Category Archives: Risk

Ransomware Week

“Faux Ransomware Does Damage,” The Wall Street Journal, June 30, 2017 B3.  Motive for recent attacks was not blackmail, but just disruption.  The files that were attacked may not be recoverable.  “Malware Leaves Big Law Firm Hobbled,” The Wall Street Journal, June 30, 2017 B3.  DLA Piper shuts down after its computer systems hit.  “Hospital Is Forced To Scrap Computers,” The Wall Street Journal, June 30, 2017 B3. West Virginia hospital tosses its entire computer network after cyberattack.

Have the Visigoths gathered at the gate?  If we can’t protect our computers and the information they contain and send, does our civilization survive?  Is IT now more important than all the other functions?


Snitches get stitches

Apparently, keeping the identities of confidential informants secret poses some challenges.  Are there information governance lessons to be learned?

“Inmates Targeting Informants,” The Wall Street Journal, June 21, 2017 A3. “[C]lose to 700 witnesses and informants believed to have cooperated with the government have been threatened, wounded or killed” over three years.  One source of information: online court records that provide clues as to who cooperated with the prosecutors.  Some inmates may be posting their sentencing files to establish their bona fides.

Hard to classify this in this blog.  Does this pertain to

  • the value of accurate and complete information
  • the risk in making information widely available
  • the government’s duty to protect informants
  • the government’s duty to have a transparent criminal justice system
  • a defendant’s right to confront his/her accusers
  • the need for security and the difficulty in providing it
  • the proactive value of disclosure
  • the fact that information can be misused
  • the difficulty in creating effective controls
  • other?

 


4 for Thursday

There were four pieces in today’s WSJ relevant to governance or information governance, or both.

“Currency Trading Data Hint at Leaks in U.K.,” The Wall Street Journal, April 27, 2017 B1. Indications that some investors are getting a sneak peek at UK statistics before they are published.  Does this go to access or to the calculus of the value of information including a factor for timeliness?

“FCC Chief Rails At Net Neutrality,” The Wall Street Journal, April 27, 2017 B1.  Is the government right in trying to control how information is accessed over the internet, or how (high-speed) access to that information is priced?  Who governs the internet, if anyone?

“United Cites Litany of Failures,” The Wall Street Journal, April 27, 2017 B1.  CEO says “‘We let our policies and procedures get in the way of doing the right thing.’”  CEO also to give up his role as Chairman of the Board. A CEO taking accountability for the actions of employees on his watch – remarkable.  United also took out full-page ad.  Intersection of governance and crisis management.

“Hedge Fund Bets on ‘Big Data,’” The Wall Street Journal, April 27, 2017 B11.  Investments in analytics to identify profitable trades.  Timeliness of information is a factor in the value of that information.


What does bad information governance cost?

One of the risks of bad information governance is that your employees will violate some restriction/law/regulation and the corporation will have to pay for it.  How much, you may ask?

“Volkswagen Faces Up to Penalties,” The Wall Street Journal, March 11, 2017 B1.  Volkswagen pleaded guilty and “agreed” to pay penalties of $4.3 billion for misleading the regulators and the public in the diesel emissions scandal.

Cost to date: $25 billion for trying to hide something from the regulators and the public.  Would your company do something like that?  What has this cost the directors and managers who either missed it or ignored it?  What has it cost the Volkswagen shareholders?

 


Access

If you are in the information business (and who isn’t?), what if you can’t get to that information?  Worse, what if your customers can’t get to information you store for them, or their customers can’t get to their web pages?

“Amazon Outage Hits Cloud Customers,” The Wall Street Journal, March 1, 2017 B4. Failure at a storage center just outside of Washington, D.C. lasted about 4 hours and affected Amazon Web Services.  Uptime/downtime, and reliability.

What’s your plan if your main storage goes out?  How does your business continue to operate?


Making a hash of hash

“Hashing” a document has been a linchpin of document security for most of the digital age.  It uses an algorithm to create a unique identifier for a digital document.  Useful for things like computer security and ediscovery.  Perhaps time has moved on.

“Google Team Cracks Web Security Shield,” The Wall Street Journal, February 24, 2017 B4. The SHA-1 algorithm was cracked, allowing the creation of two different documents with the same hash value.

Alternatives in the works.  Watch this space.


A Higher Duty

A lawyer for a company has a duty under company law to protect the company’s confidential information.  As a lawyer, he or she has a professional ethical obligation to preserve the confidentiality of materials submitted to the lawyer in order to secure or provide legal advice.

But what happens if the lawyer learns information that indicates the client has broken or is breaking US criminal law?  Is there a duty to blow the whistle outside the company?  To whom is that duty owed?  Which controls, state legal ethics rules or federal law?

“Trial to Focus on In-House Lawyers,” The Wall Street Journal, January 17, 2017 B2.  A company’s general counsel is fired.  The company says he was fired because he messed up security filings and failed to detect bribery that led to $55 million in fines.  He says he was fired because he blew the whistle on the company’s “possible” bribery in China.  The judge ruled in December that the lawyer can use privileged information to support his claim.

Will this case eviscerate attorney-client privilege or force attorneys to become unwilling participants in criminal activity?
