I hesitated to discuss the Kavanaugh hearings as an information governance teaching case, due to the raw political nerves. Another case presented itself.
“A Sexual-Assault Claim Spotlights National Dilemma,” The Wall Street Journal, October 15, 2018 A1. A state employee in New Jersey promptly reported an assault to the police, and even wrote to the governor and his wife. The alleged assailant also works for the state. The matter was investigated, but the state did not prosecute the alleged assailant.
How does the victim document and prove an assault? What evidence, beyond her word, is required to secure a conviction? Immediate outcry? DNA results? Video? Is the absence of information itself information?
How does the alleged assailant establish his or her innocence? How does the state investigate and how does it decide whether to prosecute? How does the judge or the jury decide, based on what evidence? What documents and policies govern the process? How do we protect the privacy of the complainant and the defendant until a verdict is rendered (and beyond)?
I know this may seem to have wandered rather far afield from the focus of this blog. But this involves serious questions around Information, and Compliance, and Governance. If we agree the system isn’t working, how do we propose to fix it? What controls can we put in place, beyond talking to our sons and daughters? How do we establish a process that protects the rights of everyone?
“Google Hid Data Breach for Months,” The Wall Street Journal, October 9, 2018 A1. Alphabet hid or failed to disclose the breach of “hundreds of thousands of users” for six months, to avoid “regulatory scrutiny and … reputational damage.” Data accessed between 2011 and 2018.
What did the delay in notification cost customers? Did Google care? Who at Google knew, and are they still employed? Why?
Don’t be evil.
“Yahoo, Bucking Industry, Scans Emails for Data to Sell,” The Wall Street Journal, August 29, 2018 A1. Unlike its competition, Verizon scans your Yahoo and AOL emails and shares the data with advertisers trying to sell you stuff.
This blog focuses in part on Compliance with law and company policy and procedures. Does one need to comply with the practices of others in the industry, even where that is not required? Do “market forces” act as part of the Governance structure?
We already know that Yahoo feels it owns the data you exchange over their platform. But telling others what sites you’ve visited is a bit different than telling them what you may have mentioned in your email.
Appliances we use often capture data about how we use them. Who owns that data, where is it stored, and what is it used for (and by whom)?
“What Your Car Knows About You,” The Wall Street Journal, August 18, 2018 B4. Large amounts of data are being collected from on-board devices and used by car makers and others.
Will this lead to more targeted advertising? May be worth $750 billion by 2030. How much of that will the car owners get?
Sure, currently you have to opt in to this service. You will read (and understand) the terms and conditions, won’t you? And this will all be stored securely, with your privacy protected, won’t it? Not that anyone could use your location or your driving habits against you.
“Hiring Hazard: Social Media,” The Wall Street Journal, August 6, 2018 B1. What happens when you hire (or don’t hire) someone with a “history” of social media postings, some of which may now (or then, or both) be viewed as objectionable?
An editorial writer for a major newspaper is found to have written some racist comments. A director gets booted from Disney for old tweets. Major league ball players get shamed.
Do the Europeans have it right? Do you have a right to be forgotten? Or are you stuck with what you said or wrote years ago, provided that it is preserved electronically? You did say it, in preservable format.
Is this Governance (or self-governance)? Or the nature of Information? Or Compliance with ever-evolving social mores?
The value of information can be calculated in multiple ways, from multiple viewpoints.
“My Boss Makes What? (Employees Work Harder If They Know),” The Wall Street Journal, August 6, 2018 R1. Salary transparency makes people work harder.
Is what you make “private”? Should it be? Whose interests are served by keeping this information private? Who owns it, you or your employer? Does anyone have a duty to keep this private? Why would your employer want this kept quiet? To avoid Sally complaining that she works harder/better/faster/quieter than Sue, and should be paid more? Or to keep a competitor from enticing Sally away?
Ask yourself why you want to keep your salary private. Sure, you don’t want marketing agencies targeting you because you’re wealthy, but they probably can approximate your salary anyway.
“Facebook Asks Banks for Customer Data,” The Wall Street Journal, August 7, 2018 A1. “[T]o offer new services to users,” Facebook asks banks for “detailed financial information about their customers.”
I can see what’s in it for Facebook, and maybe for the banks. But isn’t this your information? Shouldn’t you have some control over what the banks do with it? Are you comfortable with the controls the banks and Facebook will place on this information? It might be convenient for you, but at what risk?
Do we remember Cambridge Analytica? Will Facebook try to do this in Europe?
To whom do you complain? Your elected representative? Your bank? The state or federal regulators?
Knowledge, or lack thereof, is often a good defense.
“Fiat Says It Didn’t Know CEO was Ill,” The Wall Street Journal, July 27, 2018 B1. Company says privacy of health care information meant they didn’t know that their CEO had been sick for a year.
Who knew or should have known? Was this insider information that would affect the value of investments?
Should the Board have known? Did the CEO have a duty to disclose? For more than a year!
Governance, Compliance, and Information. All in one. Add a dash of privacy.
Today, with surveillance cameras everywhere, it’s good to remember that everything you say may be recorded. Even by someone you trust. And those recordings turn up.
“Cohen Recorded Talk With Trump,” The Wall Street Journal, July 21, 2018 A1. Trump’s then-personal lawyer recorded a conversation with then-private-citizen Trump about a story about a Playboy model.
Several different layers of onion are involved with this tape: its creation, its collection by the FBI under a warrant, its production after a court-ordered review, its release to the press, and its impact. And who owns it, at each stage of the process? Did Trump know he was being taped? Was this privileged? Was the privilege waived? How and by whom?
I just ask the questions.
“SEC Takes Close Look At Facebook Data Lapse,” The Wall Street Journal, July 13, 2018 B1. SEC looks at whether Facebook responded appropriately after learning that user data was being used inappropriately.
Is keeping investors apprised of violations of contracts or policies part of your crisis response process? Even when it wasn’t “your” data that was breached? Would you have caught this in time to avoid an SEC inquiry?