Continuing from https://infogovnuggets.com/2019/01/04/catching-up-again/
- Pot calling the kettle black
“Comey Tells House Panel He Suspected Giuliani Was Leaking FBI Information to Media,” The Wall Street Journal, December 10, 2018. Former FBI Director Comey, who admitted to leaking information to a reporter through a law school professor, complains that someone else did it, too.
- Yes, we have no privacy
“Thieves Can Now Nab Your Data in a Few Minutes for a Few Bucks,” The Wall Street Journal, December 10, 2018. Following the series of major hacks of privacy data (e.g., Marriott, LinkedIn, Equifax, and Yahoo), “Every American person should assume all of their data is out there,” said one FBI agent. Comforting.
- Duty to report
“New Report Shows Olympics Executives Concealed Knowledge of Nassar Allegations,” The Wall Street Journal, December 11, 2018. Executives knew information about sexual abuse allegations, and failed to report. To whom did they breach a duty?
- Interesting intersection of the right to petition the government and your right to privacy
“U.S. Investigating Fake Comments on ‘Net Neutrality,’” The Wall Street Journal, December 11, 2018. “Earlier this year, the FCC said it would upgrade its website to try to prevent fakery. … Several federal agencies warn that it is a felony to send falsified comments to the federal government when posting on websites soliciting opinions on federal rulemaking.” What if the comments were anonymous?
- Lying or overspending on your expense account can get you canned
“Under Armour Ousts Two Executives After Review of Expenses,” The Wall Street Journal, December 11, 2018. Complying with company policy and procedures is sort of kind of like a job requirement. Even if you signed Jordan Spieth. But how were they to know how much was too much?
- Weakest link?
“Amazon, Amid Crackdown on Seller Scams, Fires Employees Over Data Leak,” The Wall Street Journal, December 11, 2018. Employees bribed for access to inside information. What’s your information worth to you? To the briber? To the (former) employee? Do you have a policy against taking bribes?
- Collateral impact
“Nissan-Renault Scandal Shows It’s Hard to Keep Car Alliances On Track,” The Wall Street Journal, December 12, 2018. A scandal at your business partner can affect your company’s relationships. Is that Governance?
- How do you deal with rumors? Are they “information,” too?
“Super Micro Finds No Malicious Hardware in Motherboards,” The Wall Street Journal, December 12, 2018. This contradicts a prior report from Bloomberg. How do you govern other sources of information? Is using a trusted third party to investigate just standard crisis management planning?
- Should Compliance be more congenial?
“Banks Get Kinder, Gentler Treatment Under Trump,” The Wall Street Journal, December 13, 2018. Regulators are urged to be more collegial with the banks they regulate. Is that better “Governance,” in the short term or in the long term?
- What does it say?
“Renault Sticks With Carlos Ghosn as Internal Probe Finds No Illegality,” The Wall Street Journal, December 13, 2018. What does it say to the rank-and-file when the Chairman gets arrested? And when he’s thereafter kept in place? The Board may have some explaining to do.
- What can your employer do with your information?
“U.S. Companies Asked to Disclose More About Their Workers,” The Wall Street Journal, December 14, 2018. Pension funds ask employers to disclose more information than the SEC currently requires. Whose decision is that? When and how can you object?
- Watch your contractors
“Chinese Hackers Breach U.S. Navy Contractors,” The Wall Street Journal, December 15, 2018. What’s this information worth, both to the US and to China? How much do you look at the security at your vendors who process or create information for you? Are they a weaker link than your employees? (See item 6, above.)
- Information and Governance and Compliance
“PG&E Falsified Gas Safety Records, California Claims,” The Wall Street Journal, December 15, 2018. From the explosion in San Bruno in 2010 (after which PG&E couldn’t find a bunch of inspection records relating to hundreds of miles of its pipelines) to more recent claims about fudging the records on pipeline locations, PG&E has had this problem for awhile. For now, these are just allegations. But what impact on every claim made against the company, and every claim made by it? If they falsify safety records, do they falsify bills, too? “The [state regulator] last month expanded a continuing probe of PG&E’s safety practices and said it would explore the way the company is structured and managed.” There seems to be a link between record-keeping and management and compliance and culture.
- Facebook, again
“Facebook Bug Potentially Exposed Unshared Photos of Up 6.8 Million Users,” The Wall Street Journal, December 15, 2018. One almost gets the idea that protecting your privacy is not a high priority for them.
Filed under Board, Collect, Communicate, Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Data quality, Directors, Duty, Employees, Governance, Information, Internal controls, Investor relations, IT, Management, Oversight, Oversight, Ownership, Privacy, Protect, Protect assets, Records Management, Security, Supervision, Technology, Third parties, To report, Use, Value, Vendors
I was otherwise engaged in December, what with the holidays and travel and our first grandchild, born in Hong Kong, and haven’t been posting. Here’s the month in review, in chronological order, in multiple parts:
- How to monetize your information
“Paywall for HuffPost? Verizon Hunt for Web Revenue Goes Beyond Ads,” The Wall Street Journal, December 3, 2018. Do you let people see content (plus ads) for “free,” or do you charge for access? Which one places the “correct” value on the information you are providing? What if you did both?
