Starting out the New Year with a story highlighting the three major aspects of this blog: the intersections between Governance, Compliance, and Information.
“Equifax Is Back in Washington’s Crosshairs,” The Wall Street Journal, January 2, 2019. Congress planning new legislation for credit-reporting companies after the Equifax hack affecting nearly 150 million people.
Governance and Compliance are linked here, as the government is planning new laws/regulations to control how companies manage “their” information about you. But also has aspects of Information, as the information at issue is information about you over which you have little control.
Will the government do a substantially better job than the existing legal remedies? Will improvement be possible without addressing the underlying lack of effective privacy protections?
Continuing from https://infogovnuggets.com/2019/01/04/catching-up-again/ and https://infogovnuggets.com/2019/01/04/catching-up-again-part-2/, and https://infogovnuggets.com/2019/01/04/catching-up-part-3/
- Conflicts with conflicts
“Justice Department Chides McKinsey in Another Bankruptcy Case,” The Wall Street Journal, December 17, 2018. McKinsey continues to fail to make what are viewed as adequate disclosures of conflicts when advising bankruptcy estates, and may not get paid for its work as a result.
- Voter data
“Fight Over Voter Data Roils Democrats Ahead of Election,” The Wall Street Journal, December 17, 2018. Have Republicans been better than the Democrats at collecting and storing information? What’s this worth?
- Your business partner wants you to call a shareholders’ meeting
“Renault Urges Nissan to Call for Shareholder Meeting Following Nissan Indictment,” The Wall Street Journal, December 17, 2018. Is this interfering with “your” governance? Is this a compliance matter, or a partnership matter, where your partner is concerned that you are keeping your CEO as CEO while he sits in jail?
- Is a dance move “information”?
“The ‘Fortnite’ Dance Move That Spawned a Lawsuit,” The Wall Street Journal, December 17, 2018. While longer dance routine can be protected by copyright law (which was a bit surprising to me), not so (so far) for “snippets.”
- Hiding risk information may be a problem
“Glencore-Controlled Miner to Be Fined by Canadian Authorities Over Congo Ops,” The Wall Street Journal, December 17, 2018. Fine of $22 million for company and some of its former directors and executives for hiding the risks of doing business with someone connected to Congolese president. Is a risk analysis information? Can you hide that from the shareholders?
- Warning signs
“Goldman Sachs Ignored 1MDB Warning Signs in Pursuit of Asian Business,.” The Wall Street Journal, December 18, 2018. Can chasing business too hard lead one to ignore important information and sidestep important controls? What controls can you put in place to avoid having this happen to you? Is this an oversight issue? Do criminal charges and huge fines lay ahead?
- VW vendor pleads
“Volkswagen Supplier to Plead Guilty to Conspiracy, Pay $35 Million Fine in Emissions-Cheating Probe,” The Wall Street Journal, December 19, 2018. Company that designed the software used to fool or, as some say, cheat, the emission test pleads guilty to crime and pays a fine to US. VW has paid more than $20 billion. Is this just compliance-related, or is there also an information hook here? Design a software to work around a government test.
- Looking for a whistleblower
“Barclays Fined $15 Million by New York Over CEO’s Anti-Whistleblower Push,” The Wall Street Journal, December 19, 2018. The CEO had tried to use the company’s security department to locate the writer of a letter critical of a recent hire. He pressecd on, despite advice from the head lawyer and the chief compliance officer (costing him £642,000 in fines and £500,000 of his bonus). So the shareholders pay more than the CEO did. Go figure.
- Hiding the names of the guilty
“Illinois Dioceses Withheld Names of Accused Priests, Report Says,” The Wall Street Journal, December 20, 2018. Can you legally not disclose the name of an employee or a contractor who was accused of sexual abuse? Is this a governance issue or a compliance issue or an information issue? Or a reputation problem?
Ethics and policies
“Is It Really Five Stars? How to Spot Fake Amazon Reviews,” The Wall Street Journal, December 21, 2018. How Amazon goes about trying to separate the wheat from the chaff. How does your company determine what’s a fake review and what’s the real deal?
- Information/price linkage
“Room for Improvement? New Hotelier Tests an Algorithmic Pricing System,” The Wall Street Journal, December 22, 2018. Using information about a customer and from a customer to establish the price for future sales to that customer. Interesting linkages at a new hotel chain.
