Category Archives: Communications


This blog looks at the intersection of Information, Governance, and Compliance.  Normally, when one hears “Compliance,” one assumes it means compliance with law.  But Compliance also extends to compliance with policy.

“Barnes & Noble Cites Policy In Firing,” The Wall Street Journal, July 5, 2016 B1.  B&N CEO and a member of the board fired after a little more than a year for violation of a so-far-undisclosed company policy.  No severance package.  Ouch.

What sort of message does that send to the rank and file when the CEO gets punished for violating company policy?  Does that extend beyond the policy the CEO is accused of violating?  Is that why the specific policy wasn’t mentioned?

I assume this was for a violation more serious than failing to follow the company’s Records Retention Policy.  But aren’t all violations of company policy by the CEO equally serious? Aren’t all violations of policy equal, or are there capital “P” policies, and small “p” policies?  How does an employee tell the difference?

And the company chose to publicize at least the basic reason for the firing; does it do that in all firings for policy non-compliance?  Does the CEO have more or less privacy rights than the lowest-paid employee?



Filed under Board, Communications, Compliance, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Employees, Governance, Internal controls, Policy, Privacy

Telling the truth is a journey

“Facebook Details Data Sharing,” The Wall Street Journal, July 2, 2018 A1.  Facebook “expands” its answer to the question, “Who else saw our data?”  Apparently, a lot more people than Facebook said originally.  A bunch of special deals and exemptions from Facebook’s “policy.”

So, apparently Facebook does not have a personal relationship with the truth, but they sure have your information.

One expects further revelations in the months ahead.


  • Lying is not an effective communications strategy
  • When you’re being investigated, either tell the truth or say “I don’t know.”
  • The only person who can grant an exception to a policy is the person who issued the policy (or their superior)
  • Strictly enforce your company policies, or they won’t help much
  • Treat my data with as much care as you treat your data


Filed under Accuracy, Communications, Compliance, Controls, Corporation, Culture, Duty, Governance, Internal controls, Investor relations, Oversight, Policy, Privacy, To report

Compliance incentives

“CFPB Decides Not to Fine Citi on Overcharges,” The Wall Street Journal, June 30, 2018 B12.  Company failed to lower credit card interest rates for some customers when it should have.  It will refund the overcharges and fix its practices, but won’t pay a fine.

Citi self-reported, and proposed full restitution.

Would this have happened under the prior Director at the CFPB?  Or would the offense have led to a large fine as well?  To what purpose?


Filed under Accuracy, Communications, Compliance, Compliance (General), Controls, Corporation, Duty, Duty of Care, Governance, Internal controls, Oversight, To report

Encryption, point-to-point

“Emails Add to the Turmoil at WPP,” The Wall Street Journal, June 29, 2018 B2. A company technician recovered WhatsApp messages from the phone of a former employee; these messages were then sent by encrypted email to a few employees.  Technician who recovered the messages has also left the company. [BTW, messages on WhatsApp are encrypted point-to-point, but are recoverable from a device that received them.]

What happens to messages on your company phone when you leave?  Do you care?  Do you use encryption to send messages anonymously?  Why?

These messages were in an account used to coordinate the former CEO’s travel.  And maybe for other stuff.  The CEO already resigned.



Filed under Access, Communications, Controls, Corporation, Duty, Duty of Care, Employees, Governance, Information, Internal controls, IT, Policy, Privacy, Protect assets, Security

Poster boy for Information Governance

Years ago, while teaching a course to MBA students at Rice University, I used the Target credit card breach as a case study.  It touched a lot of bases.  Now we have a better one.

While there have been a lot of information governance-related stories in the news over the past two years, including Equifax and Facebook and VW and Wells Fargo, my nominee for the one name associated with the most significant teaching example in information governance and compliance is the former FBI Director, James Comey.

First, he gave us The Day That Information Governance Died, with his July 5, 2016 pronouncement that, notwithstanding her clear violations of several applicable laws dealing with the handling of confidential or secret information (and the destruction of information subject to a subpoena), Secretary Hillary Clinton’s use (and wiping) of a private server to store government email was not going to be prosecuted.  Such a pronouncement deviated “‘from well-established Department policies’” that the FBI does not comment about ongoing criminal investigations.

Then he wrote a memo ostensibly commemorating a meeting he had with his boss on government business on a government computer (while in a government vehicle) during the work day, and declared that that was his personal correspondence that he could (and did) distribute as he pleased.

And now we learn that he conducted government business over his own private Gmail account {that information does not appear in the WSJ article – Ed.}, and actively avoided his boss’ oversight (and his bosses failed to adequately supervise him).  “Report Blasts FBI Agents, Comey Over Clinton Probe,” The Wall Street Journal, June 15, 2018 A1. Inspector General releases his report on the Clinton Investigation.


  • Violations of law are not enforced
  • Evidence is destroyed notwithstanding a subpoena
  • Senior employees ignore long-standing policy
  • Senior employees treat documents prepared by them in the course of business as their personal information
  • Senior employees use private email accounts to transact government business
  • Employees hide things from their bosses
  • Bosses failed to adequately supervise their reports

And this is at the FBI, by a lawyer.

Does anyone wonder why we have a hard time getting traction on information governance initiatives?  Certainly an argument for an Information Governance case study of just the Clinton email investigation and its aftermath.  Not sure you could cover it all in one semester, at both law schools and business schools.



Filed under Communications, Compliance, Compliance (General), Controls, Culture, Discovery, Duty, Duty of Care, Employees, Governance, Government, Information, Internal controls, Lawyers, Managers, Oversight, Ownership, Ownership, Policy, Requirements, Supervision, Who is in charge?

What politically sensitive information do you have on your phone?

“Spies Make Push Into Phone-Hacking,” The Wall Street Journal, June 8, 2018 B4. Governments increase attempts to hack mobile phones to access the vast troves of data there.

Well, of course they wouldn’t do that in the US.  Would they?


Filed under Access, Communications, Controls, Duty, Governance, Government, Internal controls, IT, Oversight, Privacy, Security, Third parties

Details matter

“New Math: Firms Repair CEO Pay Flubs,” The Wall Street Journal, May 31, 2018 B4. Lots of mistakes being made in disclosure about how much money the CEO really makes.

Curious as to why all the mistakes are reports that are too low rather than too high?  Except for Warren Buffett, who gets paid $100,000 a year, but also gets ~$400,000 in security services at his home, where he works a lot.

What does it say when even the company doesn’t know what the CEO gets paid?  Isn’t this information that they should manage a bit better?


Filed under Accuracy, Communications, Compliance (General), Controls, Corporation, Data quality, Duty, Governance, Internal controls, Oversight, To report