- Who’s in charge?
“Disney Raises the Bar Robert Iger Has to Clear to Win Bonus,” The Wall Street Journal, December 4, 2018. Shareholders push back on bonus compensation plan, demonstrating an unusual level of control (i.e., Governance) over their investment. See also, “Shell to Link Carbon Emissions Targets to Executive Pay,” The Wall Street Journal, December 4, 2018.
- How much is your view worth?
“Who’s Reading That News Story? Startup Will Help Marketers Find Out,” The Wall Street Journal, December 4, 2018. Linking the desire of publishers and advertisers to monitor what news stories you look at and for how long, a start-up fills the gap. The answer to the question,”Whose data is that?” is taking on multiple dimensions.
- It takes a village to prevent someone from getting top-secret information
“China Maneuvers to Snag Top-Secret Boeing Satellite Technology,” The Wall Street Journal, December 5, 2018. Boeing seemed unconcerned when a customer for one of its satellites told Boeing that the customer was being financed by Chinese interests, to whom sale of the top-secret technology involved was restricted. But after an alleged payment default, Boeing cancels order. “Boeing Backs Out of Global IP Satellite Order Financed by China, The Wall Street Journal, December 7, 2018. Did the press coverage have an impact?
- Law firms leak, too
“U.S. Prosecutors Charge Four People in Panama Papers Probe,” The Wall Street Journal, December 5, 2018. Action follow leak of law firm documents showing how wealthy people hid money from tax.
- Who owns (or controls) the Cloud?
“China’s Alibaba Takes On Amazon in European Cloud,” The Wall Street Journal, December 5, 2018. Chinese Cloud company challenges Amazon for control of the Cloud in Europe. Which (the US or China) will better protect the privacy of the users?
- Does your information governance program cover the content of the training provided to your customers?
“Boeing Omitted Safety-System Details, Minimized Training for Crashed Lion Air 737 Model,” The Wall Street Journal, December 6, 2018. Questions arise after 189 people killed in a crash and the crews hadn’t been trained on the new flight-control system.
- Facebook tried to monetize “your” data? Gadzooks!
“Facebook’s Zuckerberg at Center of Emails Released by U.K. Parliament,” The Wall Street Journal, December 6, 2018. Newly released emails show that Facebook apparently considered charging app developers for accessing “your” data held by Facebook, and suggest Facebook discounted the chance of developers sharing that data with others.
- Not “just-in-time” discipline
“Wells Fargo Firing Dozens of Regional Managers in Retail-Bank Cleanup,” The Wall Street Journal, December 6, 2018. More than two years after the account-cramming scandal, Wells Fargo starts to fire some regional managers for failure of oversight responsibilities. Sort of like punishing your full-grown dog for an accident she had as a puppy. And what about the executives who were overseeing those fired managers?
- Biometrics is/are information, too
“Microsoft Pushes Urgency of Regulating Facial-Recognition Technology,” The Wall Street Journal, December 7, 2018. Lack of worldwide restrictions on surveillance without a warrant leads Microsoft to urge restrictions on the technology. Is privacy when in public a basic human right?
- It’s not the crime, it’s the coverup?
“U.S. Alleges Huawei CFO Hid Ties to Telecom With Iran Business,” The Wall Street Journal, December 8, 2018. Did the CFO lie to hide from banks connections Huawei had with company that did business with Iran? What is the impact to the current state of trade relations with China?
Filed under Accuracy, Board, Compliance, Compliance, Compliance (General), Compliance Verification, Controls, Corporation, Definition, Directors, Duty, Governance, Information, Internal controls, Managers, Oversight, Oversight, Ownership, Privacy, Protect assets, Protect information assets, Technology, Third parties, To report, Value, Vendors, Who is in charge?
This blog tends to mention cases where senior executives get (or don’t get) punished for their alleged misdeeds. The spin is often that the seniors don’t get punished as hard as the worker bees.
But what happens when the CEO gets put in jail for his or her alleged misdeeds, which may have led to under-reporting in the company’s financials for the past five years?
“Carlos Ghosn’s Arrest Rocks Auto Empire,” The Wall Street Journal, November 21, 2018 (online). Nissan’s CEO jailed for allegedly under-reporting his earnings by several tens of millions of dollars.
How do you explain this to the worker bees? What’s the culture at the top? How did the Board not catch this? Were there not controls in place? Might the shareholders be a bit upset?
More a Governance and a Compliance issue, perhaps, although if one looks, one could find some information-related failures.
