One unique aspect of information is that it can be stolen, yet remain in the owner’s possession. Apparently, medical facilities are required to report if your medical information is stolen, but not if it is merely kidnapped and held for ransom.
“Some Cyberattacks Go Unreported,” The Wall Street Journal, June 19, 2017 B3. Whether hospitals need to report a ransomware attack on their files as a data breach is a “gray area,” and the federal government doesn’t require such reports, even if the government knows about them. Some hospitals don’t report ransomware attacks, so these attacks are not in the HHS statistics.
So, patients don’t know when hospitals have weak security protection. What value, then, are the government statistics? Do they need a big asterisk?
Filed under Controls, Corporation, Data quality, Duty, Government, Information, Internal controls, IT, Legal, Requirements, Security, Third parties, To report, Value
One might suppose accountability and responsibility apply to CEOs. Then, again ….
“Gymnastics Boss Paid Severance,” The Wall Street Journal, June 3, 2017 A9. The CEO, who was nominally in charge when the team doctor for the women’s gymnastics team allegedly abused female gymnasts, gets a $1 million severance package.
One wonders what the Board would have paid him if they fired him for cause. The gymnastics federation reportedly sat on the results of an internal investigation of the sexual abuse allegations for five weeks. The CEO said the federation didn’t have an obligation to report sexual abuse by its coaches to law enforcement. Didn’t the ex-president of Penn State just get sentenced to jail for similar acts or omissions?
One of the Board’s fundamental jobs is to hire the CEO; another is oversight. Everyone has a duty to report violations of law. It would appear either the Board or the CEO or the Federation wasn’t doing its or his job. Maybe the Board gets severance, too. What do the shareholders get?
Filed under Board, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, Oversight, To report
Does your radar go wild when someone suggests delaying the report of information?
“Sunrun Sales Data Seen as Skewed,” The Wall Street Journal, May 23, 2017 B1. In the run-up to the company’s IPO, some managers were told by their managers to hold off on reporting a number of canceled contracts. Reporting this information would have reduced the sales numbers, as the canceled contracts were a large percentage of total orders.
What does it say about a culture where the bosses ask managers to do this type of thing? And no one says, “No”? Was no one bright enough to connect the dots? What else is suspect? Are employees clueless as to their common law duties to report wrong-doing or deviations from company processes?
Filed under Accuracy, Compliance, Controls, Culture, Data quality, Duty, Employees, Governance, Internal controls, Management, Managers, Oversight, Supervision, To report
I was torn between four different pieces in the WSJ today:
“Big Pay Day for Mylan Chairman,” The Wall Street Journal, May 3, 2017 B3. What does it say when the company that charges $600 for a two-pack of a delivery mechanism for $1.25 worth of epinephrine pay its chairman $100 million? Guess what that culture’s like.
“Molina Healthcare Replaces Top 2 Executives,” The Wall Street Journal, May 3, 2017 B3. Company removes two family members after poor financial returns (but they’ll stay on the Board). Guess charity doesn’t begin at home. Removing someone for poor performance is one thing; next they’ll remove people for violating the law, or company policy. But Thanksgiving’s going to be a bear.
“Beijing Places Curbs On Online News Portals,” The Wall Street Journal, May 3, 2017 B4. Managing information includes denying access to it. So much for net neutrality.
But I decided to go with “Berkshire Faces Pressure Over Political Disclosure,” The Wall Street Journal, May 3, 2017 B5. Vote on whether the company should disclose the amount of political contributions it makes, and to whom. Were I a shareholder, I might ask whether those expenditures were for the benefit of the company or for the benefit of incumbent management. But shouldn’t shareholders be able to ask the question and get the answer? Citizens United is fine, but disclosure to the shareholders makes sense, so they can decide whether to stay invested.
Filed under Access, Board, Controls, Corporation, Culture, Duty, Employees, Governance, Inform shareholders, Internal controls, Investor relations, Ownership, To report
Without getting into the politics, there are a lot of lessons from the current kerfuffle over Susan Rice and the unmasking of names in security reports.
- If one defines “Information Governance” as how an organization manages its information, and
- the names of the US citizen(s) are clearly information received in the course of the organization’s business, and
- Ms. Rice was clearly an employee (and therefore an agent) of the organization
Then we get insight into how the organization manages that information.
How does the organization restrict who can see what? How does it restrict and track the transfer of that information, and how does it restrict or control the storage of that information? These restrictions are designed to make sure that agents of the organization comply with the applicable statutes and policies against disclosure and misuse. Who “owns” this information? Who (beyond the person who doesn’t follow the restrictions) in the organization is responsible (and accountable) if those restrictions are not followed? Can people injured by the breach (if any) sue the organization whose agent breached the law? How does the behavior here measure up against the ten-part measuring stick of compliance under the Federal Sentencing Guidelines Manual, and if the answer is “not well,” then who gets penalized? Who, if anyone, had a duty to report up when they saw that information had been unmasked and distributed (if indeed it was distributed)?
Interesting parallels to the Information Governance issue in the corporate environment.
“House Panel Wants Rice to Testify,” The Wall Street Journal, April 5, 2017 A1.
Filed under Access, Compliance, Controls, Corporation, Duty, Employees, Governance, Government, Internal controls, Management, Oversight, Supervision, To report
No, not that President.
The former president of Penn State University was convicted of child endangerment connected with the Jerry Sandusky scandal, for not telling the authorities about a complaint of allegedly inappropriate conduct in order to preserve the university’s reputation. “Ex-College Head Guilty In Sandusky Case,” The Wall Street Journal, March 25, 2017 A2 (U.S. Watch).
A couple of points.
First, the president of a corporation is responsible for his or her own acts, even if the corporation hasn’t (yet) been held vicariously liable for the criminal act.
Second, the common law duty to report violations of law or policy applies to all employees, even the president. If the president had reported this to the Board (or its close friend, the Compliance Department), and the Board didn’t act (disclose to authorities), would criminal liability against the corporation be easier to establish?
Third, as far as I know, the corporation hasn’t been criminally charged. Why not?
“Former SunEdison Executives File Suit,” The Wall Street Journal, February 25, 2017 B3. Company allegedly told a different story to investors than it was discussing internally, and managers were instructed to make more optimistic projections. Two executives took their concerns to the Board, and were then replaced.
Employees have a duty to report concerns upwards. The company has a duty to its shareholders and to the market to disclose material information. Directors have a duty to the corporation and its shareholders to provide oversight and to handle reports of wrongdoing appropriately.
Watch this space. A chance for a Maryland court to look at Caremark, a Delaware case dealing with a director’s duty to provide oversight, and how derivative actions get decided.
Filed under Board, Compliance, Corporation, Directors, Duty, Employees, Governance, Inform market, Inform shareholders, Investor relations, Oversight, Supervision, To report