Category Archives: Third parties

Snitches get stitches

Apparently, keeping the identities of confidential informants secret poses some challenges.  Are there information governance lessons to be learned?

“Inmates Targeting Informants,” The Wall Street Journal, June 21, 2017 A3. “[C]lose to 700 witnesses and informants believed to have cooperated with the government have been threatened, wounded or killed” over three years.  One source of information: online court records that provide clues as to who cooperated with the prosecutors.  Some inmates may be posting their sentencing files to establish their bona fides.

Hard to classify this in this blog.  Does this pertain to

  • the value of accurate and complete information
  • the risk in making information widely available
  • the government’s duty to protect informants
  • the government’s duty to have a transparent criminal justice system
  • a defendant’s right to confront his/her accusers
  • the need for security and the difficulty in providing it
  • the proactive value of disclosure
  • the fact that information can be misused
  • the difficulty in creating effective controls
  • other?

 


Filed under Access, Accuracy, Communications, Compliance, Controls, Data quality, Duty, Duty of Care, Governance, Government, Information, Internal controls, Oversight, Privacy, Protect assets, Risk, Third parties, Value

Contractors and the Cloud

Do you have contractors who analyze your data for you?  Do they use cloud storage?  Do you know?  How secure is that?  Is that prohibited by your service contract?

“Data on 198 Million Votes Exposed Online,” The Wall Street Journal, June 20, 2017 A4. Deep Root Analytics, a Republican party consultant, used an online storage system that was reportedly open to the world for several days.  Most/some of the information exposed was publicly available information on voters.  A lot of voters.

Well, at least the Russians (or the DNC) didn’t hack it.  Or did they?

What controls do you have that protect information your consultants are using and the opinions you are paying them to provide you?  Do you care?  It’s not like it’s money or anything.


Filed under Access, Board, Controls, Corporation, Duty, Governance, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Security, Third parties, Vendors

Kidnapping v. stealing information

One unique aspect of information is that it can be stolen, yet remain in the owner’s possession.  Apparently, medical facilities are required to report if your medical information is stolen, but not if it is merely kidnapped and held for ransom.

“Some Cyberattacks Go Unreported,” The Wall Street Journal, June 19, 2017 B3.  Whether hospitals need to report a ransomware attack of their files as a data breach is a “gray area,” and the federal government doesn’t require such reports, even if the government knows about them.  Some hospitals don’t report ransomware attacks, so these attacks are not in the HHS statistics.

So, patients don’t know when hospitals have weak security protection.  What value, then, are the government statistics?  Do they need a big asterisk?

 


Filed under Controls, Corporation, Data quality, Duty, Government, Information, Internal controls, IT, Legal, Requirements, Security, Third parties, To report, Value

The Day that Information Governance Died, the Sequel

Last July, after the July 5 news conference, I wrote about the consequences of James Comey’s decision not to prosecute, https://infogovnuggets.com/2016/07/12/sounds-of-silence/.  I view that as The Day Information Governance Died.

This week, we had the sequel.

If you create a document in the normal course of your duties for your employer, about a conversation held in the course of your employer’s business, using the employer’s computer, then that document is the property of your employer.  It’s “proprietary.”  You can’t take that document with you when you’re fired and then give it to others.  Even if it doesn’t contain privileged information.  Or your purported recollections of a conversation in your official capacity with the President, subject to executive privilege.

But Mr. Comey seems to be above (or maybe beside) the Law, generally.  And he is (until the ethics people get a hold of this) a lawyer.

“The ‘Close Friend’ Behind Memo Leak,” The Wall Street Journal, June 9, 2017 A4.   Comey leaks a memo he wrote while a government employee to a friend, in order to leak it to the press.

And we wonder why we have a hard time getting traction on information governance.


Filed under Controls, Duty, Employees, Information, Internal controls, Lawyers, Ownership, Privilege, Third parties

We have a Winner

What do you do when you discover who violated the law by leaking a classified document?  You arrest them.

“Contractor Charged in Leak,” The Wall Street Journal, June 6, 2017 A4.  Reality Winner, an employee of a contractor for the NSA, was arrested and charged for leaking a classified document to the news media.  A criminal offense.

Interesting story of how the government found out.  A news agency provided a copy of the document and requested the government to confirm its accuracy.  The government could tell from looking at the copy that it had been folded, and concluded someone printed it out and sneaked it out.  IT logs showed six people had printed it out.  The computer of one of them showed email contact with a news agency.  When questioned, Ms. Winner fessed up.

Common themes:  the NSA needs to watch the employees of its contractors carefully; IT has a record, somewhere; criminals get arrested; a newspaper can inadvertently disclose confidential sources.

 


Filed under Access, Controls, Corporation, Duty, Employees, Governance, Government, Information, Internal controls, IT, Oversight, Ownership, Protect assets, Security, Third parties, Vendors

Shareholder revolt

What can a shareholder do if the Board pays excessive executive compensation?  He/She/They push a vote against the directors’ reelection.

“Pension Funds Decry Mylan Pay Packages,” The Wall Street Journal, May 31, 2017 B1.  Four major pension funds band together, trying to oust six directors at the troubled maker of EpiPens over the executive pay packages they approved.

Lesson: to exert shareholder power, it helps to hold a lot of shares (even though less than 1%).  Did Mylan defraud the government in the years that led to the huge bonuses?  Is there a derivative action coming?


Filed under Board, Controls, Directors, Duty, Governance, Investor relations, Oversight, Protect assets, Third parties

The self-governing company

Uber fired the executive at the heart of the dispute with Google over self-driving cars.  The exec failed to meet a deadline to comply with a court order to turn over documents in a trade secret case over self-driving cars. “Uber Fires Executive At Center Of Suit,” The Wall Street Journal, May 31, 2017 A1.

Lesson?  If you hire an employee from a competitor and he’s accused of stealing his former employer’s trade secrets, try your best to look good.

What’s your process for keeping new employees, especially from competitors, from damaging your business and your reputation by bringing in your competitor’s trade secrets?  Did you follow it, or is it just there for show?


Filed under Communications, Compliance, Controls, Corporation, Duty, Employees, Governance, Information, Internal controls, Management, Managers, Oversight, Ownership, Policy, Protect, Third parties, Value