Category Archives: Duty of Care

Catching up, part 3

Continuing from https://infogovnuggets.com/2019/01/04/catching-up-again/ and https://infogovnuggets.com/2019/01/04/catching-up-again-part-2/, and https://infogovnuggets.com/2019/01/04/catching-up-part-3/

  1. Conflicts with conflicts

    “Justice Department Chides McKinsey in Another Bankruptcy Case,” The Wall Street Journal, December 17, 2018.  McKinsey continues to fail to make what are viewed as adequate disclosures of conflicts when advising bankruptcy estates, and may not get paid for its work as a result.

  2. Voter data

    “Fight Over Voter Data Roils Democrats Ahead of Election,” The Wall Street Journal, December 17, 2018. Have Republicans been better than the Democrats at collecting and storing information?  What’s this worth?

  3. Your business partner wants you to call a shareholders’ meeting

    “Renault Urges Nissan to Call for Shareholder Meeting Following Nissan Indictment,” The Wall Street Journal, December 17, 2018.  Is this interfering with “your” governance?  Is this a compliance matter, or a partnership matter, where your partner is concerned that you are keeping your CEO as CEO while he sits in jail?

  4. Is a dance move “information”?

    “The ‘Fortnite’ Dance Move That Spawned a Lawsuit,” The Wall Street Journal, December 17, 2018.  While longer dance routines can be protected by copyright law (which was a bit surprising to me), not so (so far) for “snippets.”

  5. Hiding risk information may be a problem

    “Glencore-Controlled Miner to Be Fined by Canadian Authorities Over Congo Ops,” The Wall Street Journal, December 17, 2018.  Fine of $22 million for company and some of its former directors and executives for hiding the risks of doing business with someone connected to Congolese president.  Is a risk analysis information?  Can you hide that from the shareholders?

  6. Warning signs

    “Goldman Sachs Ignored 1MDB Warning Signs in Pursuit of Asian Business,” The Wall Street Journal, December 18, 2018.  Can chasing business too hard lead one to ignore important information and sidestep important controls?  What controls can you put in place to avoid having this happen to you?  Is this an oversight issue?  Do criminal charges and huge fines lie ahead?

  7. VW vendor pleads

    “Volkswagen Supplier to Plead Guilty to Conspiracy, Pay $35 Million Fine in Emissions-Cheating Probe,” The Wall Street Journal, December 19, 2018. Company that designed the software used to fool or, as some say, cheat, the emission test pleads guilty to crime and pays a fine to US.  VW has paid more than $20 billion.  Is this just compliance-related, or is there also an information hook here?  Designing software to work around a government test.

  8. Looking for a whistleblower

    “Barclays Fined $15 Million by New York Over CEO’s Anti-Whistleblower Push,” The Wall Street Journal, December 19, 2018.  The CEO had tried to use the company’s security department to locate the writer of a letter critical of a recent hire.  He pressed on, despite advice from the head lawyer and the chief compliance officer (costing him £642,000 in fines and £500,000 of his bonus).  So the shareholders pay more than the CEO did.  Go figure.

  9. Hiding the names of the guilty

    “Illinois Dioceses Withheld Names of Accused Priests, Report Says,” The Wall Street Journal, December 20, 2018.  Can you legally not disclose the name of an employee or a contractor who was accused of sexual abuse?  Is this a governance issue or a compliance issue or an information issue?  Or a reputation problem?

  10. Ethics and policies

    “Is It Really Five Stars? How to Spot Fake Amazon Reviews,” The Wall Street Journal, December 21, 2018. How Amazon goes about trying to separate the wheat from the chaff.  How does your company determine what’s a fake review and what’s the real deal?

  11. Information/price linkage

    “Room for Improvement? New Hotelier Tests an Algorithmic Pricing System,” The Wall Street Journal, December 22, 2018.  Using information about a customer and from a customer to establish the price for future sales to that customer.  Interesting linkages at a new hotel chain.

