Category Archives: Privacy

Too much sharing

“Facebook Draws U.K. Fine Over Sharing Data,” The Wall Street Journal, October 26, 2018 B4. Facebook fined half a million Pounds ($645,000) for allowing Cambridge Analytica for letting them see and use user data.  This is separate and apart from any fines the EU may impose.

Part of the problem is that Facebook didn’t do enough (i.e., anything) after it found out about Cambridge Analytica having accessed the data.

So, some points to consider:

  1. Whose information was it?
  2. Whose (and how many) rules (EU, UK, US, other) apply to (i.e., govern) a data breach?
  3. Why didn’t FB do anything after learning of the problem?  Did it not have a process for handling a vendor that accessed data inappropriately?  Doesn’t Governance require you to have such a process?  Does Compliance entail requiring your vendors to follow a process, and penalizing them when they don’t?
  4. The fine here won’t go to the UK residents whose privacy was invaded.  Is this a fine or a tax?  It certainly isn’t damages.



Leave a comment

Filed under Access, Compliance, Compliance (General), Controls, Corporation, Duty, Duty of Care, Governance, Internal controls, IT, Oversight, Privacy, Protect assets, Security, Third parties, Vendors


“Apple CEO Urges Action on Data Misuse,” The Wall Street Journal, October 25, 2018 B1.  Tim Cook wants GDPR-style privacy protections in the US.  Claims “[o]ur own information … is being weaponized against us with military efficiency.”

He went on to suggest that the data collection practices of some online advertising companies are the equivalent of government surveillance.

How do we wrest control of our information back again?  Or is privacy dead?  And do we believe that our federal legislature is competent to develop the necessary (and effective) legal controls and protections that true Governance requires?

Leave a comment

Filed under Access, Accuracy, Analytics, Controls, Corporation, Duty, Duty of Care, Governance, Government, Information, Oversight, Ownership, Ownership, Policy, Privacy, Technology, Third parties, Value

Hackers look to make money

That’s a catchy headline.

“Facebook Thinks Hack Was Set by Spammers,” The Wall Street Journal, October 18, 2018 B1. FB says recent breach of ~30 million accounts was by spammers wanting to make profits, and not by nation states with evil motives.  FB will likely never find who took the information.

This raises a whole host of issues about information ownership and the duty of companies who handle and store your data.   And IT security, or insecurity.  Which is your favorite?  I personally favor what this says about the culture at FB; with these issues, the FB communication to the market and its shareholders and its customers speaks volumes about how FB views the risks of its business.  So now a denial is Information, by definition.

Leave a comment

Filed under Access, Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Definition, Directors, Duty, Duty of Care, Employees, Governance, Information, Interconnections, Internal controls, Investor relations, IT, Oversight, Ownership, Privacy, Protect assets, Security, Technology, Third parties, Who is in charge?

Sexual assault

I hesitated to discuss the Kavanaugh hearings as an information governance teaching case, due to the raw political nerves.  Another case presented itself.

“A Sexual-Assault Claim Spotlights National Dilemma,” The Wall Street Journal, October 15, 2018 A1.  A state employee in New Jersey promptly reported an assault to the police, and even wrote to the governor and his wife.  The alleged assailant also works for the state.  The matter was investigated, but the state did not prosecute the alleged assailant.

How does the victim document and prove an assault?  What evidence, beyond her word, is required to secure a conviction?  Immediate outcry?  DNA results?  Video?  Is the absence of information itself information?

How does the alleged assailant establish his or her innocence?  How does the state investigate and how does it decide whether to prosecute?  How does the judge or the jury decide, based on what evidence?  What documents and policies govern the process?  How do we protect the privacy of the complainant and the defendant until a verdict is rendered (and beyond)?

I know this may seem to have wandered rather far afield from the focus of this blog.  But this involves serious questions around Information, and Compliance, and Governance.  If we agree the system isn’t working, how do we propose to fix it?  What controls can we put in place, beyond talking to our sons and daughters?  How do we establish a process that protects the rights of everyone?


Leave a comment

Filed under Compliance (General), Controls, Definition, Duty, Governance, Information, Internal controls, Privacy, Third parties

Hiding the ball

“Google Hid Data Breach for Months,” The Wall Street Journal, October 9, 2018 A1.  Alphabet hid or failed to disclose the breach of “hundreds of thousands of users” for six months, to avoid “regulatory scrutiny and … reputational damage.”  Data accessed between 2011 and 2018.

What did the delay in notification cost customers? Did Google care?  Who at Google knew, and are they still employed?  Why?

Don’t be evil.

Leave a comment

Filed under Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Duty, Duty of Care, Governance, Information, Internal controls, IT, Privacy, Security, To report


“Yahoo, Bucking Industry, Scans Emails for Data to Sell,” The Wall Street Journal, August 29, 2018 A1.  Unlike its competition, Verizon scans your Yahoo and AOL emails and shares the data with advertisers trying to sell you stuff.

This blog focuses in part on Compliance with law and company policy and procedures.  Does one need to comply with the practices of others in the industry, even where that is not required?  Do “market forces” act as part of the Governance structure?

We already know that Yahoo feels it owns the data you exchange over their platform.  But telling others what sites you’ve visited is a bit different than telling them what you may have been mentioned in your email.

Leave a comment

Filed under Access, Compliance, Compliance (General), Controls, Governance, Information, Ownership, Ownership, Privacy


Appliances we use often capture data about how we use them.  Who owns that data, where is it stored, and what is it used for (and by whom)?

“What Your Car Knows About You,” The Wall Street Journal, August 18, 2018 B4. Large of amounts of data being collected from on-board devices, and used by car makers and others.

Will this lead to more targeted advertising?  May be worth $750 billion by 2030.  How much of that will the car owners get?

Sure, currently you have to opt in to this service.  You will read (and understand) the terms and conditions, won’t you?  And this will all be stored securely, with your privacy protected, won’t it?  Not that anyone could use your location or your driving habits against you.

Leave a comment

Filed under Access, Accuracy, Analytics, Controls, Information, Ownership, Privacy, Security, Technology, Value