Category Archives: Information

Poster boy for Information Governance

Years ago, while teaching a course to MBA students at Rice University, I used the Target credit card breach as a case study.  It touched a lot of bases.  Now we have a better one.

While there have been a lot of information governance-related stories in the news over the past two years, including Equifax and Facebook and VW and Wells Fargo, my nominee for the one name associated with the most significant teaching example in information governance and compliance is the former FBI Director, James Comey.

First, he gave us The Day That Information Governance Died, with his July 5, 2016 pronouncement that, notwithstanding her clear violations of several applicable legal laws dealing with the handling of confidential or secret information (and the destruction of information subject to a subpoena), Secretary Hillary Clinton’s use (and wiping) of a private server to store government email was not going to be prosecuted.  Such a pronouncement deviated “‘from well-established Department policies'” that the FBI does not comment about  ongoing criminal investigations.

Then he wrote a memo ostensibly commemorating a meeting he had with his boss on government business on a government computer (while in a government vehicle) during the work day, and declared that that was his personal correspondence that he could (and did) distribute as he pleased.

And now we learn that he conducted government business over his own private gmail account {that information does not appear in the WSJ article – Ed.}, and actively avoid his boss’ oversight (and his bosses failed to adequately supervise him).  “Report Blasts FBI Agents, Comey Over Clinton Probe,” The Wall Street Journal, June 15, 2018 A1. Inspector General releases his report on the Clinton Investigation.


  • Violations of law are not enforced
  • Evidence is destroyed notwithstanding a subpoena
  • Senior employees ignore long-standing policy
  • Senior employees treat documents prepared by them in the course of business as their personal information
  • Senior employees use private email accounts to transact government business
  • Employees hide things from their bosses
  • Bosses failed to adequately supervise their reports

And this is at the FBI, by a lawyer.

Does anyone wonder why we have a hard time getting traction on information governance initiatives?  Certainly an argument for an Information Governance case study of just the Clinton email investigation and its aftermath.  Not sure you could cover it all in one semester, at both law schools and business schools.



Leave a comment

Filed under Communications, Compliance, Compliance (General), Controls, Culture, Discovery, Duty, Duty of Care, Employees, Governance, Government, Information, Internal controls, Lawyers, Managers, Oversight, Ownership, Ownership, Policy, Requirements, Supervision, Who is in charge?

What’s your word worth?

Gosh, it happened again!

“Facebook Gave Out User Data Despite Pledge,” The Wall Street Journal, June 9, 2018 A1. Notwithstanding a commitment not to do so, Facebook continued to give some companies access to user information.

How many times can you lie before people call you a liar?  Or take judicial notice?  What is the culture at Facebook?  Who’s responsible?  Accountable?

Leave a comment

Filed under Access, Board, Compliance, Compliance (General), Controls, Corporation, Culture, Culture, Duty, Duty of Care, Governance, Information, Internal controls, Oversight, Ownership, Privacy, Protect assets

What business are you in?

“Google Bans AI in Weapons,” The Wall Street Journal, June 8, 2018 B4. Google prohibits the use of certain of its artificial information technology in weapons systems.

Do you restrict how others can use your information?  How do you enforce that?  I thought Google was in the information business.

Leave a comment

Filed under Access, Controls, Duty, Governance, Information, Internal controls, Ownership, Policy, Third parties, Vendors

Crying “Wolf”?

“Facebook Exposed Postings, The Wall Street Journal, June 8, 2018 B1.  Posts for 14 million Facebook users made public for 10 days, regardless of their default preferences.  Software bug blamed.

Whose information is it and what rules apply?  What happens when you introduce a defective product into commerce?

Leave a comment

Filed under Access, Controls, Corporation, Culture, Duty, Duty of Care, Governance, Internal controls, IT, Oversight, Ownership, Privacy, Protect assets, Security, Third parties

Old dogs, new tricks

“Old Spy Plane Tries to Learn New Tricks,” The Wall Street Journal, June 8, 2018 A3. Using new data analytical techniques to harvest more information from U2 spy photos taken from 70,000 feet, freeing up human viewers for other duties.

What old information do you have that you could process differently with newly available technology?  What value could you harvest?


Leave a comment

Filed under Analytics, Collect, Data quality, Information, Management, Operations, Technology, Use, Value

Tracking who sees what

“Goldman Employee Is Arrested,” The Wall Street Journal, June 1, 2018 B8. A banker now on leave from his job at Goldman Sachs charged with insider trading.  He allegedly accessed information about upcoming mergers and acquisitions and then traded stocks.

‘The bank’s internal records show he accessed information about the deals when he placed his trades….”

Your company no doubt tracks who accesses what information on your computer systems, right?  And connects the dots when you buy stock later?

Leave a comment

Filed under Access, Compliance, Compliance (General), Controls, Corporation, Duty, Employees, Governance, Information, Interconnections, Internal controls, IT, Oversight

Down under

Banks normally monitor (i.e., manage) money transfers (i.e., information), in part to make sure that nefarious people are not transferring money to other nefarious people.  Apparently, they needed to monitor (i.e., manage) who their customers are (i.e., information).

“Australia’s Biggest Bank Faces Record Fine,” The Wall Street Journal, June 5, 2018 B10. Fine of $530 million proposed for bank who failed to catch transfers of money in and out of an account owned by someone who left the country (Australia) in 1999 (and who “had also been charged in Lebanon in 2004 with belonging to a terrorist organization…”).

So, does “information” include who your customers are and whether they are charged as terrorists in another country?  How do you monitor that?  Just ask your customers to notify you if they are charged with terrorism?  Have them sign a form annually stating that they haven’t been charged as a terrorist?

Leave a comment

Filed under Compliance, Compliance (General), Controls, Corporation, Definition, Duty, Governance, Information, Internal controls, Requirements, Third parties