, Supervision, Who is in charge?

A billion here, a billion there

Eventually, you’re talking real money.

“Volkswagen Fined $1 Billion in Germany,” The Wall Street Journal, June 14, 2018 B4. Fine for “dereliction of management oversight” following the diesel emissions-testing scandal.  Somewhat broader than a Caremark claim.

Will the directors have to pay anything out of their pockets?  Or just their shareholders’ pockets?


Filed under Board, Compliance, Compliance, Compliance (General), Controls, Corporation, Culture, Culture, Directors, Duty, Governance, Internal controls, Oversight, Oversight

Apple ≠ Facebook ≠ Google

Apple seems to be taking a different approach than Facebook or Google.

“iPhone Change To Block Police,” The Wall Street Journal, June 14, 2018 B1.  Apple “fixes” the technical hole that allows the authorities to break into the iPhone of a criminal or suspected criminal.

Is Apple more or less concerned about privacy of its users than either Google or Facebook is concerned about the privacy of their customers?  What about Apple’s demonstrated desire to block government access?  Is that more like Google (use of Google AI in weapons systems) or like Facebook (oh, heck, we’ll let just about anyone see our users’ data)?

Is controlling access to user data Governance?  Or is it a feature?  Whom do you trust more?


Filed under Access, Controls, Corporation, Culture, Duty, Duty of Care, Governance, Government, Internal controls, IT, Oversight, Policy, Privacy, Protect assets, Security, Third parties

Trend to watch

“Vietnam Tightens Web Grip With New Cybersecurity Law,” The Wall Street Journal, June 13, 2018 A7.  The Vietnamese government wants access to all Vietnam-based users’ data.

Several provisions of the new law will make the lives of international companies such as Facebook and Google more difficult: they must now open an office in Vietnam, store the data of Vietnam-based users in the country, and promptly take down user-posted content at the government’s request.

What happens when an irresistible force (the Internet) encounters an immovable object (the government of a sovereign country)? The US started this (sort of) when it exported the joys of e-discovery. Then Europe replied by imposing global privacy rules. Now China and Vietnam are pushing some of their own requirements, but more as restrictions on Internet companies doing business in their countries.

Who’s going to win?

Intersection of Information, Governance, and Compliance.

 


Filed under Access, Compliance, Compliance (General), Controls, Corporation, Culture, Duty, Governance, Legal, Requirements

What’s your word worth?

Gosh, it happened again!

“Facebook Gave Out User Data Despite Pledge,” The Wall Street Journal, June 9, 2018 A1. Notwithstanding a commitment not to do so, Facebook continued to give some companies access to user information.

How many times can you lie before people call you a liar?  Or take judicial notice?  What is the culture at Facebook?  Who’s responsible?  Accountable?


Filed under Access, Board, Compliance, Compliance (General), Controls, Corporation, Culture, Culture, Duty, Duty of Care, Governance, Information, Internal controls, Oversight, Ownership, Privacy, Protect assets

What politically sensitive information do you have on your phone?

“Spies Make Push Into Phone-Hacking,” The Wall Street Journal, June 8, 2018 B4. Governments increase attempts to hack mobile phones to access the vast troves of data there.

Well, of course they wouldn’t do that in the US.  Would they?


Filed under Access, Communications, Controls, Duty, Governance, Government, Internal controls, IT, Oversight, Privacy, Security, Third parties

What business are you in?

“Google Bans AI in Weapons,” The Wall Street Journal, June 8, 2018 B4. Google prohibits the use of certain of its artificial intelligence technology in weapons systems.

Do you restrict how others can use your information?  How do you enforce that?  I thought Google was in the information business.


Filed under Access, Controls, Duty, Governance, Information, Internal controls, Ownership, Policy, Third parties, Vendors

Crying “Wolf”?

“Facebook Exposed Postings,” The Wall Street Journal, June 8, 2018 B1. Posts for 14 million Facebook users made public for 10 days, regardless of their default preferences. Software bug blamed.

Whose information is it and what rules apply?  What happens when you introduce a defective product into commerce?


Filed under Access, Controls, Corporation, Culture, Duty, Duty of Care, Governance, Internal controls, IT, Oversight, Ownership, Privacy, Protect assets, Security, Third parties