“Chicago Sues Uber For Lag in Reporting Data Hack,” The Wall Street Journal, November 28, 2017 B4. Following the disclosure of the year-old breach of 57 million accounts, Uber is sued for consumer fraud and deceptive business practices, among other things.
There is the breach. And then your response to the breach. And then the regulators’ and the customers’ and the shareholders’ response to the breach.
“Wells Fargo Fires A Top Official,” The Wall Street Journal, November 18, 2017 B1. Head of commercial lending canned because he said bad things to a fellow employee about regulators (and how they were affecting golden parachute payments).
Think about that. He didn’t write it down; he just said it. Not outside the company, even.
True, his firing may have been expedited by all the other legal issues Wells Fargo has been having. But he may not have gotten much of a parachute.
Information controls apply to unwritten information, too.
“Russian Firm Was Long Seen as Threat,” The Wall Street Journal, November 18, 2017 A2. Questions as to the Kaspersky antivirus software company were raised by military intelligence in 2004, well before the 2013 threat assessment issued Pentagon-wide.
Who dropped the ball? Did the Russians have an inside track?
“SEC Accuses Long Island Town of Fraud,” The Wall Street Journal, November 24, 2017 B11. SEC alleges town failed to tell bondholders about special loan deals. Town feels victimized, as the town board didn’t know of the special deals.
If you have a duty to disclose certain information, and don’t disclose it, that is called either “failure to disclose” or “fraud.” Or a failure of management. There are certain things that, as a director, you are supposed to know.
Board members are fiduciaries.
“Whistleblower Alert Scrutinized,” The Wall Street Journal, November 24, 2017 B6. A year ago, the CEO gets a letter from an employee saying the company is committing fraud by overstating some metrics. Investors are later told the allegations are without merit, and invest $500 million. Now the investors are suing. We’re told that that suit is without merit, even though it looks like some metrics were overstated.
How do you handle continuing to operate your business after a whistleblower puts you on notice of potential wrongdoing? What audiences do you need to communicate with? Shareholders, government regulators, lenders, employees, others? What can you say without stumbling over an inconvenient truth or two?
Keeping a hack of your enterprise secret should be difficult. Some find it easy.
“Uber CEO Knew of Hack for Months,” The Wall Street Journal, November 24, 2017 A1. Uber was hacked in October 2016 (they say), affecting 57 million accounts. Less than Yahoo’s 3 billion, and Equifax’s 145 million. The CEO learned of the breach in September 2017, shortly before taking the top job. Uber also paid the hackers $100,000 to destroy some of the stolen data.
Would they have disclosed it at all if they weren’t seeking outside financing?
What’s your obligation to disclose to your customers that their information may have been stolen from you?
How do you protect against intrusions (including hacking and viruses and ransomware)? Policies and technology, mainly. How do you protect against internal breaches (phishing, etc.)? Policies, training, and a bit of technology. How do you respond to an actual breach? Policies and procedures, training, and technology.
In the response, keep the notice requirements in mind. The rules vary from state to state.
“States Quiz Equifax on Disclosure,” The Wall Street Journal, October 30, 2017 B1. Several states initiate investigations into Equifax’s delay in reporting after the hack that may have compromised the records of 145.5 million credit accounts. What did they know, when did they know it, and when did they report it, and to whom? Notice to the state, to the fed, to the consumers, and to investors? What’s reasonable, or what’s required by statute?
It’s all about notice. Given the business, should the directors have been on top of this?