Those of us familiar with the EU are used to government agencies placing and enforcing restrictions on the collection of personal information to protect the privacy rights of its citizens.
“CFPB Curbs Data Collection,” The Wall Street Journal, December 5, 2017 B5. The Consumer Financial Protection Bureau stops collecting personal information (including data on credit cards and mortgages) until adequate cybersecurity protections are in place.
Delicate balance between protecting privacy and protecting your credit? Or the recognition by the government of its duty to protect our information?
“Police See Social Media Fuel Crime,” The Wall Street Journal, November 25, 2017 A3. Immediate access to information “played a major role in escalating disputes….”
One assumes that this is true whether the information spread on social media is or isn’t true. Is a lie halfway around the world before the truth gets its shoes on?
What are the social implications of so much (unfiltered and unverified) information being made available to so many so fast? Who has a duty to verify or filter it? How do you control this within the confines of your business? Do you have a duty to? Is the control only common sense?
“Facebook to Tell Users If They Followed or Liked Russian Pages,” The Wall Street Journal, November 24, 2017 B3. Facebook will tell users if they accessed the 290 Facebook and Instagram pages that the Russians allegedly used in the misinformation campaign.
Who owns the information about what sites you visited? Apparently, Facebook. Does Facebook have a duty to let you know that you accessed “bad” sites? Does doing so make it more or less likely that you will (a) use Facebook or (b) believe what you see on Facebook?
Keeping a hack of your enterprise quiet should be difficult. Some find it easy.
“Uber CEO Knew of Hack for Months,” The Wall Street Journal, November 24, 2017 A1. Uber was hacked in October 2016 (they say), affecting 57 million accounts. Fewer than Yahoo’s 3 billion and Equifax’s 145 million. The CEO learned of the breach in September 2017, shortly before taking the top job. Uber also paid the hackers $100,000 to destroy some of the stolen data.
Would they have disclosed it at all if they weren’t seeking outside financing?
What’s your obligation to disclose to your customers that their information may have been stolen from you?
“Hackers Target Schools,” The Wall Street Journal, October 24, 2017 A3. Cyberthefts and ransomware attacks at a whole host of schools, targeting data on students, as well as the normal financial stuff.
So, how much money should schools spend to prevent hacking and subsequent release of student data? And isn’t it nice of the news media to report how much ransom the attackers got?
So, whose data is it, anyway? And who’s the custodian?
“After Equifax, a New Way Forward,” The Wall Street Journal, October 17, 2017 B4. How to replace the Social Security Number as the common way to identify us and authenticate our transactions to lots of organizations, both public and government.
Who decided to take the risk of using the SSN for this? Should the same people (i.e., banks) pay for the cost of their chosen course of action, or for using someone else’s information? Or your doctor/insurance company? Sure, it’s easy(ier) for the banks.
Who owns your SSN? You? The government? Did you consent to this use of your information? Did the government? If you didn’t, I guess getting a mortgage would be difficult.
“New York Investigates Deloitte Cyberbreach,” The Wall Street Journal, October 13, 2017 B10. New York AG investigates breach, which “compromised information on a small number of clients.” The breach started a year ago and wasn’t detected until April 2017. The information compromised may have been limited to access credentials and the like, rather than account information. Sort of like Equifax.
Who else has been attacked and (a) knows about it but is still keeping it quiet, or (b) doesn’t know about it yet?