Category Archives: Board

August 7, 2018 · 2:29 pm

We didn’t know

Knowledge, or lack thereof, is often a good defense.

“Fiat Says It Didn’t Know CEO was Ill,” The Wall Street Journal, July 27, 2018 B1.  Company says privacy of health care information meant they didn’t know that their CEO had been sick for a year.

Who knew or should have known?  Was this insider information that would affect the value of investments?

Should the Board have known?  Did the CEO have a duty to disclose?  For more than a year!

Governance, Compliance, and Information.  All in one.  Add a dash of privacy.

Leave a comment

Filed under Access, Accuracy, Board, Communications, Compliance, Compliance (General), Compliance Verification, Controls, Corporation, Directors, Duty, Employees, Governance, Inform market, Inform shareholders, Internal controls, Investor relations, Oversight, Privacy, To report, Uncategorized

July 31, 2018 · 1:13 pm

Your vendors

This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security.  But the topics do overlap.

So, what controls do you have in place to prevent from someone accessing your computer and changing the information there or, as important, changing how your computer operates?  That’s an identified risk, right?

“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3.  Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and their access to the utilities’ systems.  Can the hackers take control of those systems or shut them down?

Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago?  Contractors can be a massive IT security risk.

Is this part of Information Governance?

What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems?  And to control the third parties who do have that access?  Is there a process?

Leave a comment

Filed under Access, Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Third parties, Vendors

July 23, 2018 · 7:41 pm

Fraudster

“Theranos Settle Investor Suit As Firm Runs Low on Funds,” The Wall Street Journal, July 23, 2018 B3.  Investors alleged Theranos had defrauded them by making false statements about the company’s technology.

This joins the long (and growing) list of people suing for harm caused by this company.  Are the directors in the dock?  The CEO and former president are.

False statements are information, in a sense.  The is the kind of basic, bog standard stock fraud that led to the creation of the SEC.

Who’s going to get the last drop of blood out of this stone?

Leave a comment

Filed under Board, Communications, Compliance, Compliance, Compliance (General), Controls, Corporation, Culture, Data quality, Definition, Directors, Duty, Duty of Care, Employees, Governance, Inform shareholders, Information, Internal controls, Investor relations, Oversight, Oversight, Protect information assets

July 23, 2018 · 6:57 pm

Loose lips volume II

“Chips CEO Resigns Over Conduct,” The Wall Street Journal, July 18, 2018 B1.  CEO of Texas Instruments fired/forced-to-resign after two months for violating company’s Code of Conduct.  Probably no package, either.  No details on the nature of the violation.

It’s nice when a company enforces its policies against the CEO.  Sends a message to the worker bees.

Leave a comment

Filed under Board, Communications, Compliance, Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Internal controls, Oversight, Oversight, Policy

July 23, 2018 · 11:08 am

Sexting

It’s always good to have a catchy headline.

“Lust, Anger Topple Powerful Lawyer,” The Wall Street Journal, July 14, 2018 A1.  Sexting scandal costs head of major law firm his job (and his ~$6 million salary), even though he did nothing beyond sending and receiving the texts.

Would you trust a lawyer who had such lapses in personal judgment?  Would you trust the law firm of which he was the chairman?  He had reason to suspect the woman he was texting, as he became aware of her when looking into her relationship with a friend of his at church.  Good deeds don’t go unpunished.

She sent copies of the email exchanges to the firm’s executive committee.

The problem with email is that it doesn’t go away, and you can’t control what the recipient does with them.

Important safety tip, Egon,  That bears repeating.  And repeating.

1 Comment

Filed under Board, Communications, Compliance, Controls, Governance, Internal controls, Third parties

July 8, 2018 · 5:29 pm

Policy

This blog looks at the intersection of Information, Governance, and Compliance.  Normally, when one hears “Compliance,” one assumes it means compliance with law.  But Compliance also extends to compliance with policy.

“Barnes & Noble Cites Policy In Firing,” The Wall Street Journal, July 5, 2016 B1.  B&N CEO and a member of the board fired after a little more than a year for violation of a so-far-undisclosed company policy..  No severance package.  Ouch.

What sort of message does that send to the rank and file when the CEO gets punished for violating company policy?  Does that extend beyond the policy the CEO is accused of violating?  Is that why the specific policy wasn’t mentioned?

I assume this was for a violation more serious than failing to follow the company’s Records Retention Policy.  But aren’t all violations of company policy by the CEO equally serious? Aren’t all violations of policy equal, or are there capital “P” policies, and small “p” policies?  How does an employee tell the difference?

And the company chose to publicize at least the basic reason for the firing; does it do that in all firings for policy non-compliance?  Does the CEO have more or less privacy rights than the lowest-paid employee?

Leave a comment

Filed under Board, Communications, Compliance, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Employees, Governance, Internal controls, Policy, Privacy

June 22, 2018 · 3:16 pm

Verrry interesting

“Europe’s Privacy Law Fails to Stoke Demand for Cyber Insurance,” The Wall Street Journal, June 21, 2018 B10.  Companies aren’t buying as much privacy insurance as people thought.

Certainly, in the wake of the GDPR rollout, the risk of a privacy law violation has increased.  Apparently companies think that they have adequate controls in place, and don’t need the protection of insurance to backstop their controls.  Insurance is a mitigation in case your controls aren’t totally effective.

Are these companies doing the same with other risks to other assets?  Or is you private data somehow different?

Leave a comment

Filed under Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Ownership, Privacy, Protect, Protect assets, Protect information assets, Security, Third parties

June 22, 2018 · 3:00 pm

Inside job

“Tesla Accuses Former Employee of ‘Sabotage,'” The Wall Street Journal, June 21, 2018 B3. Did  a former employee hack Tesla’s manufacturing software and trade secrets and transfer information outside the company?  Was this for convenience, or was it theft?  Or to give to the press?

Do you have adequate controls to prevent this?  Or to discover it?  Who’s responsible if your controls fail?

Will the directors or senior officers be punished?  Did they fail in their obligations to protect the corporation’s assets?  Or is it just the shareholders who pay?  And pay, and pay.

 

Leave a comment

Filed under Access, Board, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Management, Oversight, Oversight, Protect, Protect assets, Protect information assets, Third parties, Value

June 14, 2018 · 4:39 pm

A billion here, a billion there

Eventually, you’re talking real money.

“Volkswagen Fined $1 Billion in Germany,” The Wall Street Journal, June 14, 2018 B4. Fine for “dereliction of management oversight” following the diesel emissions-testing scandal.  Somewhat broader than a Caremark claim.

Will the directors have to pay anything out of their pockets?  Or just their shareholders’ pockets?

Leave a comment

Filed under Board, Compliance, Compliance, Compliance (General), Controls, Corporation, Culture, Culture, Directors, Duty, Governance, Internal controls, Oversight, Oversight

June 14, 2018 · 3:47 pm

What’s your word worth?

Gosh, it happened again!

“Facebook Gave Out User Data Despite Pledge,” The Wall Street Journal, June 9, 2018 A1. Notwithstanding a commitment not to do so, Facebook continued to give some companies access to user information.

How many times can you lie before people call you a liar?  Or take judicial notice?  What is the culture at Facebook?  Who’s responsible?  Accountable?

Leave a comment

Filed under Access, Board, Compliance, Compliance (General), Controls, Corporation, Culture, Culture, Duty, Duty of Care, Governance, Information, Internal controls, Oversight, Ownership, Privacy, Protect assets