Filed under Collect, Communications, Compliance, Compliance (General), Controls, Corporation, Definition, Directors, Duty, Duty of Care, Employees, Governance, Information, Investor relations, Management, Oversight, Ownership, Privacy, Records Management, Risk assessment, Supervision, Third parties, To report, Use, Value, Vendors
Continuing from https://infogovnuggets.com/2019/01/04/catching-up-again/
- Pot calling the kettle black
“Comey Tells House Panel He Suspected Giuliani Was Leaking FBI Information to Media,” The Wall Street Journal, December 10, 2018. Former FBI Director Comey, who admitted to leaking information to a reporter through a law school professor, complains that someone else did it, too.
- Yes, we have no privacy
“Thieves Can Now Nab Your Data in a Few Minutes for a Few Bucks,” The Wall Street Journal, December 10, 2018. Following the series of major hacks of privacy data (e.g., Marriott, LinkedIn, Equifax, and Yahoo), “Every American person should assume all of their data is out there,” said one FBI agent. Comforting.
- Duty to report
“New Report Shows Olympics Executives Concealed Knowledge of Nassar Allegations,” The Wall Street Journal, December 11, 2018. Executives knew information about sexual abuse allegations, and failed to report. To whom did they breach a duty?
- Interesting intersection of the right to petition the government and your right to privacy
“U.S. Investigating Fake Comments on ‘Net Neutrality,’” The Wall Street Journal, December 11, 2018. “Earlier this year, the FCC said it would upgrade its website to try to prevent fakery. … Several federal agencies warn that it is a felony to send falsified comments to the federal government when posting on websites soliciting opinions on federal rulemaking.” What if the comments were anonymous?
- Lying or overspending on your expense account can get you canned
“Under Armour Ousts Two Executives After Review of Expenses,” The Wall Street Journal, December 11, 2018. Complying with company policy and procedures is sort of kind of like a job requirement. Even if you signed Jordan Spieth. But how were they to know how much was too much?
- Weakest link?
“Amazon, Amid Crackdown on Seller Scams, Fires Employees Over Data Leak,” The Wall Street Journal, December 11, 2018. Employees bribed for access to inside information. What’s your information worth to you? To the briber? To the (former) employee? Do you have a policy against taking bribes?
- Collateral impact
“Nissan-Renault Scandal Shows It’s Hard to Keep Car Alliances On Track,” The Wall Street Journal, December 12, 2018. A scandal at your business partner can affect your company’s relationships. Is that Governance?
- How do you deal with rumors? Are they “information,” too?
“Super Micro Finds No Malicious Hardware in Motherboards,” The Wall Street Journal, December 12, 2018. This contradicts a prior report from Bloomberg. How do you govern other sources of information? Is using a trusted third party to investigate just standard crisis management planning?
- Should Compliance be more congenial?
“Banks Get Kinder, Gentler Treatment Under Trump,” The Wall Street Journal, December 13, 2018. Regulators are urged to be more collegial with the banks they regulate. Is that better “Governance,” in the short term or in the long term?
- What does it say?
“Renault Sticks With Carlos Ghosn as Internal Probe Finds No Illegality,” The Wall Street Journal, December 13, 2018. What does it say to the rank-and-file when the Chairman gets arrested? And when he’s thereafter kept in place? The Board may have some explaining to do.
- What can your employer do with your information?
“U.S. Companies Asked to Disclose More About Their Workers,” The Wall Street Journal, December 14, 2018. Pension funds ask employers to disclose more information than the SEC currently requires. Whose decision is that? When and how can you object?
- Watch your contractors
“Chinese Hackers Breach U.S. Navy Contractors,” The Wall Street Journal, December 15, 2018. What’s this information worth, both to the US and to China? How much do you look at the security at your vendors who process or create information for you? Are they a weaker link than your employees? (See item 6, above.)
- Information and Governance and Compliance
“PG&E Falsified Gas Safety Records, California Claims,” The Wall Street Journal, December 15, 2018. From the explosion in San Bruno in 2010 (after which PG&E couldn’t find a bunch of inspection records relating to hundreds of miles of its pipelines) to more recent claims about fudging the records on pipeline locations, PG&E has had this problem for awhile. For now, these are just allegations. But what impact on every claim made against the company, and every claim made by it? If they falsify safety records, do they falsify bills, too? “The [state regulator] last month expanded a continuing probe of PG&E’s safety practices and said it would explore the way the company is structured and managed.” There seems to be a link between record-keeping and management and compliance and culture.
- Facebook, again
“Facebook Bug Potentially Exposed Unshared Photos of Up 6.8 Million Users,” The Wall Street Journal, December 15, 2018. One almost gets the idea that protecting your privacy is not a high priority for them.
