“Former Equifax Manager Is Charged,” The Wall Street Journal, June 29, 2018 B3. To respond to the huge privacy breach at Equifax last year, the company set up a website to help some of those affected. The former software manager setting up that website bought some options, betting that Equifax’s stock would go down once the breach was discovered. He faces criminal and civil charges.
Who would have thought a software engineer needed insider trading education?
Filed under Access, Compliance, Compliance (General), Controls, Culture, Duty, Duty of Care, Employees, Governance, Internal controls, Legal, Oversight, Policy, Protect assets, Requirements
“Emails Add to the Turmoil at WPP,” The Wall Street Journal, June 29, 2018 B2. A company technician recovered WhatsApp messages from the phone of a former employee; these messages were then sent by encrypted email to a few employees. The technician who recovered the messages has also left the company. [BTW, messages on WhatsApp are encrypted point-to-point, but are recoverable from a device that received them.]
What happens to messages on your company phone when you leave? Do you care? Do you use encryption to send messages anonymously? Why?
These messages were in an account used to coordinate the former CEO’s travel. And maybe for other stuff. The CEO already resigned.
Filed under Access, Communications, Controls, Corporation, Duty, Duty of Care, Employees, Governance, Information, Internal controls, IT, Policy, Privacy, Protect assets, Security
A common starting point to information governance projects is to determine what information you have and where you have it. Then you can start to manage it. But what happens if you don’t know what you have nor where you have it?
“Facebook Struggles to Find User Data,” The Wall Street Journal, June 28, 2018 B1. “The company can’t track where much of the [user] data went after it left the platform or figure out where is it now.”
A lot of the information is or was with app developers that are now out of business. What happened to your/Facebook’s/their data?
Sure is easier to figure this out going forward than it is to figure out what happened between 2007 and 2015. Especially if disclosure of some of that information is blocked by the government in far-off lands. Or if the app developers don’t fancy having Facebook root through their servers and discovering their business secrets. Or if Facebook doesn’t have a contractual right to get this information.
Sure would be easier if they’d had the proper controls in place at the time.
Filed under Access, Controls, Corporation, Duty, Duty of Care, Governance, Government, Information, Internal controls, Oversight, Ownership, Privacy, Protect assets, Security, Third parties, Vendors
“Europe’s Privacy Law Fails to Stoke Demand for Cyber Insurance,” The Wall Street Journal, June 21, 2018 B10. Companies aren’t buying as much privacy insurance as people thought.
Certainly, in the wake of the GDPR rollout, the risk of a privacy law violation has increased. Apparently companies think that they have adequate controls in place, and don’t need the protection of insurance to backstop their controls. Insurance is a mitigation in case your controls aren’t totally effective.
Are these companies doing the same with other risks to other assets? Or is your private data somehow different?
Filed under Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Ownership, Privacy, Protect, Protect assets, Protect information assets, Security, Third parties
Sometimes tracking is a good thing.
“Tech to Track Errant Kegs,” The Wall Street Journal, June 21, 2018 B4. Sensors were installed to reduce a 10% shrinkage rate from theft or misplacement of beer kegs. They could also track temperature.
Do you track similar information? Is this more or less valuable than knowing what records you have and where you have them?
“Tesla Accuses Former Employee of ‘Sabotage,’” The Wall Street Journal, June 21, 2018 B3. Did a former employee hack Tesla’s manufacturing software and trade secrets and transfer information outside the company? Was this for convenience, or was it theft? Or to give to the press?
Do you have adequate controls to prevent this? Or to discover it? Who’s responsible if your controls fail?
Will the directors or senior officers be punished? Did they fail in their obligations to protect the corporation’s assets? Or is it just the shareholders who pay? And pay, and pay.
Filed under Access, Board, Compliance, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Management, Oversight, Protect, Protect assets, Protect information assets, Third parties, Value
Apple seems to be taking a different approach than Facebook or Google.
“iPhone Change To Block Police,” The Wall Street Journal, June 14, 2018 B1. Apple “fixes” the technical hole that allows the authorities to break into the iPhone of a criminal or suspected criminal.
Is Apple more or less concerned about privacy of its users than either Google or Facebook is concerned about the privacy of their customers? What about Apple’s demonstrated desire to block government access? Is that more like Google (use of Google AI in weapons systems) or like Facebook (oh, heck, we’ll let just about anyone see our users’ data)?
Is controlling access to user data Governance? Or is it a feature? Whom do you trust more?
Filed under Access, Controls, Corporation, Culture, Duty, Duty of Care, Governance, Government, Internal controls, IT, Oversight, Policy, Privacy, Protect assets, Security, Third parties