Filed under Collect, Communications, Compliance, Compliance (General), Controls, Corporation, Definition, Directors, Duty, Duty of Care, Employees, Governance, Information, Investor relations, Management, Oversight, Ownership, Privacy, Records Management, Risk assessment, Supervision, Third parties, To report, Use, Value, Vendors

Near-hits

It seems that several (most of?) the large privacy breaches have something in common: something smaller happened earlier that people didn’t pay enough attention to.

“Marriott’s Starwood Missed Chance to Detect Huge Data Breach Years Earlier, Cybersecurity Specialists Say,” The Wall Street Journal, December 2, 2018 (online).  There was a prior breach in 2015 that, some say, could have been investigated more thoroughly.

Might this happen in your business?  Say there’s a relatively minor breach, affecting a single client’s information.  Or a minor compliance issue.  You discover it and take action.  But does the breach itself indicate weaknesses in your system of controls that may have broader implications?  Do you change your training or other controls to reflect this experience, or the experience of others in your industry?

This brings to mind a common finding in accident investigations.  Something small happened that could/should have put you on notice.  But it was ignored or downplayed.

How does your organization deal with near-hits in the compliance or information governance space?  Is this part of oversight?  Or a part of effective knowledge management?

Filed under Analytics, Collect, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, IT, Knowledge Management, Management, Oversight, Privacy, Protect assets, Security, Third parties, Use

Did your consultant mislead the bankruptcy court?

That’s a serious charge.

“U.S. Watchdog Says McKinsey Misled Bankruptcy Court,” The Wall Street Journal, December 1, 2018 (online).  Did McKinsey make misleading disclosures about what conflicts of interest it might have had?  Was a related investment unit truly separate?

The point of this post is to highlight what can happen when one of your agents (and a consultant is an agent) makes an inadequate disclosure to a court about potential conflicts in connection with your case.  Are you liable?  Is your reputation damaged?  What’s that worth?  What controls do you have to prevent conflicts of interest by your consultants, and how do you police those controls?

Of course, you wouldn’t fail to disclose such a conflict yourself.

Filed under Controls, Corporation, Duty, Duty of Care, Governance, Information, Internal controls, Third parties, To report, Vendors

Making a list and checking it twice

So, you have a baby coming.  You establish a baby registry online, and list the items/gifts you want to receive.  And then the host of the registry accepts payments from vendors of baby products to add certain items to “your” list.

Is nothing sacred?

“New Parents Complain Amazon Baby-Registry Ads Are Deceptive,” The Wall Street Journal, November 29, 2018 (online).  Amazon accepts money from major companies to put “sponsored ads” on your list; there’s a small gray box saying “Sponsored.”  Nothing descriptive like, “Similar to things the mother-to-be actually wants.”

I guess you have to check to make sure that you check “your” list at least twice, to make sure that Amazon hasn’t made it theirs.  No bait, just switch.

Where’s the FTC on this? Would you buy from a company that paid to advertise on someone else’s gift registry, without asking?  Are they a bit scummy?  These aren’t small-time companies; advertisers buying the ads include Kimberly-Clark and Johnson & Johnson.  To sell baby products!

Next thing, they’ll be posting billboards on your roof and on your car. Without so much as a by-your-leave.

Filed under Accuracy, Compliance, Controls, Corporation, Culture, Data quality, Duty, Duty of Care, Governance, Information, Internal controls, Oversight, Ownership, Third parties, Value

Selling what isn’t yours

One profit model that seems to be working well is selling stuff that doesn’t belong to you.  Cuts your cost-of-goods-sold dramatically.

“Facebook Considered Charging for Access to User Data,” The Wall Street Journal, November 29, 2018 (online).  Facebook considered charging people to access user data.

Now, I guess that’s marginally different than letting third parties see the “Facebook” user data (i.e., the data of the users of Facebook) for free, in order to develop apps or whatever.  But isn’t it still the users’ information?  Oh, and it might be somewhat contrary to what the CEO said to Congress about Facebook’s policy of never selling user data.

Filed under Access, Collect, Compliance, Controls, Corporation, Culture, Duty, Duty of Care, Governance, Information, Internal controls, Management, Oversight, Ownership, Ownership, Third parties, To report, Use, Value

What happens when the boss gets jailed?