Filed under Board, Collect, Communicate, Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Data quality, Directors, Duty, Employees, Governance, Information, Internal controls, Investor relations, IT, Management, Oversight, Oversight, Ownership, Privacy, Protect, Protect assets, Records Management, Security, Supervision, Technology, Third parties, To report, Use, Value, Vendors
I was otherwise engaged in December, what with the holidays and travel and our first grandchild, born in Hong Kong, and haven’t been posting. Here’s the month in review, in chronological order, in multiple parts:
- How to monetize your information
“Paywall for HuffPost? Verizon Hunt for Web Revenue Goes Beyond Ads,” The Wall Street Journal, December 3, 2018. Do you let people see content (plus ads) for “free,” or do you charge for access? Which one places the “correct” value on the information you are providing? What if you did both?
- Who’s in charge?
“Disney Raises the Bar Robert Iger Has to Clear to Win Bonus,” The Wall Street Journal, December 4, 2018. Shareholders push back on bonus compensation plan, demonstrating an unusual level of control (i.e., Governance) over their investment. See also, “Shell to Link Carbon Emissions Targets to Executive Pay,” The Wall Street Journal, December 4, 2018.
- How much is your view worth?
“Who’s Reading That News Story? Startup Will Help Marketers Find Out,” The Wall Street Journal, December 4, 2018. Linking the desire of publishers and advertisers to monitor what news stories you look at and for how long, a start-up fills the gap. The answer to the question,”Whose data is that?” is taking on multiple dimensions.
- It takes a village to prevent someone from getting top-secret information
“China Maneuvers to Snag Top-Secret Boeing Satellite Technology,” The Wall Street Journal, December 5, 2018. Boeing seemed unconcerned when a customer for one of its satellites told Boeing that the customer was being financed by Chinese interests, to whom sale of the top-secret technology involved was restricted. But after an alleged payment default, Boeing cancels order. “Boeing Backs Out of Global IP Satellite Order Financed by China, The Wall Street Journal, December 7, 2018. Did the press coverage have an impact?
- Law firms leak, too
“U.S. Prosecutors Charge Four People in Panama Papers Probe,” The Wall Street Journal, December 5, 2018. Action follow leak of law firm documents showing how wealthy people hid money from tax.
- Who owns (or controls) the Cloud?
“China’s Alibaba Takes On Amazon in European Cloud,” The Wall Street Journal, December 5, 2018. Chinese Cloud company challenges Amazon for control of the Cloud in Europe. Which (the US or China) will better protect the privacy of the users?
- Does your information governance program cover the content of the training provided to your customers?
“Boeing Omitted Safety-System Details, Minimized Training for Crashed Lion Air 737 Model,” The Wall Street Journal, December 6, 2018. Questions arise after 189 people killed in a crash and the crews hadn’t been trained on the new flight-control system.
- Facebook tried to monetize “your” data? Gadzooks!
“Facebook’s Zuckerberg at Center of Emails Released by U.K. Parliament,” The Wall Street Journal, December 6, 2018. Newly released emails show that Facebook apparently considered charging app developers for accessing “your” data held by Facebook, and suggest Facebook discounted the chance of developers sharing that data with others.
- Not “just-in-time” discipline
“Wells Fargo Firing Dozens of Regional Managers in Retail-Bank Cleanup,” The Wall Street Journal, December 6, 2018. More than two years after the account-cramming scandal, Wells Fargo starts to fire some regional managers for failure of oversight responsibilities. Sort of like punishing your full-grown dog for an accident she had as a puppy. And what about the executives who were overseeing those fired managers?
- Biometrics is/are information, too
“Microsoft Pushes Urgency of Regulating Facial-Recognition Technology,” The Wall Street Journal, December 7, 2018. Lack of worldwide restrictions on surveillance without a warrant leads Microsoft to urge restrictions on the technology. Is privacy when in public a basic human right?
- It’s not the crime, it’s the coverup?
“U.S. Alleges Huawei CFO Hid Ties to Telecom With Iran Business,” The Wall Street Journal, December 8, 2018. Did the CFO lie to hide from banks connections Huawei had with company that did business with Iran? What is the impact to the current state of trade relations with China?
Filed under Accuracy, Board, Compliance, Compliance, Compliance (General), Compliance Verification, Controls, Corporation, Definition, Directors, Duty, Governance, Information, Internal controls, Managers, Oversight, Oversight, Ownership, Privacy, Protect assets, Protect information assets, Technology, Third parties, To report, Value, Vendors, Who is in charge?
It seems that several (most of?) the large privacy breaches have something in common: something smaller happened earlier that people didn’t pay enough attention to.
“Marriott’s Starwood Missed Chance to Detect Huge Data Breach Years Earlier, Cybersecurity Specialists Say,” The Wall Street Journal, December 2, 2018 (online). There was a prior breach in 2015 that, some say, could have been investigated more thoroughly.
