“Marriott Says Starwood Data Breach Affects Up to 500 Million People,” The Wall Street Journal, November 30, 2018 (online). A data breach potentially exposing passport numbers and credit card data of as many as 500 million guests at Marriott’s Starwood properties, which Marriott acquired in 2016. Marriott learned of it in September, but the unauthorized access may go back to 2014.
So, two years after an acquisition, the target’s information security practices blow up in the acquiror’s face. What does that say about the acquiror’s duty to integrate the data practices and controls around information protection?
Does your M&A team think about information governance issues? Is that an identified risk, with an identified (and owned) action plan? Did the Board identify this as a risk? Was the value of this information considered part of the transaction value? How was that reflected?
Filed under Board, Compliance, Compliance Verification, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Security, Value
A former Tesla employee is indicted for creating fake documents to cover up a fraudulent payment scheme. “Former Tesla Employee Is Indicted,” The Wall Street Journal, November 12, 2018 B5.
Companies have a lot of controls to prevent fraud by employees, and often these controls work. Why are there more such controls to prevent financial fraud than to prevent violations of other company procedures, such as those related to document creation, retention, and storage?
One wonders whether, in the aggregate, companies lose more money through poor document management and control than they lose through financial fraud. How would one conduct such a study?
Filed under Accuracy, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Oversight, Protect assets, Records Management, Security, Third parties, Value, Vendors
“Former Goldman Bankers Charged,” The Wall Street Journal, November 2, 2018 A1. “Two senior … bankers allegedly paid bribes and stole and laundered money … [in] one of the biggest financial frauds in history.”
What does it say when two of your 435 partners and one of your managing directors commit a fraud? Failures in systems and controls? Bad culture? Do you have a “cowboy atmosphere” in Asia? Poor training? Are these rogue employees? What’s the impact on your reputation? What was the tone at the top?
This is primarily a Governance point. How will the new CEO handle it?
Filed under Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Duty of Care, Employees, Governance, Oversight, Policy, Supervision, Who is in charge?
One of the consequences of non-compliance is a higher level of scrutiny from the regulators.
“Wells Fargo Places Two Executives On Leave,” The Wall Street Journal, October 25, 2018 B10. The Comptroller of the Currency sent letters to two WF executives about their failures of oversight at the bank in connection with WF’s sales practices. The executives (the chief administrative officer and the chief auditor) were placed on leave and removed from the operating committee.
Boy, does that ever not look good on your resume.
Why did the regulator have to do this? One reason is that WF didn’t do it itself. Would your compliance system do better? Do the directors still have their jobs?
Filed under Board, Compliance, Compliance (General), Corporation, Culture, Directors, Duty, Employees, Governance, Government, Oversight, Supervision, To report
That’s a catchy headline.
“Facebook Thinks Hack Was Set by Spammers,” The Wall Street Journal, October 18, 2018 B1. FB says the recent breach of roughly 30 million accounts was the work of spammers seeking profit, not nation states with evil motives. FB will likely never find out who took the information.
This raises a whole host of issues about information ownership and the duty of companies that handle and store your data. And about IT security, or insecurity. Which is your favorite? I personally favor what this says about the culture at FB; with these issues, FB’s communication to the market, its shareholders and its customers speaks volumes about how FB views the risks of its business. So now even a denial is Information, by definition.
Filed under Access, Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Definition, Directors, Duty, Duty of Care, Employees, Governance, Information, Interconnections, Internal controls, Investor relations, IT, Oversight, Ownership, Privacy, Protect assets, Security, Technology, Third parties, Who is in charge?
“Advertisers Allege Facebook Put Off Disclosing Error,” The Wall Street Journal, October 17, 2018 B1. Facebook was sued two years ago over its statistics on how long users watched videos; the statistics were flawed and overstated the average time videos were viewed. Advertisers now allege that Facebook knew of the error but failed to tell them. So advertisers paid for posting videos based on inaccurate information from the seller (Facebook).
I guess one could comment on the culture at Facebook that would permit this behavior, or on the Compliance implications of the apparent failure to punish anybody (employees, directors) for this apparent breach of customer trust. But instead one could focus on how much value Facebook derived from not disclosing information about known defects in its processes. So, either (a) the definition of Information includes information you don’t disclose, or (b) the value of information can include the value of not disclosing it.
The documents turned over in discovery are not favorable to FB.
Filed under Accuracy, Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Data quality, Definition, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Oversight, Reliance, Supervision, Technology, To report, Value
“HSBC to Pay $765 Million in U.S. Pact,” The Wall Street Journal, October 10, 2018 B12. The bank hid the risks of defective mortgages for at least two years and sold mortgage-backed securities in the meantime.
“Wells Fargo … [paid] $2.09 billion to settle similar claims.” Four other banks also settled.
Why do we keep our money in banks? Weren’t they supposed to be safe? What does it say about the Boards of these companies? Did the directors screw up?
Filed under Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Investor relations, Oversight, Protect assets, Supervision, To report