This blog often deals with Compliance, both compliance with law and compliance with company policy. But another aspect of Compliance is the corporation’s compliance with its own contracts.
“Professor Wins College-Freedom Case in Wisconsin,” The Wall Street Journal, July 7, 2018 A3. Private university penalizes professor for posting a factual post online, despite academic freedom protections he had in his contract; professor wins back pay and reinstatement.
So, does your compliance program cover your organization’s compliance with its own contracts? Does your compliance training mention that point? Is contract compliance more or less important than ethics? Or is it part of ethics? How strong are your processes around contract compliance?
I just ask the questions.
Filed under Compliance, Compliance, Compliance (General), Controls, Corporation, Duty, Employees, Governance, Internal controls, Management, Third parties
It’s one thing when an insurance company asks you to install an appliance that tracks your driving habits. You can qualify for rate discounts. But what if the car manufacturer installs an app that sends the data to the insurer?
“App Tracks Driving Habits,” The Wall Street Journal, July 6, 2018 B3. Mitsubishi installs app and offers to arrange to send data to insurers.
Again, this looks like someone else stepping in and trying to make money from sharing your data, not theirs. Will this, as this article says, lead to insurers economically forcing you to share this information? How you drive is one thing; but this would also include where you go, and when. And can be tied to your credit rating, ZIP code, age, gender, etc.
What’s this data worth to you? More or less than what it is worth to Mitsubishi and the insurance companies? What will they do with this data once they have it? Will they keep it secure? Do they do this on cars sold in Europe or, for that matter, Japan? Both countries have significantly stronger privacy protections than the US.
“Cheap Phones Grab User Data,” The Wall Street Journal, July 6, 2018 B1. Cell phones sold in developing countries with limited privacy protections loaded with programs that harvest data.
While the phone give free access to the Internet, they are loaded with apps that track the user’s location, run targeted ads, and send usage data to the phone manufacturers. But the users aren’t given a choice, beyond whether they want a phone or not.
Is this similar to the Faustian bargain already made in developing countries, trading our privacy for access to Facebook or Google or Amazon? At least we were given the choice. Sort of. And we have privacy laws. Sort of.
“App Developers Gain Access To Millions of Gmail Inboxes,” The Wall Street Journal, July 3, 2018 A1. Depending what you signed up for, your Gmail inbox may be being viewed by hundreds of outside software developers.
Be careful what you agree to, and who you let see your information.
“Amazon Delves Into Health Data,” The Wall Street Journal, July 2, 2018 B3. Amazon buys a company with a bunch of personal health information.
It’s not like Amazon doesn’t have to deal with a whole host of privacy regulations, including the EU and, more recently, California. But personal medical information is different, and subject to different controls.
How does a company that lives on finding relationships in large bodies of information deal with information that can’t be used freely?
Filed under Access, Analytics, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, Oversight, Policy, Privacy, Third parties
People knew the shooter in Annapolis was a danger to the newspaper. Employees were warned. Police investigated his on-line comments, and determined he is not a threat. Employees were told to call 911 if they saw him.
Five years later, he kills 5 people with a shotgun.
“Newspaper Warned About Shooter,” The Wall Street Journal, June 30, 2018 A3.
Maybe that’s why the police got there in under a minute.
Filed under Controls, Corporation, Directors, Duty, Duty of Care, Governance, Government, Internal controls, Oversight, Third parties, To report
A common starting point to information governance projects is to determine what information you have and where you have it. Then you can start to manage it. But what happens if you don’t know what you have nor where you have it?
“Facebook Struggles to Find User Data,” The Wall Street Journal, June 28, 2018 B1. “The company can’t track where much of the [user] data went after it left the platform or figure out where is it now.”
A lot of the information is or was with app developers that are now out of business. What happened to your/Facebook’s/their data?
Sure is easier to figure this out going forward than it is to figure out what happened between 2007 and 2015. Especially if disclosure of some of that information is blocked by the government in far-off lands. Or if the app developers don’t fancy having Facebook root through their servers and discovering their business secrets. Or if Facebook doesn’t have a contractual right to get this information.
Sure would be easier if they’d had the proper controls in place at the time.
Filed under Access, Controls, Corporation, Duty, Duty of Care, Governance, Government, Information, Internal controls, Oversight, Ownership, Ownership, Privacy, Protect assets, Security, Third parties, Vendors