Filed under Board, Compliance, Compliance (General), Compliance Verification, Controls, Corporation, Culture, Culture, Data quality, Directors, Duty, Duty of Care, Governance, Internal controls, Oversight, Oversight
“Rebuke at Wells Shows Clash,” The Wall Street Journal, November 15, 2018 B1. Chief administrative officer (and former head of HR) at Wells placed on leave after the Office of the Comptroller of the Currency criticizes the oversight that she and the bank’s chief auditor provided.
If your company interacts with government regulators (and whose doesn’t?), is the government effectively a part of your governance structure? Or is government a separate component of Governance, whether that is Compliance Governance or Information Governance? Or just “Governance”?
And what does it say about communications when the government holds up a senior official for poor oversight? What about the board? Highly visible to the worker bees.
Filed under Board, Communications, Compliance, Compliance, Compliance (General), Controls, Corporation, Duty, Employees, Governance, Government, Internal controls, Management, Oversight, Oversight, Third parties, To report
“Facebook Hackers Access Nearly 50 Million Accounts,” The Wall Street Journal, September 29, 2018 A1. Unknown hackers may have gotten access as early as July 2017 by exploiting flaws in the system’s code. May have taken over your account and gotten to your posts and private messages, and may have the credentials to access other services, like Tinder and Spotify.
Is Facebook responsible for making sure its site is secure? How did the executive in charge of safety and security miss this? Does the Board at Facebook have liability? Facebook no longer has a Chief Security Officer.
Filed under Access, Board, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, IT, Oversight, Oversight, Protect assets, Protect information assets, Security, Technology, Third parties
What you do when an important executive is alleged to have violated company policy says a lot about your compliance program.
“Claims About Executive Tested Uber Overhaul,” The Wall Street Journal, September 27, 2018 B3. Senior executive investigated; rather than being terminated, he received a formal warning (apparently, informal was not sufficient), his bonus was reduced Why do you give bonuses to people who violate company policy?), and was required to take sensitivity training.
This at a company that had a rather sordid history of sexual harassment.
How will Uber convince its remaining employees that this time it is serious? Do you believe them? Is this an effective compliance program under the Federal Sentencing Guidelines, assuming that’s the appropriate measure?
Where’s the Board? Do they care?
Filed under Board, Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Oversight, Oversight, Uncategorized
“CBS to Weigh CEO’s Fate,” The Wall Street Journal, July 30, 2018 A1. Discussion over whether CEO accused of sexual harassment should stand down while the investigation continues.
Curious that Urban Meyer has to stand aside while an investigation into whether he should have reported domestic abuse by an assistant coach 9 years earlier at a different school, but Leslie Moonves remains on board as the CEO of CBS. See https://infogovnuggets.com/2018/08/07/caesars-wife/
What does it say about a company’s culture when, in the current environment, the CEO can remain in his job during such an investigation? How convinced are the rank-and-file employees that the sexual harassment policy is real, or just a piece of paper? Are the directors serious about this policy? What about other policies?
Filed under Board, Compliance, Compliance, Compliance (General), Corporation, Culture, Culture, Directors, Duty, Employees, Governance, Oversight, Oversight, Policy
Knowledge, or lack thereof, is often a good defense.
“Fiat Says It Didn’t Know CEO was Ill,” The Wall Street Journal, July 27, 2018 B1. Company says privacy of health care information meant they didn’t know that their CEO had been sick for a year.
Who knew or should have known? Was this insider information that would affect the value of investments?
Should the Board have known? Did the CEO have a duty to disclose? For more than a year!
Governance, Compliance, and Information. All in one. Add a dash of privacy.
Filed under Access, Accuracy, Board, Communications, Compliance, Compliance (General), Compliance Verification, Controls, Corporation, Directors, Duty, Employees, Governance, Inform market, Inform shareholders, Internal controls, Investor relations, Oversight, Privacy, To report, Uncategorized
This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security. But the topics do overlap.
So, what controls do you have in place to prevent from someone accessing your computer and changing the information there or, as important, changing how your computer operates? That’s an identified risk, right?
“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3. Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and their access to the utilities’ systems. Can the hackers take control of those systems or shut them down?
Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago? Contractors can be a massive IT security risk.
Is this part of Information Governance?
What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems? And to control the third parties who do have that access? Is there a process?
Filed under Access, Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Third parties, Vendors
“Theranos Settle Investor Suit As Firm Runs Low on Funds,” The Wall Street Journal, July 23, 2018 B3. Investors alleged Theranos had defrauded them by making false statements about the company’s technology.
This joins the long (and growing) list of people suing for harm caused by this company. Are the directors in the dock? The CEO and former president are.
False statements are information, in a sense. The is the kind of basic, bog standard stock fraud that led to the creation of the SEC.
Who’s going to get the last drop of blood out of this stone?
Filed under Board, Communications, Compliance, Compliance, Compliance (General), Controls, Corporation, Culture, Data quality, Definition, Directors, Duty, Duty of Care, Employees, Governance, Inform shareholders, Information, Internal controls, Investor relations, Oversight, Oversight, Protect information assets