Category Archives: Supervision

Facebook again. Plus or minus 20 million.

“Facebook Details Data Breach,” The Wall Street Journal, October 13, 2018 B1.  Data exposed between July 2017 and September 2018.  But thankfully only affected 30 million users, not the 50 million users originally feared.  It only took 2 days to stop it after it was discovered.  A flaw in the computer code opened a door.

The decrease in the number of affected users was reported in a blog post.

Does this mean that a defective product was released into commerce?  So who pays how much to whom?


Filed under Compliance (General), Controls, Corporation, Duty, Governance, Information, Internal controls, IT, Oversight, Protect assets, Security, Supervision, Technology

Hiding another ball

“HSBC to Pay $765 Million in U.S. Pact,” The Wall Street Journal, October 10, 2018 B12.  Bank hid the risks of defective mortgages for at least 2 years.  Sold mortgage-backed securities in the meantime.

“Wells Fargo … [paid] $2.09 billion to settle similar claims.”  Four other banks also settled.

Why do we keep our money in banks?  Weren’t they supposed to be safe?  What does it say about the Boards of these companies?  Did the directors screw up?


Filed under Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Investor relations, Oversight, Protect assets, Supervision, To report

Self-policing?

“Report: Big Tech Needs Fixes,” The Wall Street Journal, September 25, 2018 B4.  Report from Harvard concludes that Facebook, Google, Twitter, and Apple and similar tech giants “can’t be trusted to police themselves” and should be able to continue to swallow up smaller companies to get user data.

So, who governs the ungoverned?  Themselves?  Their shareholders?  These companies have acquired, and continue to acquire and control, vast swaths of information belonging to others.

Do we care?


Filed under Duty, Governance, Government, Oversight, Supervision, Who is in charge?

Who’s the boss?

To have governance, is a single point of accountability required?

“Workers Deal With Too Many Bosses,” The Wall Street Journal, August 21, 2018 B1.  According to a recent poll, two-thirds of employees have more than one boss.  Some employees respond by trying to manage their bosses.

From a Governance perspective, if you have multiple bosses, who sets your priorities?  Who establishes the policies and procedures and instructions that you, as an employee, must follow?  How does one resolve conflicts?

And which one person in your organization bears responsibility/accountability for the overall Governance of your company’s Information?  Your company’s overall Compliance with law and with company policy and procedures?

Without such a single point of accountability/responsibility, who gets punished if things don’t go right?  If no one is held responsible/accountable at the C-suite level, do you really have a program-in-fact, as opposed to a program-on-paper?

 


Filed under Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Employees, Governance, Internal controls, Supervision, Who is in charge?

Poster boy for Information Governance

Years ago, while teaching a course to MBA students at Rice University, I used the Target credit card breach as a case study.  It touched a lot of bases.  Now we have a better one.

While there have been a lot of information governance-related stories in the news over the past two years, including Equifax and Facebook and VW and Wells Fargo, my nominee for the one name associated with the most significant teaching example in information governance and compliance is the former FBI Director, James Comey.

First, he gave us The Day That Information Governance Died, with his July 5, 2016 pronouncement that, notwithstanding her clear violations of several applicable laws dealing with the handling of confidential or secret information (and the destruction of information subject to a subpoena), Secretary Hillary Clinton’s use (and wiping) of a private server to store government email was not going to be prosecuted.  Such a pronouncement deviated “from well-established Department policies” that the FBI does not comment about ongoing criminal investigations.

Then he wrote a memo ostensibly commemorating a meeting he had with his boss on government business on a government computer (while in a government vehicle) during the work day, and declared that that was his personal correspondence that he could (and did) distribute as he pleased.

And now we learn that he conducted government business over his own private Gmail account {that information does not appear in the WSJ article – Ed.}, and actively avoided his boss’ oversight (and his bosses failed to adequately supervise him).  “Report Blasts FBI Agents, Comey Over Clinton Probe,” The Wall Street Journal, June 15, 2018 A1.  Inspector General releases his report on the Clinton Investigation.

Recap:

  • Violations of law are not enforced
  • Evidence is destroyed notwithstanding a subpoena
  • Senior employees ignore long-standing policy
  • Senior employees treat documents prepared by them in the course of business as their personal information
  • Senior employees use private email accounts to transact government business
  • Employees hide things from their bosses
  • Bosses failed to adequately supervise their reports

And this is at the FBI, by a lawyer.

Does anyone wonder why we have a hard time getting traction on information governance initiatives?  Certainly an argument for an Information Governance case study of just the Clinton email investigation and its aftermath.  Not sure you could cover it all in one semester, at both law schools and business schools.

 


Filed under Communications, Compliance, Compliance (General), Controls, Culture, Discovery, Duty, Duty of Care, Employees, Governance, Government, Information, Internal controls, Lawyers, Managers, Oversight, Ownership, Ownership, Policy, Requirements, Supervision, Who is in charge?

Risk and Developers

After Hurricane Harvey, Houston residents could be heard asking, “What building developer would decide to build houses in a flood plain?” “Why would a City Official push such a project?” “Who would buy a house there?” “How would they ever get insurance?”  Similar discussions in flood-prone areas in Florida.

“Homes Were Built Despite Documented Lava Threat,” The Wall Street Journal, May 29, 2018 A3.  Affordable homes were built in an area with a history of lava risk.

Did we have any controls in place?  How were these controls implemented?  How many of them failed?  Who is responsible/accountable?

Next thing you know, we’ll rebuild houses on the same site.  Somebody else will pay for it.

If you always do what you’ve always done, you will always get what you always got.


Filed under Communications, Controls, Corporation, Duty, Duty of Care, Governance, Government, Oversight, Supervision

Sniff test

What happens to compliance when the CEO and her boyfriend collaborate to create a culture of secrecy and fear?

“Partners in Blood,” The Wall Street Journal, May 19, 2018 C1.  Reports from the trenches at Theranos, which said it was able to run a range of tests from a few drops of blood; it couldn’t.  SEC charges company with fraud, and investors lose millions.

While the implications of a CEO’s relationship go to Governance, are there also links to Compliance and Information?  What impact did the culture have on the company’s compliance?  How do investors know about the nature of a CEO’s personal relationships leaking into the corporate environment?

Who should have seen this and reported it to someone?  Why didn’t the directors smell a rat?


Filed under Board, Compliance, Culture, Culture, Directors, Duty, Employees, Governance, Oversight, Oversight, Risk, Supervision, To report