This blog tends to mention cases where senior executives get (or don’t get) punished for their alleged misdeeds.  The spin is often that the seniors don’t get punished as hard as the worker bees.

But what happens when the CEO gets put in jail for his or her alleged misdeeds, which may have led to under-reporting in the company’s financials for the past five years?

“Carlos Ghosn’s Arrest Rocks Auto Empire,” The Wall Street Journal, November 21, 2018 (online).  Nissan’s CEO jailed for allegedly under-reporting his earnings by several tens of millions of dollars.

How do you explain this to the worker bees?  What’s the culture at the top?  How did the Board not catch this?  Were there not controls in place?  Might the shareholders be a bit upset?

More a Governance and a Compliance issue, perhaps, although if one looks, one could find some information-related failures.

Filed under Board, Compliance, Compliance (General), Compliance Verification, Controls, Corporation, Culture, Culture, Data quality, Directors, Duty, Duty of Care, Governance, Internal controls, Oversight, Oversight

Coming up to speed

“Marriott Says Starwood Data Breach Affects Up to 500 Million People,” The Wall Street Journal, November 30, 2018 (online).  Data breach potentially affecting passports and credit cards of as many as 500 million guests at Marriott’s Starwood properties, which were acquired in 2016.  They knew about this in September, but it reflects a breach that may go back to 2014.

So, two years after an acquisition, the target’s information security practices blow up in the acquiror’s face.  What does that say about the acquiror’s duty to integrate the data practices and controls around information protection?

Does your M&A team think about information governance issues?  Is that an identified risk, with an identified (and owned) action plan?  Did the Board identify this as a risk?  Was the value of this information considered part of the transaction value?  How was that reflected?

Filed under Board, Compliance, Compliance Verification, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Value

Too much information?

“Boeing Withheld Data On Potential Hazards,” The Wall Street Journal, November 13, 2018 A1.  Did Boeing fail to disclose potential problems with its new flight-control feature?  Was that a factor in the Lion Air crash in Indonesia, killing 189 people?

Maybe this feature didn’t factor into the crash; we’ll have to wait for the cockpit voice recorder and the flight data recorder.  But if you know something and don’t tell other people who would like to know — well, that’s bad.  Even if you didn’t want to confuse them by providing them too much information.  Was it better “marketing” to tell their customers that they wouldn’t need as much training?

How do you decide how much information to provide your customers?  Are there problems you don’t mention?  Why?

Filed under Access, Accuracy, Communicate, Communications, Controls, Corporation, Data quality, Duty, Duty of Care, Governance, Information, Internal controls, Management, Risk assessment, Third parties

The government does it better

In the macro sense, one of the bits of information that we own, manage, and hopefully control is who we are. How does the government control and manage this?

“Banks Find Solutions for ID Fraud at DMV,” The Wall Street Journal, November 13, 2018 B10.  Banks may use DMV databases to verify your online identity, because establishing your identity to get a driver’s license normally involves appearing in person and providing supporting documents.

Key to the process at the DMV is the trained person who checks your supporting documents.  The banks want to leverage that person’s knowledge and experience, rather than relying on a bank manager to do it.

Where else in our lives do we rely on government employees rather than ourselves as a critical control?

Filed under Access, Accuracy, Controls, Data quality, Definition, Duty of Care, Governance, Information, Internal controls, Knowledge Management, Operations, Oversight, Privacy, Protect assets, Third parties, Use

Indicted

A Tesla employee is indicted for creating fake documents to cover up a fake-payment scheme.  “Former Tesla Employee Is Indicted,” The Wall Street Journal, November 12, 2018 B5.

Companies have a lot of controls to prevent fraud by employees, and often these controls work.  Why are there more such controls to prevent financial fraud than to prevent violations of other company procedures, such as those related to document creation, retention, and storage?

One wonders whether, in the aggregate, companies lose more money through poor document management and control than they lose through financial fraud.  How would one conduct such a study?

Filed under Accuracy, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Oversight, Protect assets, Records Management, Security, Third parties, Value, Vendors