Category Archives: Protect information assets

January 4, 2019 · 3:47 am

Catching up, again

I was otherwise engaged in December, what with the holidays and travel and our first grandchild, born in Hong Kong, and haven’t been posting.  Here’s the month in review, in chronological order, in multiple parts:

  1. How to monetize your information

    “Paywall for HuffPost? Verizon Hunt for Web Revenue Goes Beyond Ads,” The Wall Street Journal, December 3, 2018.  Do you let people see content (plus ads) for “free,” or do you charge for access?  Which one places the “correct” value on the information you are providing?  What if you did both?

  2. Who’s in charge?

    “Disney Raises the Bar Robert Iger Has to Clear to Win Bonus,” The Wall Street Journal, December 4, 2018.  Shareholders push back on bonus compensation plan, demonstrating an unusual level of control (i.e., Governance) over their investment.  See also, “Shell to Link Carbon Emissions Targets to Executive Pay,” The Wall Street Journal, December 4, 2018.

  3. How much is your view worth?

    “Who’s Reading That News Story? Startup Will Help Marketers Find Out,” The Wall Street Journal, December 4, 2018.  Linking the desire of publishers and advertisers to monitor what news stories you look at and for how long, a start-up fills the gap.  The answer to the question,”Whose data is that?” is taking on multiple dimensions.

  4. It takes a village to prevent someone from getting top-secret information

    China Maneuvers to Snag Top-Secret Boeing Satellite Technology,” The Wall Street Journal, December 5, 2018.  Boeing seemed unconcerned when a customer for one of its satellites told Boeing that the customer was being financed by Chinese interests, to whom sale of the top-secret technology involved was restricted.  But after an alleged payment default, Boeing cancels order. “Boeing Backs Out of Global IP Satellite Order Financed by China, The Wall Street Journal, December 7, 2018.  Did the press coverage have an impact?

  5. Law firms leak, too

    “U.S. Prosecutors Charge Four People in Panama Papers Probe,” The Wall Street Journal, December 5, 2018.  Action follow leak of law firm documents showing how wealthy people hid money from tax.

  6. Who owns (or controls) the Cloud?

    “China’s Alibaba Takes On Amazon in European Cloud,” The Wall Street Journal, December 5, 2018.  Chinese Cloud company challenges Amazon for control of the Cloud in Europe.  Which (the US or China) will better protect the privacy of the users?

  7. Does your information governance program cover the content of the training provided to your customers?

    “Boeing Omitted Safety-System Details, Minimized Training for Crashed Lion Air 737 Model,” The Wall Street Journal, December 6, 2018.  Questions arise after 189 people killed in a crash and the crews hadn’t been trained on the new flight-control system.

  8. Facebook tried to monetize “your” data?  Gadzooks!

    “Facebook’s Zuckerberg at Center of Emails Released by U.K. Parliament,” The Wall Street Journal, December 6, 2018.  Newly released emails show that Facebook apparently considered charging app developers for accessing “your” data held by Facebook, and suggest Facebook discounted the chance of developers sharing that data with others.

  9. Not “just-in-time” discipline

    “Wells Fargo Firing Dozens of Regional Managers in Retail-Bank Cleanup,” The Wall Street Journal, December 6, 2018.  More than two years after the account-cramming scandal, Wells Fargo starts to fire some regional managers for failure of oversight responsibilities.  Sort of like punishing your full-grown dog for an accident she had as a puppy.  And what about the executives who were overseeing those fired managers?

  10.  Biometrics is/are information, too

    “Microsoft Pushes Urgency of Regulating Facial-Recognition Technology,” The Wall Street Journal, December 7, 2018.  Lack of worldwide restrictions on surveillance without a warrant leads Microsoft to urge restrictions on the technology.  Is privacy when in public a basic human right?

  11. It’s not the crime, it’s the coverup?

    “U.S. Alleges Huawei CFO Hid Ties to Telecom With Iran Business,” The Wall Street Journal, December 8, 2018. Did the CFO lie to hide from banks connections Huawei had with company that did business with Iran?  What is the impact to the current state of trade relations with China?

4 Comments

Filed under Accuracy, Board, Compliance, Compliance, Compliance (General), Compliance Verification, Controls, Corporation, Definition, Directors, Duty, Governance, Information, Internal controls, Managers, Oversight, Oversight, Ownership, Privacy, Protect assets, Protect information assets, Technology, Third parties, To report, Value, Vendors, Who is in charge?