Might this happen in your business? Say there’s a relatively minor breach, affecting a single client’s information. Or a minor compliance issue. You discover it and take action. But does the breach itself indicate weaknesses in your system of controls that may have broader implications? Do you change your training or other controls to reflect this experience, or the experience of others in your industry?
This brings to mind a common finding in accident investigations. Something small happened that could/should have put you on notice. But it was ignored or downplayed.
How does your organization deal with near-hits in the compliance or information governance space? Is this part of oversight? Or a part of effective knowledge management?
Filed under Analytics, Collect, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, IT, Knowledge Management, Management, Oversight, Privacy, Protect assets, Security, Third parties, Use
I was gobsmacked by the prior piece that described Amazon taking money to place sponsored ads on someone else’s baby gift registry. But Amazon doesn’t stop there.
“Amazon Makes Inroads Selling Medical Supplies to the Sick,” The Wall Street Journal, November 30, 2018 (online). Doctors are putting lists of products to buy in your medical records, with a link to where you can buy them on Amazon.
What could go wrong? No behavior going on here to create or extend a monopoly; drive on by.
Who owns your medical record? Who owns the relationship with your doctor? Who gets any money from leveraging your doctor’s recommendations? Who has a moral compass, or an ethics and compliance policy?
In the macro sense, one of the bits of information that we own, manage, and hopefully control is who we are. How does the government control and manage this?
“Banks Find Solutions for ID Fraud at DMV,” The Wall Street Journal, November 13, 2018 B10. Banks may use DMV databases to verify your online identity, because how you have to establish your identity to get a driver’s license normally involves you appearing in person and providing supporting documents.
Key to the process at the DMV is the trained person who checks your supporting documents. The banks want to leverage that person’s knowledge and experience, rather than relying on a bank manager to do it.
Where else in our lives do we rely on government employees rather than ourselves as a critical control?
Filed under Access, Accuracy, Controls, Data quality, Definition, Duty of Care, Governance, Information, Internal controls, Knowledge Management, Operations, Oversight, Privacy, Protect assets, Third parties, Use
“Facebook Draws U.K. Fine Over Sharing Data,” The Wall Street Journal, October 26, 2018 B4. Facebook fined half a million Pounds ($645,000) for allowing Cambridge Analytica for letting them see and use user data. This is separate and apart from any fines the EU may impose.
Part of the problem is that Facebook didn’t do enough (i.e., anything) after it found out about Cambridge Analytica having accessed the data.
So, some points to consider:
- Whose information was it?
- Whose (and how many) rules (EU, UK, US, other) apply to (i.e., govern) a data breach?
- Why didn’t FB do anything after learning of the problem? Did it not have a process for handling a vendor that accessed data inappropriately? Doesn’t Governance require you to have such a process? Does Compliance entail requiring your vendors to follow a process, and penalizing them when they don’t?
- The fine here won’t go to the UK residents whose privacy was invaded. Is this a fine or a tax? It certainly isn’t damages.
Filed under Access, Compliance, Compliance (General), Controls, Corporation, Duty, Duty of Care, Governance, Internal controls, IT, Oversight, Privacy, Protect assets, Security, Third parties, Vendors
“Apple CEO Urges Action on Data Misuse,” The Wall Street Journal, October 25, 2018 B1. Tim Cook wants GDPR-style privacy protections in the US. Claims “[o]ur own information … is being weaponized against us with military efficiency.”
He went on to suggest that the data collection practices of some online advertising companies are the equivalent of government surveillance.
How do we wrest control of our information back again? Or is privacy dead? And do we believe that our federal legislature is competent to develop the necessary (and effective) legal controls and protections that true Governance requires?
Filed under Access, Accuracy, Analytics, Controls, Corporation, Duty, Duty of Care, Governance, Government, Information, Oversight, Ownership, Ownership, Policy, Privacy, Technology, Third parties, Value
That’s a catchy headline.
“Facebook Thinks Hack Was Set by Spammers,” The Wall Street Journal, October 18, 2018 B1. FB says recent breach of ~30 million accounts was by spammers wanting to make profits, and not by nation states with evil motives. FB will likely never find who took the information.
This raises a whole host of issues about information ownership and the duty of companies who handle and store your data. And IT security, or insecurity. Which is your favorite? I personally favor what this says about the culture at FB; with these issues, the FB communication to the market and its shareholders and its customers speaks volumes about how FB views the risks of its business. So now a denial is Information, by definition.
Filed under Access, Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Definition, Directors, Duty, Duty of Care, Employees, Governance, Information, Interconnections, Internal controls, Investor relations, IT, Oversight, Ownership, Privacy, Protect assets, Security, Technology, Third parties, Who is in charge?