Category Archives: Duty of Care

Information delayed

“Advertisers Allege Facebook Put Off Disclosing Error,” The Wall Street Journal, October 17, 2018 B1.  Facebook sued two years ago for knowing the statistics on how long users were looking at videos were flawed, overstating the average time videos were viewed but failed to let the advertisers know.  So advertisers paid for posting videos based on inaccurate information from the seller (Facebook).

I guess one could comment on the culture at Facebook that would permit this behavior, or upon the Compliance implications of the apparent failure to punish anybody (employees, directors) for this apparent breach of customer trust. But instead one could focus on how much value Facebook derived from not disclosing information about known defects in its processes.  So, either (a) the definition of Information includes information you don’t disclose or (b) the value of information can include the value of not disclosing it.

The documents turned over in discovery are not favorable to FB.

Leave a comment

Filed under Accuracy, Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Data quality, Definition, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Oversight, Reliance, Supervision, Technology, To report, Value

Hiding another ball

“HSBC to Pay $765 Million in U.S. Pact,” The Wall Street Journal, October 10, 2018 B12.  Bank hid the risks of defective mortgages for at least 2 years.  Sold mortgaged-back securities in the meantime.

“Wells Fargo … [paid] $2.09 billion to settle similar claims.”  Four other banks also settled.

Why do we keep our money in banks?  Weren’t they supposed to be safe?  What does it say about the Boards of these companies?  Did the directors screw up?

Leave a comment

Filed under Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Investor relations, Oversight, Protect assets, Supervision, To report

Hiding the ball

“Google Hid Data Breach for Months,” The Wall Street Journal, October 9, 2018 A1.  Alphabet hid or failed to disclose the breach of “hundreds of thousands of users” for six months, to avoid “regulatory scrutiny and … reputational damage.”  Data accessed between 2011 and 2018.

What did the delay in notification cost customers? Did Google care?  Who at Google knew, and are they still employed?  Why?

Don’t be evil.

Leave a comment

Filed under Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Duty, Duty of Care, Governance, Information, Internal controls, IT, Privacy, Security, To report

FB in the news. Again.

“Facebook Hackers Access Nearly 50 Million Accounts,” The Wall Street Journal, September 29, 2018 A1.  Unknown hackers may have gotten access as early as July 2017 by exploiting flaws in the system’s code.  May have taken over your account and gotten to your posts and private messages, and may have the credentials to access other services, like Tinder and Spotify.

Is Facebook responsible for making sure its site is secure?  How did the executive in charge of safety and security miss this?  Does the Board at Facebook have liability?  Facebook no longer has a Chief Security Officer.

1 Comment

Filed under Access, Board, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, IT, Oversight, Oversight, Protect assets, Protect information assets, Security, Technology, Third parties

It’s not what you don’t say

“Hiring Hazard: Social Media,” The Wall Street Journal, August 6, 2018 B1.  What happens when you hire (or don’t hire) someone with a “history” of social media postings, some of which may now (or then, or both) be viewed as objectionable?

An editorial writer for a major newspaper is found to have written some racist comments.  A director gets booted from Disney for old tweets. Major league ball players get shamed.

Do the Europeans have it right?  Do you have a right to be forgotten?  Or are you stuck with what you said or wrote years ago, provided that it is preserved electronically?  You did say it, in preservable format.

Is this Governance (or self-governance)?  O the nature of Information?  Or Compliance with ever-evolving social mores?

Leave a comment

Filed under Access, Accuracy, Communications, Duty, Duty of Care, Governance, Ownership, Privacy

Gee, what could go wrong?

“Facebook Asks Banks for Customer Data,” The Wall Street Journal, August 7, 2018 A1. “[T]o offer new services to users,” Facebook asks banks for “detailed financial information about their customers.”

I can see what’s in it for Facebook, and maybe for the banks.  But isn’t this your information?  Shouldn’t you have some control what the banks do with it?  Are you comfortable with the controls the banks and Facebook will place on this information?  It might be convenient for you, but at what risk?

Do we remember Cambridge Analytica?  Will Facebook try to do this in Europe?

To whom do you complain?  Your elected representative?  Your bank?  The state or federal regulators?

1 Comment

Filed under Access, Controls, Corporation, Duty, Duty of Care, Governance, Information, Internal controls, Investor relations, IT, Oversight, Ownership, Privacy, Protect assets, Security, Third parties, Uncategorized, Who is in charge?

Oops.

“Vanguard Messes Up Messages To Clients,” The Wall Street Journal, July 26, 2018 B10.  Money manager with over $5 trillion in assets under management sends text messages to clients that the money manager had processed loans against their 401(k) accounts.  But the customers hadn’t requested the loans.

Imagine the customer reaction.

How important is it to get your client communications right the first time?  Are you in the trust business?  Is claiming a “systems issue” enough?

Leave a comment

Filed under Accuracy, Communications, Controls, Corporation, Data quality, Duty, Duty of Care, Governance, Information, Internal controls, Investor relations

Your vendors

This blog focuses more on the intersection of Governance, Information, and Compliance than on the implications of information security.  But the topics do overlap.

So, what controls do you have in place to prevent from someone accessing your computer and changing the information there or, as important, changing how your computer operates?  That’s an identified risk, right?

“Russia Hacks Its Way Into U.S. Utilities,” The Wall Street Journal, July 24, 2018 A3.  Russian hackers gain access to sensitive information at utilities by compromising the utilities’ vendors and their access to the utilities’ systems.  Can the hackers take control of those systems or shut them down?

Does anyone recall the name of the HVAC contractor that was the entry point for the Target hack several years ago?  Contractors can be a massive IT security risk.

Is this part of Information Governance?

What duties do the directors of the utilities have to make sure processes are in place to prevent third parties from causing harm by accessing the company’s information and process control systems?  And to control the third parties who do have that access?  Is there a process?

Leave a comment

Filed under Access, Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Third parties, Vendors

Fraudster

“Theranos Settle Investor Suit As Firm Runs Low on Funds,” The Wall Street Journal, July 23, 2018 B3.  Investors alleged Theranos had defrauded them by making false statements about the company’s technology.

This joins the long (and growing) list of people suing for harm caused by this company.  Are the directors in the dock?  The CEO and former president are.

False statements are information, in a sense.  The is the kind of basic, bog standard stock fraud that led to the creation of the SEC.

Who’s going to get the last drop of blood out of this stone?

Leave a comment

Filed under Board, Communications, Compliance, Compliance, Compliance (General), Controls, Corporation, Culture, Data quality, Definition, Directors, Duty, Duty of Care, Employees, Governance, Inform shareholders, Information, Internal controls, Investor relations, Oversight, Oversight, Protect information assets

Protecting key information

“Hacker Allegedly Tried to Sell Drone Data,” The Wall Street Journal, July 12, 2018 A3.  Hacker tries to sell maintenance documents for a drone, documents stolen from a Air Force officer’s computer.

How well does the government protect sensitive information?  Apparently, the hack exploited the failure to properly configure a router.

What happened to the Air Force officer, who apparently failed to adequately protect classified information?  The IT guy who configured the router?

Leave a comment

Filed under Access, Compliance, Compliance (General), Controls, Duty, Duty of Care, Governance, Government, Information, Internal controls, IT, Policy, Protect assets, Security