Category Archives: Who is in charge?

Gee, what could go wrong?

“Facebook Asks Banks for Customer Data,” The Wall Street Journal, August 7, 2018 A1. “[T]o offer new services to users,” Facebook asks banks for “detailed financial information about their customers.”

I can see what’s in it for Facebook, and maybe for the banks.  But isn’t this your information?  Shouldn’t you have some control over what the banks do with it?  Are you comfortable with the controls the banks and Facebook will place on this information?  It might be convenient for you, but at what risk?

Do we remember Cambridge Analytica?  Will Facebook try to do this in Europe?

To whom do you complain?  Your elected representative?  Your bank?  The state or federal regulators?


Filed under Access, Controls, Corporation, Duty, Duty of Care, Governance, Information, Internal controls, Investor relations, IT, Oversight, Ownership, Privacy, Protect assets, Security, Third parties, Uncategorized, Who is in charge?

It’s not just VW

Often, a corporation’s violation of law doesn’t result in a conviction of the senior officers or directors.  Sometimes it does, and when it does, that’s a powerful compliance message.

“Audi CEO Is Arrested In Emissions Scandal,” The Wall Street Journal, June 19, 2018 A1. Executive jailed in Germany to prevent obstruction of ongoing investigation into emissions testing scandal at VW.

This goes to Governance, Compliance, and Information.


Filed under Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Oversight, To report, Who is in charge?

Poster boy for Information Governance

Years ago, while teaching a course to MBA students at Rice University, I used the Target credit card breach as a case study.  It touched a lot of bases.  Now we have a better one.

While there have been a lot of information governance-related stories in the news over the past two years, including Equifax and Facebook and VW and Wells Fargo, my nominee for the one name associated with the most significant teaching example in information governance and compliance is the former FBI Director, James Comey.

First, he gave us The Day That Information Governance Died, with his July 5, 2016 pronouncement that, notwithstanding her clear violations of several applicable laws dealing with the handling of confidential or secret information (and the destruction of information subject to a subpoena), Secretary Hillary Clinton’s use (and wiping) of a private server to store government email was not going to be prosecuted.  Such a pronouncement deviated “‘from well-established Department policies'” that the FBI does not comment about ongoing criminal investigations.

Then he wrote a memo ostensibly commemorating a meeting he had with his boss on government business on a government computer (while in a government vehicle) during the work day, and declared that that was his personal correspondence that he could (and did) distribute as he pleased.

And now we learn that he conducted government business over his own private Gmail account {that information does not appear in the WSJ article – Ed.}, and actively avoided his boss’s oversight (and his bosses failed to adequately supervise him).  “Report Blasts FBI Agents, Comey Over Clinton Probe,” The Wall Street Journal, June 15, 2018 A1. Inspector General releases his report on the Clinton Investigation.

Recap:

  • Violations of law are not enforced
  • Evidence is destroyed notwithstanding a subpoena
  • Senior employees ignore long-standing policy
  • Senior employees treat documents prepared by them in the course of business as their personal information
  • Senior employees use private email accounts to transact government business
  • Employees hide things from their bosses
  • Bosses failed to adequately supervise their reports

And this is at the FBI, by a lawyer.

Does anyone wonder why we have a hard time getting traction on information governance initiatives?  Certainly an argument for an Information Governance case study of just the Clinton email investigation and its aftermath.  Not sure you could cover it all in one semester, at both law schools and business schools.

 


Filed under Communications, Compliance, Compliance (General), Controls, Culture, Discovery, Duty, Duty of Care, Employees, Governance, Government, Information, Internal controls, Lawyers, Managers, Oversight, Ownership, Policy, Requirements, Supervision, Who is in charge?

Compelled speech

“HHS Probes Rules on Giving Abortion Information,” The Wall Street Journal, June 1, 2018 A4.  HHS Office for Civil Rights investigates state requirements that crisis pregnancy centers must advise women about abortion services.

Leave the political/moral issues aside, and look at this from an information governance perspective.  Who mandates what information you must provide to your customers?  And are they (the mandaters) allowed to require that?

What are the limits on the government’s ability to require you to provide information to third parties? Is the U.S. Constitution a law or a policy?  Or is it Governance?


Filed under Communications, Compliance, Compliance (General), Controls, Corporation, Duty, Governance, Government, Internal controls, Third parties, Who is in charge?

Bait and switch?

You make some promises, or strong indications, to a star performer that he or she is so above average that next year he or she will get ___ a year early.  [Fill in the blank]

How do you handle a change in direction?

“Goldman’s Rising Stars Told to Hold,” The Wall Street Journal, May 26, 2018 B9.  Two years ago, a group of high-potential employees were told they were on the fast track and would get promoted before the rest of their class.  Now they are told there is no fast track this year.

