Category Archives: Vendors

What you have, where you have it

A common starting point to information governance projects is to determine what information you have and where you have it.  Then you can start to manage it. But what happens if you don’t know what you have nor where you have it?

“Facebook Struggles to Find User Data,” The Wall Street Journal, June 28, 2018 B1. “The company can’t track where much of the [user] data went after it left the platform or figure out where is it now.”

A lot of the information is or was with app developers that are now out of business.  What happened to your/Facebook’s/their data?

Sure is easier to figure this out going forward than it is to figure out what happened between 2007 and 2015.  Especially if disclosure of some of that information is blocked by the government in far-off lands.  Or if the app developers don’t fancy having Facebook root through their servers and discovering their business secrets.  Or if Facebook doesn’t have a contractual right to get this information.

Sure would be easier if they’d had the proper controls in place at the time.


Leave a comment

Filed under Access, Controls, Corporation, Duty, Duty of Care, Governance, Government, Information, Internal controls, Oversight, Ownership, Ownership, Privacy, Protect assets, Security, Third parties, Vendors

What business are you in?

“Google Bans AI in Weapons,” The Wall Street Journal, June 8, 2018 B4. Google prohibits the use of certain of its artificial information technology in weapons systems.

Do you restrict how others can use your information?  How do you enforce that?  I thought Google was in the information business.

Leave a comment

Filed under Access, Controls, Duty, Governance, Information, Internal controls, Ownership, Policy, Third parties, Vendors

Equifax Hack went deeper

This is old news.  This post never made it out of “Drafts.”  But worthy of note.

The hack at Equifax that may have affected 145.5 million people went deeper than Equifax originally reported.

“Equifax:Hack Went Deeper,” The Wall Street Journal, February 10, 2018 B10.  In addition to names, addresses, driver’s license numbers, and Social Security Numbers, the hack may have reached tax id numbers, email addresses, and additional driver’s license information.

It’s comforting (?) to know that your personal email address isn’t considered either (a) yours or (b) “sensitive,” at least in the US.

Have any of the Equifax directors been sued by their shareholders?  The CEO retired.  The shareholders are paying for all this.

See, also, the post from February 11 about the spat between Equifax and Senator Warren about whether the hack reached passport numbers.

Leave a comment

Filed under Access, Board, Compliance, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, Oversight, Oversight, Ownership, Protect assets, Protect information assets, Security, Value, Vendors

To the surprise of no one

“Wells Kept Client’s Fund Fee Rebates,” The Wall Street Journal, May 10, 2018 B1.  Wells Fargo apparently failed to pass on fee rebates that Wells Fargo had received for a pension fund for which Wells Fargo acted as a trustee.

Whether it’s a process issue or a culture issue, lack of supervision, general incompetence, or a way of doing business, is anyone surprised?  Is it only at one pension fund?  Who knows?

Leave a comment

Filed under Accuracy, Compliance, Compliance (General), Controls, Corporation, Culture, Duty, Governance, Internal controls, Oversight, Supervision, Third parties, To report, Vendors

Barriers to entry

“Europe’s New Consumer Privacy Law Gives Edge to Tech Giants,” The Wall Street Journal April 24, 2018 A1.  The General Data Protection Regulation, which goes into effect next month, protects consumers but also gives Google and Facebook an advantage.

By wielding their power over advertisers and taking a strict interpretation of the law, Facebook and Google can make it really difficult for competitors to establish competing platforms.

Is this what the European regulators anticipated?

Leave a comment

Filed under Access, Compliance, Controls, Corporation, Duty, Governance, Privacy, Requirements, Third parties, Vendors

Privacy is dead; suspect under arrest

I don’t know what the record is for consecutive days on which one company’s screw-up was on the front page of The Wall Street  Journal, but Facebook is in the running.

“U.S., States Step Up Pressure on Facebook,” The Wall Street Journal, March 27, 2018 A1.  “[F]ederal regulators [including the FTC] … and 37 state attorneys general demanding explanations for [Facebook’s privacy] practices.” Stock price up 0.4% (when the market was up 669.40 points).  Demands/invitations that Zuckerberg (and Google and Twitter) testify before Congress.  And Europe hasn’t weighted in yet.

There is also a pop-up that describes FB’s practice of logging some calls and texts from Android phones.  Did you (we) know that?  Do you know what companies are doing with “your” data?  Do you care?  Privacy is dead; Facebook investigated as person of interest.

I guess that answers the question of who’s in charge:  the Feds and the states.  I guess I missed the outrage when essentially the same data was collected and used quite effectively by the Obama campaign.

Leave a comment

Filed under Compliance, Compliance (General), Controls, Corporation, Duty, Duty of Care, Governance, Government, Information, Internal controls, Legal, Oversight, Ownership, Privacy, Protect assets, Requirements, Third parties, Vendors, Who is in charge?


When disaster hits one part of your industry, other members often get hit, too, especially when customers get upset.  And the media smells blood.

“Facebook and Google Confront Antagonism of Big Advertisers,” The Wall Street Journal, March 26, 2018 A1.  Major advertisers demand more detail and accountability around ads and cost following the revelations about the use/misuse of user data and the accuracy of the viewing statistics.

Is the business model of selling access to data that isn’t really yours finally breaking down?

In a related piece, Facebook took out a full-page ad on page B12 in The Wall Street Journal that says, in part, “We have a responsibility to protect your information.  If we can’t, we don’t deserve it.”  Interesting admission that it’s your information, not theirs.  Still noodling on how that works through the courts.

Where to file this?  What does non-compliance with your information policies cost you?

Leave a comment

Filed under Access, Accuracy, Compliance, Compliance (General), Controls, Corporation, Duty, Governance, Information, Oversight, Ownership, Protect assets, Security, Third parties, Value, Vendors