Continuing from https://infogovnuggets.com/2019/01/04/catching-up-again/
- Pot calling the kettle black
“Comey Tells House Panel He Suspected Giuliani Was Leaking FBI Information to Media,” The Wall Street Journal, December 10, 2018. Former FBI Director Comey, who admitted to leaking information to a reporter through a law school professor, complains that someone else did it, too.
- Yes, we have no privacy
“Thieves Can Now Nab Your Data in a Few Minutes for a Few Bucks,” The Wall Street Journal, December 10, 2018. Following the series of major hacks of privacy data (e.g., Marriott, LinkedIn, Equifax, and Yahoo), “Every American person should assume all of their data is out there,” said one FBI agent. Comforting.
- Duty to report
“New Report Shows Olympics Executives Concealed Knowledge of Nassar Allegations,” The Wall Street Journal, December 11, 2018. Executives knew information about sexual abuse allegations, and failed to report. To whom did they breach a duty?
- Interesting intersection of the right to petition the government and your right to privacy
“U.S. Investigating Fake Comments on ‘Net Neutrality,’” The Wall Street Journal, December 11, 2018. “Earlier this year, the FCC said it would upgrade its website to try to prevent fakery. … Several federal agencies warn that it is a felony to send falsified comments to the federal government when posting on websites soliciting opinions on federal rulemaking.” What if the comments were anonymous?
- Lying or overspending on your expense account can get you canned
“Under Armour Ousts Two Executives After Review of Expenses,” The Wall Street Journal, December 11, 2018. Complying with company policy and procedures is sort of kind of like a job requirement. Even if you signed Jordan Spieth. But how were they to know how much was too much?
- Weakest link?
“Amazon, Amid Crackdown on Seller Scams, Fires Employees Over Data Leak,” The Wall Street Journal, December 11, 2018. Employees bribed for access to inside information. What’s your information worth to you? To the briber? To the (former) employee? Do you have a policy against taking bribes?
- Collateral impact
“Nissan-Renault Scandal Shows It’s Hard to Keep Car Alliances On Track,” The Wall Street Journal, December 12, 2018. A scandal at your business partner can affect your company’s relationships. Is that Governance?
- How do you deal with rumors? Are they “information,” too?
“Super Micro Finds No Malicious Hardware in Motherboards,” The Wall Street Journal, December 12, 2018. This contradicts a prior report from Bloomberg. How do you govern other sources of information? Is using a trusted third party to investigate just standard crisis management planning?
- Should Compliance be more congenial?
“Banks Get Kinder, Gentler Treatment Under Trump,” The Wall Street Journal, December 13, 2018. Regulators are urged to be more collegial with the banks they regulate. Is that better “Governance,” in the short term or in the long term?
- What does it say?
“Renault Sticks With Carlos Ghosn as Internal Probe Finds No Illegality,” The Wall Street Journal, December 13, 2018. What does it say to the rank-and-file when the Chairman gets arrested? And when he’s thereafter kept in place? The Board may have some explaining to do.
- What can your employer do with your information?
“U.S. Companies Asked to Disclose More About Their Workers,” The Wall Street Journal, December 14, 2018. Pension funds ask employers to disclose more information than the SEC currently requires. Whose decision is that? When and how can you object?
- Watch your contractors
“Chinese Hackers Breach U.S. Navy Contractors,” The Wall Street Journal, December 15, 2018. What’s this information worth, both to the US and to China? How much do you look at the security at your vendors who process or create information for you? Are they a weaker link than your employees? (See item 6, above.)
- Information and Governance and Compliance
“PG&E Falsified Gas Safety Records, California Claims,” The Wall Street Journal, December 15, 2018. From the explosion in San Bruno in 2010 (after which PG&E couldn’t find a bunch of inspection records relating to hundreds of miles of its pipelines) to more recent claims about fudging the records on pipeline locations, PG&E has had this problem for awhile. For now, these are just allegations. But what impact on every claim made against the company, and every claim made by it? If they falsify safety records, do they falsify bills, too? “The [state regulator] last month expanded a continuing probe of PG&E’s safety practices and said it would explore the way the company is structured and managed.” There seems to be a link between record-keeping and management and compliance and culture.
- Facebook, again
“Facebook Bug Potentially Exposed Unshared Photos of Up 6.8 Million Users,” The Wall Street Journal, December 15, 2018. One almost gets the idea that protecting your privacy is not a high priority for them.
Filed under Board, Collect, Communicate, Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Data quality, Directors, Duty, Employees, Governance, Information, Internal controls, Investor relations, IT, Management, Oversight, Oversight, Ownership, Privacy, Protect, Protect assets, Records Management, Security, Supervision, Technology, Third parties, To report, Use, Value, Vendors
It seems that several (most of?) the large privacy breaches have something in common: something smaller happened earlier that people didn’t pay enough attention to.
“Marriott’s Starwood Missed Chance to Detect Huge Data Breach Years Earlier, Cybersecurity Specialists Say,” The Wall Street Journal, December 2, 2018 (online). There was a prior breach in 2015 that, some say, could have been investigated more thoroughly.
Might this happen in your business? Say there’s a relatively minor breach, affecting a single client’s information. Or a minor compliance issue. You discover it and take action. But does the breach itself indicate weaknesses in your system of controls that may have broader implications? Do you change your training or other controls to reflect this experience, or the experience of others in your industry?
This brings to mind a common finding in accident investigations. Something small happened that could/should have put you on notice. But it was ignored or downplayed.
