“Amazon Delves Into Health Data,” The Wall Street Journal, July 2, 2018 B3. Amazon buys a company with a bunch of personal health information.
It’s not like Amazon doesn’t already have to deal with a whole host of privacy regulations, including the EU’s and, more recently, California’s. But personal medical information is different, and subject to different controls.
How does a company that lives on finding relationships in large bodies of information deal with information that can’t be used freely?
Filed under Access, Analytics, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, Oversight, Policy, Privacy, Third parties
People knew the shooter in Annapolis was a danger to the newspaper. Employees were warned. Police investigated his online comments and determined he was not a threat. Employees were told to call 911 if they saw him.
Five years later, he killed five people with a shotgun.
“Newspaper Warned About Shooter,” The Wall Street Journal, June 30, 2018 A3.
Maybe that’s why the police got there in under a minute.
Filed under Controls, Corporation, Directors, Duty, Duty of Care, Governance, Government, Internal controls, Oversight, Third parties, To report
“CFPB Decides Not to Fine Citi on Overcharges,” The Wall Street Journal, June 30, 2018 B12. Company failed to lower credit card interest rates for some customers when it should have. It will refund the overcharges and fix its practices, but won’t pay a fine.
Citi self-reported, and proposed full restitution.
Would this have happened under the prior Director at the CFPB? Or would the offense have led to a large fine as well? To what purpose?
Filed under Accuracy, Communications, Compliance, Compliance (General), Controls, Corporation, Duty, Duty of Care, Governance, Internal controls, Oversight, To report
“Former Equifax Manager Is Charged,” The Wall Street Journal, June 29, 2018 B3. To respond to the huge privacy breach at Equifax last year, the company set up a website to help some of those affected. The former software manager setting up that website bought some options, betting that Equifax’s stock would go down once the breach was discovered. He faces criminal and civil charges.
Who would have thought a software engineer needed insider trading education?
Filed under Access, Compliance, Compliance (General), Controls, Culture, Duty, Duty of Care, Employees, Governance, Internal controls, Legal, Oversight, Policy, Protect assets, Requirements
“Emails Add to the Turmoil at WPP,” The Wall Street Journal, June 29, 2018 B2. A company technician recovered WhatsApp messages from the phone of a former employee; these messages were then sent by encrypted email to a few employees. The technician who recovered the messages has also left the company. [BTW, WhatsApp messages are end-to-end encrypted in transit, but they are stored in readable form on a device that received them, and so are recoverable from it.]
What happens to messages on your company phone when you leave? Do you care? Do you use encryption to send messages anonymously? Why?
These messages were in an account used to coordinate the former CEO’s travel. And maybe for other stuff. The CEO already resigned.
Filed under Access, Communications, Controls, Corporation, Duty, Duty of Care, Employees, Governance, Information, Internal controls, IT, Policy, Privacy, Protect assets, Security
A common starting point to information governance projects is to determine what information you have and where you have it. Then you can start to manage it. But what happens if you don’t know what you have nor where you have it?
“Facebook Struggles to Find User Data,” The Wall Street Journal, June 28, 2018 B1. “The company can’t track where much of the [user] data went after it left the platform or figure out where it is now.”
A lot of the information is or was with app developers that are now out of business. What happened to your/Facebook’s/their data?
Sure is easier to figure this out going forward than it is to figure out what happened between 2007 and 2015. Especially if disclosure of some of that information is blocked by the government in far-off lands. Or if the app developers don’t fancy having Facebook root through their servers and discovering their business secrets. Or if Facebook doesn’t have a contractual right to get this information.
Sure would be easier if they’d had the proper controls in place at the time.
Filed under Access, Controls, Corporation, Duty, Duty of Care, Governance, Government, Information, Internal controls, Oversight, Ownership, Privacy, Protect assets, Security, Third parties, Vendors
A simple compliance case. An employee shares confidential information with a few friends and they trade stocks based on that information. The employee (now suspended) and the two friends were arrested on criminal insider trading charges. The employer is cooperating with the SEC’s investigation. Civil charges pending, too.
“Analyst Arrested On Insider Charges,” The Wall Street Journal, June 27, 2018 B12. An S&P Global Ratings employee allegedly disclosed information about the acquisition of Valspar by Sherwin-Williams.
What separates this from the other run-of-the-mill insider trading cases is the fact that the employee apparently denied knowing his two lifelong friends.
Lying to the Feds is not a good strategy.