How do you handle it when you have to tell your star performer that she/he’s not going to get what you told them they were going to get?  Have you just put your crown jewels into play?  How do you rebuild trust and confidence in your best and brightest?

Is this Information or Governance or just bad management?  Does it matter whether you told them in writing or not?  Is that a risk that was considered?

 


Filed under Definition, Duty of Care, Governance, Information, Protect assets, Risk, Who is in charge?

Private speech v. public speech

Can your employer restrict what political statements you make in the course of your employment, when you’re getting paid to wear your company shirt on television?

Maybe.

“NFL Adopts New Anthem Policy,” The Wall Street Journal, May 24, A14. Teams (but not players) can be fined if NFL players on the field do not stand for the National Anthem.

Governance

  • Who has the power to make what rules governing whom, and how violations of those rules will be enforced?
  • The League has the power to govern teams, but not players?  (See reference to collective bargaining agreement below.)
  • Will this redirect any fan displeasure away from the NFL and onto the individual teams or players?

Information

  • Is an employee’s political speech information?
  • If information is received, created, or distributed by a company’s employees during the workday in the workplace, is that information company information?
  • If it’s company information, can’t the company limit that distribution?

Compliance

  • Does enforcing rules against the teams and not the players work?
  • Does this comply with the collective bargaining agreement?  Is that why the policy doesn’t apply to the actual players, and just the teams?

 


Filed under Compliance, Compliance (General), Controls, Corporation, Definition, Duty, Employees, Governance, Information, Internal controls, Oversight, Policy, Risk assessment, Third parties, Who is in charge?

When does one use or disclose information?

Often, one has information but doesn’t act immediately, or require others to act on it immediately.  But there have been several instances of the government sitting on information that later turns out to have been really important.  Is this just not recognizing the risk?  Would they have done anything differently?

“FAA Was Slow to Act On Engine Warning,” The Wall Street Journal, May 21, 2018 B1.  FAA (and the airline industry) knew of the potential for engine blades to crack for 2 years.  The manufacturer increased inspections. Then one blade cracked, destroying an engine and killing a passenger on the Southwest Airlines flight in April.

This seems to link Governance (Who was responsible for deciding that the risk was adequately managed?) and Information (Did everyone have the same level of information?).  Is there also a Compliance vector?  The airlines were complying with government directions.

And how much does the flying public rely on the government to take care of such things?


Filed under Governance, Protect assets, Reliance, Risk assessment, Who is in charge?

Which is the tail and which is the dog?

“CBS Board Defies Shari Redstone,” The Wall Street Journal, May 18, 2018 B1.  Board tries to reduce the control exercised by an 80% shareholder.

This is going to be fun to watch (if you’re not one of the other shareholders).  Interesting question on what the controlling shareholder (and the Board) can and cannot do.

Here’s a subsequent post from another source, if you want background.  Caution – heavily legal.


Filed under Board, Controls, Corporation, Directors, Duty, Governance, Internal controls, Investor relations, Oversight, Shareholders, Who is in charge?

Tell me it ain’t so, Joe!

“EU Presses Tech Firms on Search Results, Fake News,” The Wall Street Journal, April 27, 2018 B5.  The EU looks into how Google and Facebook control what EU residents see, requiring more transparency as to how they filter what we see.

Wonder if the US Congress will follow suit, or develop its own solution.

From a Governance perspective, how can a government control this?  Are Google and Facebook something other than private businesses?  Utilities?  Media?  What rules apply and who makes (and enforces) them?  Maybe you can require all information to be searchable, but then how do you limit and group the number of responses?

From a Compliance perspective, how will Google and Facebook be able to comply with different controls imposed by different governments, some of which don’t have the same press protections as the US has (assuming Google and Facebook are “the press”)?  Do we need a squad of fact-checkers?  And who would govern them?  Oops.  There’s a link to Governance.

From an Information perspective, we’re all drowning from the fire hose of information overload.  We want and need filters.  But we need trustworthy and reputable filters, don’t we?  And a space without filters?

Yes, I know.  Questions, not answers.


Filed under Access, Accuracy, Analytics, Compliance (General), Controls, Culture, Data quality, Duty, Governance, Government, Information, Oversight, Policy, Technology, Third parties, Who is in charge?

Can you censor?

“China Censors Spark Uproar In Quashing Student Activist,” The Wall Street Journal, April 25, 2018 A7.  Students make a request for open records from Peking University about 20-year-old rape allegations. The government rejects it. And then slams a student who circulated a letter telling her story through social media.  And that story circulates.

It sure is hard to put the genie back in the bottle after information gets to the Internet.  Are your controls adequate?  How do you enforce them?  Even if you have a command and control culture?


Filed under Access, Compliance, Controls, Duty, Governance, Government, Interconnections, Internal controls, IT, Oversight, Third parties, Who is in charge?