Category Archives: Government

Poster boy for Information Governance

Years ago, while teaching a course to MBA students at Rice University, I used the Target credit card breach as a case study.  It touched a lot of bases.  Now we have a better one.

While there have been a lot of information governance-related stories in the news over the past two years, including Equifax and Facebook and VW and Wells Fargo, my nominee for the one name associated with the most significant teaching example in information governance and compliance is the former FBI Director, James Comey.

First, he gave us The Day That Information Governance Died, with his July 5, 2016 pronouncement that, notwithstanding her clear violations of several applicable legal laws dealing with the handling of confidential or secret information (and the destruction of information subject to a subpoena), Secretary Hillary Clinton’s use (and wiping) of a private server to store government email was not going to be prosecuted.  Such a pronouncement deviated “‘from well-established Department policies'” that the FBI does not comment about  ongoing criminal investigations.

Then he wrote a memo ostensibly commemorating a meeting he had with his boss on government business on a government computer (while in a government vehicle) during the work day, and declared that that was his personal correspondence that he could (and did) distribute as he pleased.

And now we learn that he conducted government business over his own private gmail account {that information does not appear in the WSJ article – Ed.}, and actively avoid his boss’ oversight (and his bosses failed to adequately supervise him).  “Report Blasts FBI Agents, Comey Over Clinton Probe,” The Wall Street Journal, June 15, 2018 A1. Inspector General releases his report on the Clinton Investigation.


  • Violations of law are not enforced
  • Evidence is destroyed notwithstanding a subpoena
  • Senior employees ignore long-standing policy
  • Senior employees treat documents prepared by them in the course of business as their personal information
  • Senior employees use private email accounts to transact government business
  • Employees hide things from their bosses
  • Bosses failed to adequately supervise their reports

And this is at the FBI, by a lawyer.

Does anyone wonder why we have a hard time getting traction on information governance initiatives?  Certainly an argument for an Information Governance case study of just the Clinton email investigation and its aftermath.  Not sure you could cover it all in one semester, at both law schools and business schools.



Leave a comment

Filed under Communications, Compliance, Compliance (General), Controls, Culture, Discovery, Duty, Duty of Care, Employees, Governance, Government, Information, Internal controls, Lawyers, Managers, Oversight, Ownership, Ownership, Policy, Requirements, Supervision, Who is in charge?

Apple ≠ Facebook ≠ Google

Apple seems to be taking a different approach than Facebook or Google.

“iPhone Change To Block Police,” The Wall Street Journal, June 14, 2018 B1.  Apple “fixes” the technical hole that allows the authorities to break into the iPhone of a criminal or suspected criminal.

Is Apple more or less concerned about privacy of its users than either Google or Facebook is concerned about the privacy of their customers?  What about Apple’s demonstrated desire to block government access?  Is that more like Google (use of Google AI in weapons systems) or like Facebook (oh, heck, we’ll let just about anyone see our users’ data)?

Is controlling access to user data Governance?  Or is it a feature?  Whom do you trust more?

Leave a comment

Filed under Access, Controls, Corporation, Culture, Duty, Duty of Care, Governance, Government, Internal controls, IT, Oversight, Policy, Privacy, Protect assets, Security, Third parties

What politically sensitive information do you have on your phone?

“Spies Make Push Into Phone-Hacking,” The Wall Street Journal, June 8, 2018 B4. Governments increase attempts to hack mobile phone to access the vast troves of data there.

Well, of course they wouldn’t do that in the US.  Would they?

Leave a comment

Filed under Access, Communications, Controls, Duty, Governance, Government, Internal controls, IT, Oversight, Privacy, Security, Third parties

Current, accurate, and complete

When decision-makers want information upon which to make decisions, they would like to that that information be current, accurate, and complete.  Don’t we all?

“Court Backs Purge of Voter Rolls,” The Wall Street Journal, June 12, 2018 A3.  Supreme Court allows Ohio to prune its voter rolls of people who haven’t voted in a long time and who don’t reply to an inquiry as to their status.

One would expect the government would take some care in maintaining its voter rolls.  Helps provide some integrity to the process.  Is that information governance?  But we want to make sure there’s a robust process to prevent inappropriate pruning.

Is this an analog for defensible deletion?

Leave a comment

Filed under Records Management, Governance, Controls, Third parties, Internal controls, Oversight, Duty, Accuracy, Government

Compelled speech

“HHS Probes Rules on Giving Abortion Information,” The Wall Street Journal, June 1, 2018 A4.  HHS Office for Civil Rights investigates state requirements that crisis pregnancy centers must advise women about abortion services.

Leave the political/moral issues aside, and look at this from an information governance perspective.  Who mandates what information you must provide to your customers?  And are they (the mandaters) allowed to require that?

What are the limits on the government’s ability to require you to provide information to third parties? Is the U.S. Constitution a law or a policy?  Or is it Governance?

Leave a comment

Filed under Communications, Compliance, Compliance (General), Controls, Corporation, Duty, Governance, Government, Internal controls, Third parties, Who is in charge?

Too candid camera

“Spy Squad Fights Hidden Cameras,” The Wall Street Journal, June 4, 2018 A8. A team of 50 sweeps public restrooms in Seoul, Korea, searching for hidden cameras.

Yes, there are laws against placing such cameras in restrooms.  But as a part of Governance, don’t you need to check that people are complying?  The technology is widely available at low prices.  Does your company sweep “common rooms” for “surveillance devices”?  Should they?  What about hotels and locker rooms?  Or Air B&B’s?

This seems to fall somewhere between Privacy and Hacking.  Or somewhere.

Leave a comment

Filed under Access, Compliance, Compliance (General), Controls, Duty, Governance, Government, IT, Oversight, Privacy, Security, Technology

Risk and Developers

After Hurricane Harvey, Houston residents could be heard asking, “What building developer would decide to build houses in a flood plain?” “Why would a City Official push such a project?” “Who would buy a house there?” “How would they ever get insurance?”  Similar discussions in flood-prone areas in Florida.

“Homes Were Built Despite Documented Lava Threat,” The Wall Street Journal, May 29, 2018 A3.  Affordable homes were built in an area with a history of lava risk.

Did we have any controls in place?  How were these controls implemented?  How many of them failed?  Who is responsible/accountable?

Next thing you know, we’ll rebuild houses in the same site.  Somebody else will pay for it.

If you always do what you’ve always done, you will always get what you always got.

Leave a comment

Filed under Communications, Controls, Corporation, Duty, Duty of Care, Governance, Government, Oversight, Supervision