This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security. But the topics do overlap.
So, what controls do you have in place to prevent someone from accessing your computer and changing the information there or, as important, changing how your computer operates? That’s an identified risk, right?
“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3. Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and their access to the utilities’ systems. Can the hackers take control of those systems or shut them down?
Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago? Contractors can be a massive IT security risk.
Is this part of Information Governance?
What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems? And to control the third parties who do have that access? Is there a process?
Filed under Access, Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Security, Third parties, Vendors
“Theranos Settle Investor Suit As Firm Runs Low on Funds,” The Wall Street Journal, July 23, 2018 B3. Investors alleged Theranos had defrauded them by making false statements about the company’s technology.
This joins the long (and growing) list of people suing for harm caused by this company. Are the directors in the dock? The CEO and former president are.
False statements are information, in a sense. This is the kind of basic, bog-standard stock fraud that led to the creation of the SEC.
Who’s going to get the last drop of blood out of this stone?
Filed under Board, Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Data quality, Definition, Directors, Duty, Duty of Care, Employees, Governance, Inform shareholders, Information, Internal controls, Investor relations, Oversight, Protect information assets
“Ex-CEO at Oil Driller Settles SEC Inquiry On Undisclosed Loans,” The Wall Street Journal, July 17, 2018. The CEO had taken more than $10 million in loans from vendors in return for awarding them contracts.
He used the money to cover margin calls and to maintain an extravagant lifestyle. Also caught up in the scandal was a former portfolio manager who got a seat on the company’s board.
CEOs get hammered, too, for conflicts and poor ethics.
Filed under Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Internal controls, Investor relations, Oversight, Policy, Third parties, Vendors
“Chips CEO Resigns Over Conduct,” The Wall Street Journal, July 18, 2018 B1. The CEO of Texas Instruments was fired (or forced to resign) after two months in the job for violating the company’s Code of Conduct. Probably no severance package, either. No details on the nature of the violation.
It’s nice when a company enforces its policies against the CEO. Sends a message to the worker bees.
Filed under Board, Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Internal controls, Oversight, Policy
“Wells Refunds Millions to Clients,” The Wall Street Journal, July 20, 2018 B1. Wells Fargo refunds premiums to hundreds of thousands of customers who bought “add-on” products such as pet insurance, identity-theft protection, home warranties, debt protection, and legal services.
This comes amidst an investigation by the CFPB as to whether the way these products were marketed was legal.
The last two years have been tough for Wells Fargo. How deep did the cultural rot go?
File this one under (a) Governance and (b) Compliance. And I guess under (c) Information, as well, if you do business with Wells Fargo. Do the directors pay for this, too?
This blog looks at the intersection of Information, Governance, and Compliance. Normally, when one hears “Compliance,” one assumes it means compliance with law. But Compliance also extends to compliance with policy.
“Barnes &amp; Noble Cites Policy In Firing,” The Wall Street Journal, July 5, 2018 B1. B&amp;N’s CEO, also a member of the board, was fired after a little more than a year in the job for violating a so-far-undisclosed company policy. No severance package. Ouch.
What sort of message does that send to the rank and file when the CEO gets punished for violating company policy? Does that extend beyond the policy the CEO is accused of violating? Is that why the specific policy wasn’t mentioned?
I assume this was for a violation more serious than failing to follow the company’s Records Retention Policy. But aren’t all violations of company policy by the CEO equally serious? Are all policies equal, or are there capital “P” Policies and small “p” policies? How does an employee tell the difference?
And the company chose to publicize at least the basic reason for the firing; does it do that in all firings for policy non-compliance? Does the CEO have more or fewer privacy rights than the lowest-paid employee?
Filed under Board, Communications, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Employees, Governance, Internal controls, Policy, Privacy
“Amazon Delves Into Health Data,” The Wall Street Journal, July 2, 2018 B3. Amazon buys a company with a bunch of personal health information.
It’s not like Amazon doesn’t already have to deal with a whole host of privacy regulations, including the EU’s and, more recently, California’s. But personal medical information is different, and subject to different controls.
How does a company that lives on finding relationships in large bodies of information deal with information that can’t be used freely?
Filed under Access, Analytics, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, Oversight, Policy, Privacy, Third parties
People knew the shooter in Annapolis was a danger to the newspaper. Employees were warned. Police investigated his online comments and determined he was not a threat. Employees were told to call 911 if they saw him.
Five years later, he killed five people with a shotgun.
“Newspaper Warned About Shooter,” The Wall Street Journal, June 30, 2018 A3.
Maybe that’s why the police got there in under a minute.
Filed under Controls, Corporation, Directors, Duty, Duty of Care, Governance, Government, Internal controls, Oversight, Third parties, To report
“Europe’s Privacy Law Fails to Stoke Demand for Cyber Insurance,” The Wall Street Journal, June 21, 2018 B10. Companies aren’t buying as much privacy insurance as people thought.
Certainly, in the wake of the GDPR rollout, the risk of a privacy law violation has increased. Apparently companies think that they have adequate controls in place, and don’t need the protection of insurance to backstop their controls. Insurance is a mitigation in case your controls aren’t totally effective.
Are these companies doing the same with other risks to other assets? Or is your private data somehow different?
Filed under Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Ownership, Privacy, Protect, Protect assets, Protect information assets, Security, Third parties
“Tesla Accuses Former Employee of ‘Sabotage,’” The Wall Street Journal, June 21, 2018 B3. Did a former employee hack Tesla’s manufacturing software, take trade secrets, and transfer information outside the company? Was this for convenience, or was it theft? Or was it to give to the press?
Do you have adequate controls to prevent this? Or to discover it? Who’s responsible if your controls fail?
Will the directors or senior officers be punished? Did they fail in their obligations to protect the corporation’s assets? Or is it just the shareholders who pay? And pay, and pay.
Filed under Access, Board, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Management, Oversight, Protect, Protect assets, Protect information assets, Third parties, Value