How does your organization deal with near-hits in the compliance or information governance space? Is this part of oversight? Or a part of effective knowledge management?
Filed under Analytics, Collect, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, IT, Knowledge Management, Management, Oversight, Privacy, Protect assets, Security, Third parties, Use
In the prior post, I expressed some shock and amazement that Amazon would meddle with the patient-doctor relationship. See www.infogovnuggets.com/2018/12/03/these-folks-have-lost-the-plot/.
Apparently I am not alone in raising some questions about the antitrust implications of some of Amazon’s behavior. “Germany Opens Amazon Antitrust Probe, Adding to European Scrutiny,” The Wall Street Journal, November 30, 2018 (online). Is Amazon hindering other sellers on their website?
This is primarily a Compliance issue. I note, however, that the types of behavior at issue here are basic antitrust blocking and tackling. If you get to a certain size, you can no longer get away with behavior that would be acceptable by a smaller player. Sometimes this isn’t part of the Compliance education package.
“Marriott Says Starwood Data Breach Affects Up to 500 Million People,” The Wall Street Journal, November 30, 2018 (online). Data breach potentially affecting passports and credit cards of as many as 500 million guests at Marriott’s Starwood properties, which were acquired in 2016. They knew about this in September, but reflects a breach that may go back to 2014.
So, two years after an acquisition, the target’s information security practices blow up in the acquiror’s face. What does that say about the acquiror’s duty to integrate the data practices and controls around information protection?
Does your M&A team think about information governance issues? Is that an identified risk, with an identified (and owned) action plan? Did the Board identify this as a risk? What the value of this information considered part of the transaction value? How was that reflected?
Filed under Board, Compliance, Compliance Verification, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Value
“Trudeau Says Canadians Heard Khashoggi Tapes,” The Wall Street Journal, November 13, 2018 A7. Canadian intelligence officials hear audio tapes related to killing.
One assumes that this is a tape of some conversation picked up by intelligence folks after the killing, and not a recording of the killing itself. Unless someone wanted to have proof for the boss. Perhaps intelligence agencies spy on other governments or phone calls.
Often, people think information governance is all about the written word. But the spoken word is information, too, whether it is recorded or not. It’s just a problem of proof. Is someone listening or taping your conversation? Would it matter?
Filed under Access, Accuracy, Communications, Controls, Definition, Duty, Governance, Government, Information, Internal controls, Risk assessment, Security, Third parties
A Tesla employee is indicted for creating fake documents to cover up a fake-payment scheme. “Former Tesla Employee Is Indicted,” The Wall Street Journal, November 12, 2018 B5.
Companies have a lot of controls to prevent fraud by employees, and often these controls work. Why are there more such controls to prevent financial fraud than to prevent violations of other company procedures, such as those related to document creation, retention, and storage?
One wonders whether, in the aggregate, companies lose more money through poor document management and control than they lose through financial fraud. How would one conduct such a study?
Filed under Accuracy, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Oversight, Protect assets, Records Management, Security, Third parties, Value, Vendors
“Wall Street Analysts Are Selling More Data,” The Wall Street Journal, November 8, 2018 B11. Analysts are searching and make available a bunch of information on your information, including “social media sentiment … and geospatial mapping.” Think of it as expanded research reports.
Well, they are in the business of reviewing data and offering opinions (for a price). Is it much of a disintermediation for them to start selling the information directly? I guess there’s money in it. Or service.
Filed under Access, Analytics, Collect, Controls, Corporation, Duty, Information, IT, Management, Operations, Ownership, Security, Third parties, Use, Use, Value
“Wells Fargo Technology Under Scrutiny,” The Wall Street Journal, November 8, 2018 B11. Questions being raised about the technology the bank uses for cybersecurity and risk management.
Do you have the right technology to effectuate the controls you have placed around information? Will your regulators agree? If you are already on the regulator’s radar screen, will your controls measure up?
Filed under Controls, Corporation, Duty, Governance, Internal controls, IT, Oversight, Protect, Protect assets, Risk assessment, Security, Technology
“U.S. Charges Agents Of China Hacked Aviation Firms,” The Wall Street Journal, November 1, 2018 B4. Agents of the Chinese government indicted for trying to steal airline industry technology.
This is getting to be rather routine. One part of this is the value of Information, and the importance of information security. One part of this is Compliance, of course, as the US government is trying to protect the US information assets (although the company at issue probably had some responsibility for this as well, as well as their board of directors). And, of course, Governance, as the US government is prosecuting.
We all know the business case for cyber-security.
Filed under Access, Compliance, Compliance (General), Controls, Corporation, Duty, Duty of Care, Governance, Government, Information, Interconnections, Internal controls, IT, Oversight, Protect assets, Security, Third parties
“U.K. Plans to Introduce Digital Tax on Tech Firms,” The Wall Street Journal, October 30, 2018 A9. Rather than further regulating firms like Google and Facebook, the UK now tried to tax their locally generate revenue.
The lack of a universal taxing methodology may cause the big players some headaches. Compare the patchwork of privacy obligations if you operate in different countries (or states).
Look at this from two different views. First, how does a large multi-national comply with all the different laws around the world? Second, how does your company deal with the overlapping laws and your own corporate policies and procedures, which may apply differently to different parts of your company?
While one-size-fits-all makes sense at one level (if you’re on top of the Governance pyramid), does this process require a bit more granular differentiation (if you are on the bottom)?