December 3, 2018 · 5:23 am

Coming up to speed

Marriott Says Starwood Data Breach Affects Up to 500 Million People,” The Wall Street Journal, November 30, 2018 (online).  Data breach potentially affecting passports and credit cards of as many as 500 million guests at Marriott’s Starwood properties, which were acquired in 2016.  They knew about this in September, but reflects a breach that may go back to 2014.

So, two years after an acquisition, the target’s information security practices blow up in the acquiror’s face.  What does that say about the acquiror’s duty to integrate the data practices and controls around information protection?

Does your M&A team think about information governance issues?  Is that an identified risk, with an identified (and owned) action plan?  Did the Board identify this as a risk?  What the value of this information considered part of the transaction value?  How was that reflected?

Leave a comment

Filed under Board, Compliance, Compliance Verification, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Value

October 15, 2018 · 10:10 am

FB in the news. Again.

“Facebook Hackers Access Nearly 50 Million Accounts,” The Wall Street Journal, September 29, 2018 A1.  Unknown hackers may have gotten access as early as July 2017 by exploiting flaws in the system’s code.  May have taken over your account and gotten to your posts and private messages, and may have the credentials to access other services, like Tinder and Spotify.

Is Facebook responsible for making sure its site is secure?  How did the executive in charge of safety and security miss this?  Does the Board at Facebook have liability?  Facebook no longer has a Chief Security Officer.

1 Comment

Filed under Access, Board, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, IT, Oversight, Oversight, Protect assets, Protect information assets, Security, Technology, Third parties

July 31, 2018 · 1:13 pm

Your vendors

This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security.  But the topics do overlap.

So, what controls do you have in place to prevent from someone accessing your computer and changing the information there or, as important, changing how your computer operates?  That’s an identified risk, right?

“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3.  Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and their access to the utilities’ systems.  Can the hackers take control of those systems or shut them down?

Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago?  Contractors can be a massive IT security risk.

Is this part of Information Governance?

What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems?  And to control the third parties who do have that access?  Is there a process?

Leave a comment

Filed under Access, Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Third parties, Vendors

July 23, 2018 · 7:41 pm

Fraudster

“Theranos Settle Investor Suit As Firm Runs Low on Funds,” The Wall Street Journal, July 23, 2018 B3.  Investors alleged Theranos had defrauded them by making false statements about the company’s technology.

This joins the long (and growing) list of people suing for harm caused by this company.  Are the directors in the dock?  The CEO and former president are.

False statements are information, in a sense.  The is the kind of basic, bog standard stock fraud that led to the creation of the SEC.

Who’s going to get the last drop of blood out of this stone?

Leave a comment

Filed under Board, Communications, Compliance, Compliance, Compliance (General), Controls, Corporation, Culture, Data quality, Definition, Directors, Duty, Duty of Care, Employees, Governance, Inform shareholders, Information, Internal controls, Investor relations, Oversight, Oversight, Protect information assets

June 22, 2018 · 3:16 pm

Verrry interesting

“Europe’s Privacy Law Fails to Stoke Demand for Cyber Insurance,” The Wall Street Journal, June 21, 2018 B10.  Companies aren’t buying as much privacy insurance as people thought.

Certainly, in the wake of the GDPR rollout, the risk of a privacy law violation has increased.  Apparently companies think that they have adequate controls in place, and don’t need the protection of insurance to backstop their controls.  Insurance is a mitigation in case your controls aren’t totally effective.

Are these companies doing the same with other risks to other assets?  Or is you private data somehow different?

Leave a comment

Filed under Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Ownership, Privacy, Protect, Protect assets, Protect information assets, Security, Third parties

June 22, 2018 · 3:00 pm

Inside job

“Tesla Accuses Former Employee of ‘Sabotage,'” The Wall Street Journal, June 21, 2018 B3. Did  a former employee hack Tesla’s manufacturing software and trade secrets and transfer information outside the company?  Was this for convenience, or was it theft?  Or to give to the press?

Do you have adequate controls to prevent this?  Or to discover it?  Who’s responsible if your controls fail?

Will the directors or senior officers be punished?  Did they fail in their obligations to protect the corporation’s assets?  Or is it just the shareholders who pay?  And pay, and pay.

