It seems that several (most of?) the large privacy breaches have something in common: something smaller happened earlier that people didn’t pay enough attention to.
“Marriott’s Starwood Missed Chance to Detect Huge Data Breach Years Earlier, Cybersecurity Specialists Say,” The Wall Street Journal, December 2, 2018 (online). There was a prior breach in 2015 that, some say, could have been investigated more thoroughly.
Might this happen in your business? Say there’s a relatively minor breach, affecting a single client’s information. Or a minor compliance issue. You discover it and take action. But does the breach itself indicate weaknesses in your system of controls that may have broader implications? Do you change your training or other controls to reflect this experience, or the experience of others in your industry?
This brings to mind a common finding in accident investigations. Something small happened that could/should have put you on notice. But it was ignored or downplayed.
How does your organization deal with near-hits in the compliance or information governance space? Is this part of oversight? Or a part of effective knowledge management?
What impact has technology had on the flow of information in your industry, including the flow of information to and from competitors? Are your controls keeping pace?
“Fashion Industry Gossip Was Once Whispered. Now It’s on Instagram.,” The Wall Street Journal, December 2, 2018 (online). Instagram used to track fashion statements that are strikingly similar.
Underlying this is the point that copying someone else’s creative expression is frowned upon. (Compliance) And that public shaming may be a more effective (and less expensive) control than copyright litigation. (Governance) And a photo of a jacket (or the jacket itself) is as much information as an email. (Information)
In the prior post, I expressed some shock and amazement that Amazon would meddle with the patient-doctor relationship. See www.infogovnuggets.com/2018/12/03/these-folks-have-lost-the-plot/.
Apparently I am not alone in raising some questions about the antitrust implications of some of Amazon’s behavior. “Germany Opens Amazon Antitrust Probe, Adding to European Scrutiny,” The Wall Street Journal, November 30, 2018 (online). Is Amazon hindering other sellers on their website?
This is primarily a Compliance issue. I note, however, that the types of behavior at issue here are basic antitrust blocking and tackling. If you get to a certain size, you can no longer get away with behavior that would be acceptable by a smaller player. Sometimes this isn’t part of the Compliance education package.
You may not be old enough or nerdy enough to remember the Romulan cloaking device from the original Star Trek. But I do/am.
“Fake Signals and Illegal Flags: How North Korea Uses Clandestine Shipping to Fund Regime,” The Wall Street Journal, November 29, 2018 (online). How do shipments still arrive in and leave from North Korea, notwithstanding the various sanctions on the regime there? Apparently, it’s blue smoke and mirrors.
I raise this here for two reasons. First, in the North Korean story there is a bunch of information being generated that is deliberately false, and the compliance types struggle to deal with it in order to enforce the applicable rules. The enforcers use satellites and data analytics; the shippers use deception and semi-legal and illegal stratagems.
Second, what extremes might your employees go to in order to avoid being detected when they are doing something they know is wrong, and how well prepared are you to deal with it? Do you have the proper controls and investigative procedures? What should you look at to confirm that what you’re being told is true?
“Mueller Accuses Paul Manafort of Lying to FBI After Plea Agreement,” The Wall Street Journal, November 26, 2018 (online). Did Manafort lie after he reached a plea deal?
Information is not limited to what you write in a document or an email. It includes verbal utterances. How do you control your “verbal utterances” when the penalty for lying to the FBI can result in 20 years in prison, regardless of what happened prior to your plea deal?
So, this involves Information (verbal statements are information), Compliance (lying to the FBI exposes you to 20 years in prison for each offense), and Governance (how do you avoid making an untrue utterance?). Do your policies and controls address verbal information, and, generally, not lying to the FBI? Need they?
This blog tends to mention cases where senior executives get (or don’t get) punished for their alleged misdeeds. The spin is often that the seniors don’t get punished as hard as the worker bees.
But what happens when the CEO gets put in jail for his or her alleged misdeeds, which may have led to under-reporting in the company’s financials for the past five years?
“Carlos Ghosn’s Arrest Rocks Auto Empire,” The Wall Street Journal, November 21, 2018 (online). Nissan’s CEO jailed for allegedly under-reporting his earnings by several tens of millions of dollars.
How do you explain this to the worker bees? What’s the culture at the top? How did the Board not catch this? Were there not controls in place? Might the shareholders be a bit upset?
More a Governance and a Compliance issue, perhaps, although if one looks, one could find some information-related failures.
“Rebuke at Wells Shows Clash,” The Wall Street Journal, November 15, 2018 B1. Chief administrative officer (and former head of HR) at Wells placed on leave after the Office of the Comptroller of the Currency criticizes the oversight that she and the bank’s chief auditor provided.
If your company interacts with government regulators (and whose doesn’t?), is the government effectively a part of your governance structure? Or is government a separate component of Governance, whether that is Compliance Governance or Information Governance? Or just “Governance”?
And what does it say about communications when the government holds up a senior official for poor oversight? What about the board? Highly visible to the worker bees.