Category Archives: Ownership

Privacy

“Alphabet, Apple Prodded On Privacy,” The Wall Street Journal, July 10, 2018 A3.  Congress asks how Google and Apple use “your” information, such as what you say and write and where you are.

Which is more interesting, the questions or the answers?

Leave a comment

Filed under Access, Controls, Corporation, Definition, Duty, Duty of Care, Governance, Information, Internal controls, Ownership, Policy, Privacy, Security, Technology, Third parties

Location information

Apparently, if you’re on Verizon, 75 companies know where your phone is.  Is that worth anything to anybody?  Who owns that information and who can sell/rent it?

“Third Parties Know Exactly Where You Are,” The Wall Street Journal, July 16, 2018 B4.

Well, I like to have Uber and Google Maps know where I am.  And FindMyPhone.  Who else?  Do I control that?

Leave a comment

Filed under Access, Controls, Corporation, Definition, Duty, Information, Ownership, Technology, Value

Same song, different verse

“App Developers Gain Access To Millions of Gmail Inboxes,” The Wall Street Journal, July 3, 2018 A1.  Depending what you signed up for, your Gmail inbox may be being viewed by hundreds of outside software developers.

Be careful what you agree to, and who you let see your information.

Leave a comment

Filed under Access, Controls, Information, Internal controls, IT, Ownership, Privacy, Security, Third parties

EU comes West

“Sweeping Privacy Bill Passes in California,” The Wall Street Journal, June 29, 2018 B1.  State law gives us the right to not share our data online, and to prohibit the sale of that information.  Downside: it may cost you more.

This will be hugely disruptive for online businesses.  But it does get to the question: “Who owns ‘your’ data?”

Leave a comment

Filed under Access, Compliance, Compliance (General), Controls, Corporation, Duty, Governance, Information, Ownership, Privacy, Value

What you have, where you have it

A common starting point to information governance projects is to determine what information you have and where you have it.  Then you can start to manage it. But what happens if you don’t know what you have nor where you have it?

“Facebook Struggles to Find User Data,” The Wall Street Journal, June 28, 2018 B1. “The company can’t track where much of the [user] data went after it left the platform or figure out where is it now.”

A lot of the information is or was with app developers that are now out of business.  What happened to your/Facebook’s/their data?

Sure is easier to figure this out going forward than it is to figure out what happened between 2007 and 2015.  Especially if disclosure of some of that information is blocked by the government in far-off lands.  Or if the app developers don’t fancy having Facebook root through their servers and discovering their business secrets.  Or if Facebook doesn’t have a contractual right to get this information.

Sure would be easier if they’d had the proper controls in place at the time.

Leave a comment

Filed under Access, Controls, Corporation, Duty, Duty of Care, Governance, Government, Information, Internal controls, Oversight, Ownership, Ownership, Privacy, Protect assets, Security, Third parties, Vendors

That clears that up

“Court Ruling Boosts Phone Privacy,” The Wall Street Journal, June 23, 2018 A1.  The Supremes’ rule that, in order to get your cell phone’s location data from your service provider, the government needs a warrant.

This raises several interesting Information-related points.  First, who owns that information?  Second, who (beyond the “owner”) has possession of that information? Third, who does the warrant get served on – the third party (also) in possession of this data, or the person who owns it and who doesn’t possess this data, and who in fact seldom knows that this data exists? Fourth, what else, beyond cell phone location data, is within this special zone of privacy, both today and in the future?  Fifth, what exactly are the exceptions?  Are they limited to bomb threats and shooters and child abductors?  Or is that somewhat flexible, too?  Does this hinge on “reasonableness,” which is somewhat loosy-goosey except in retrospect?  Does this apply to your Metro card?  Or your PayPal account?

And, then, as a Governance point, how does one justify this expansion of protection to things that are not “their persons, houses, papers, and effects …”?  Expanding a right to privacy that does not exist in the express language of the Constitution.

I haven’t read the decision and the dissents, just some news reports.  But didn’t a statute passed by Congress allow the government to access your data when stored with third parties? Is that statute (the Stored Communications Act) now valid or invalid?

Leave a comment

Filed under Access, Compliance, Duty, Governance, Government, Information, Ownership, Ownership, Privacy

Happy Birthday!

Vendors with whom you deal can (and do) capture lots of information about you.  They use that information.  Hopefully to improve customer service.  Can they disclose what they know to others?  What if your traveling companions don’t know it’s your birthday because you don’t want them to know?