 

Leave a comment

Filed under Access, Board, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Management, Oversight, Oversight, Protect, Protect assets, Protect information assets, Third parties, Value

May 18, 2018 · 11:40 am

Equifax Hack went deeper

This is old news.  This post never made it out of “Drafts.”  But worthy of note.

The hack at Equifax that may have affected 145.5 million people went deeper than Equifax originally reported.

“Equifax:Hack Went Deeper,” The Wall Street Journal, February 10, 2018 B10.  In addition to names, addresses, driver’s license numbers, and Social Security Numbers, the hack may have reached tax id numbers, email addresses, and additional driver’s license information.

It’s comforting (?) to know that your personal email address isn’t considered either (a) yours or (b) “sensitive,” at least in the US.

Have any of the Equifax directors been sued by their shareholders?  The CEO retired.  The shareholders are paying for all this.

See, also, the post from February 11 about the spat between Equifax and Senator Warren about whether the hack reached passport numbers. https://infogovnuggets.com/2018/02/11/believable-denials/

Leave a comment

Filed under Access, Board, Compliance, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, Oversight, Oversight, Ownership, Protect assets, Protect information assets, Security, Value, Vendors

May 4, 2018 · 9:27 am

Three returning contestants

And all on the same page.

  1. “U.S. Indicts VW’s Former CEO,” The Wall Street Journal, May 4, 2018 B1. Former CEO indicted in March for conspiracy and wire fraud following the emissions cheating scandal.  Do CEOs go to jail?
  2. “Facebook Has Dual Standard On Privacy,” The Wall Street Journal, May 4, 2018 B1. If you’re in a special group in Facebook, you get an alert if someone accesses your profile; if you’re a muggle, or don’t work at Facebook, you don’t.  Maybe this will change?
  3. “Theranos Hurt Big-Name Investors,” The Wall Street Journal, May 4, 2018 B1.  Company said it had the technology to do a wide range of blood tests based on a few drops of blood.  It didn’t, and a host of big-name investors lost a bundle. Is this a governance issue, an information issue, or a compliance issue?  Don’t believe everything you hear; it’s costly.  And don’t serve as a director without doing your own due diligence.

Leave a comment

Filed under Access, Accuracy, Board, Compliance, Compliance, Compliance, Controls, Corporation, Culture, Data quality, Duty, Duty of Care, Employees, Governance, Internal controls, Oversight, Oversight, Policy, Protect information assets, Supervision

May 1, 2018 · 9:56 am

A handful for May Day

A departure from the one-story-one-post approach.

  1. “Israel Targets Iran Accord,” The Wall Street Journal, May 1, 2018 A1. Israel releases Iranian documents about a nuclear weapons program found in an abandoned warehouse. At least two themes: (a) What does information mean? Did Iran lie during negotiations? (b) Do you destroy documents/information that are/is no longer useful to you?  What does it say when you don’t?
  2. “‘Fake News’ Law Snares an Offender,” The Wall Street Journal, May 1, 2018 A16. A visitor to Malaysia convicted and sentenced for publishing “fake news” about how quickly/slowly emergency services responded to a shooting. Interesting that the first conviction under the new law was of a foreigner.
  3. “Banks Draw Bead on Guns,” The Wall Street Journal, May 1, 2018 B1. Banks and credit card companies discuss tracking your purchases of guns.  What will they do with that information? Is there other information they can deduce from your purchases that someone would like to track? Would your health insurer/doctor like to track your food and alcohol purchases?  Whose information is that, anyway?
  4. “Guilty Verdict in Autonomy Case,” The Wall Street Journal, May 1, B2.  Former CFO of Autonomy convicted of fraud in connection with the sale of Autonomy to HP for $11 billion in 2011.  This was not some lower-level accountant accused of misstating aspects of a tax-motivated deal. Instead, the fraud overstated Autonomy’s revenue and generally misstating financial results.  The former CEO has also been sued in the UK for damages.
  5. “Facebook Shares the Shared,” The Wall Street Journal, May 1, 2018 B5. Now you can download any of 25 categories of the information that Facebook keeps on you.  Your search history.  When you liked or didn’t like something.  Which and how many advertisers have your contact information.  How many categories does Facebook have?  We don’t know.

Leave a comment

Filed under Access, Accuracy, Analytics, Communications, Compliance, Compliance (General), Controls, Corporation, Data quality, Definition, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Oversight, Oversight, Ownership, Ownership, Privacy, Protect assets, Protect information assets, Technology, To report, Value