“What  the Airline Knows About The Guy in Seat 12A,” The Wall Street Journal, June 20, 2018 A11.  What information on you do airlines collect and how do they use it?

If the information is correct and used positively, that’s one thing.  What if it’s wrong, or used negatively?  What if it leaks?  What if it’s sold?

Leave a comment

Filed under Access, Accuracy, Collect, Controls, Corporation, Duty, Duty of Care, Governance, Information, Management, Oversight, Ownership, Privacy, Protect, Use

Car 54, Where Are You?

Is where you are “information”?  If so, who owns it?  Can one piece of information be owned by more than one person, at the same time?  Is this something unique about “information” generally?

“Phone Giants Cut Off Two Location Services,” The Wall Street Journal, June 20, 2018, A1.  Verizon, AT&T, and Sprint will stop selling your location to two middlemen.

This decision wasn’t a recognition that your location is your information.  Rather, it was because one middleman allowed law enforcement agencies to see location data without a warrant. So, the phone companies are protecting your privacy from the government, but not from the phone companies.

One would hope that you could decide how and when your location data could be used by someone else.  But that is your decision, on your information.

Toody and Muldoon, where are you?

 

Leave a comment

Filed under Access, Controls, Corporation, Definition, Duty, Information, Internal controls, Ownership, Privacy, Third parties

Information – Use

In a robbery investigation, the victim gave police an Instagram photo of the suspect and the police ran that photo through a facial recognition system and the state’s drivers license database, and a driver’s license photo was identified.  The driver was arrested.

Is it okay for police to use (a) the Instagram photo or (b) the driver’s license photo to identify a robbery suspect?  Who’s information is it?  Is this an invasion of privacy?  As long as the suspect can contest the accuracy of the facial recognition software, do his rights count more than the victim’s?  Do restrictions on the use of biometrics in some states (Texas, Illinois, and Washington that I know of) change the calculus?

“Police Use of Driver Photos Stirs Debate,” The Wall Street Journal, June 18, 2018 A3.

Leave a comment

Filed under Controls, Duty, Duty of Care, Governance, Government, Information, Internal controls, Ownership, Privacy, Third parties

Poster boy for Information Governance

Years ago, while teaching a course to MBA students at Rice University, I used the Target credit card breach as a case study.  It touched a lot of bases.  Now we have a better one.

While there have been a lot of information governance-related stories in the news over the past two years, including Equifax and Facebook and VW and Wells Fargo, my nominee for the one name associated with the most significant teaching example in information governance and compliance is the former FBI Director, James Comey.

First, he gave us The Day That Information Governance Died, with his July 5, 2016 pronouncement that, notwithstanding her clear violations of several applicable legal laws dealing with the handling of confidential or secret information (and the destruction of information subject to a subpoena), Secretary Hillary Clinton’s use (and wiping) of a private server to store government email was not going to be prosecuted.  Such a pronouncement deviated “‘from well-established Department policies'” that the FBI does not comment about  ongoing criminal investigations.

Then he wrote a memo ostensibly commemorating a meeting he had with his boss on government business on a government computer (while in a government vehicle) during the work day, and declared that that was his personal correspondence that he could (and did) distribute as he pleased.

And now we learn that he conducted government business over his own private gmail account {that information does not appear in the WSJ article – Ed.}, and actively avoid his boss’ oversight (and his bosses failed to adequately supervise him).  “Report Blasts FBI Agents, Comey Over Clinton Probe,” The Wall Street Journal, June 15, 2018 A1. Inspector General releases his report on the Clinton Investigation.

Recap:

  • Violations of law are not enforced
  • Evidence is destroyed notwithstanding a subpoena
  • Senior employees ignore long-standing policy
  • Senior employees treat documents prepared by them in the course of business as their personal information
  • Senior employees use private email accounts to transact government business
  • Employees hide things from their bosses
  • Bosses failed to adequately supervise their reports

And this is at the FBI, by a lawyer.

Does anyone wonder why we have a hard time getting traction on information governance initiatives?  Certainly an argument for an Information Governance case study of just the Clinton email investigation and its aftermath.  Not sure you could cover it all in one semester, at both law schools and business schools.

 

Leave a comment

Filed under Communications, Compliance, Compliance (General), Controls, Culture, Discovery, Duty, Duty of Care, Employees, Governance, Government, Information, Internal controls, Lawyers, Managers, Oversight, Ownership, Ownership, Policy, Requirements, Supervision, Who is in charge?