Category Archives: IT


It’s one thing when an insurance company asks you to install an appliance that tracks your driving habits.  You can qualify for rate discounts.  But what if the car manufacturer installs an app that sends the data to the insurer?

“App Tracks Driving Habits,” The Wall Street Journal, July 6, 2018 B3.  Mitsubishi installs app and offers to arrange to send data to insurers.

Again, this looks like someone else stepping in and trying to make money from sharing your data, not theirs.  Will this, as this article says, lead to insurers economically forcing you to share this information?  How you drive is one thing; but this would also include where you go, and when.  And can be tied to your credit rating, ZIP code, age, gender, etc.

What’s this data worth to you?  More or less than what it is worth to Mitsubishi and the insurance companies?  What will they do with this data once they have it?  Will they keep it secure?  Do they do this on cars sold in Europe or, for that matter, Japan?  Both have significantly stronger privacy protections than the US.



Filed under Access, Analytics, Controls, Information, Privacy, Security, Technology, Third parties, Value


“Cheap Phones Grab User Data,” The Wall Street Journal, July 6, 2018 B1. Cell phones sold in developing countries with limited privacy protections loaded with programs that harvest data.

While the phones give free access to the Internet, they are loaded with apps that track the user’s location, run targeted ads, and send usage data to the phone manufacturers.  But the users aren’t given a choice, beyond whether they want a phone or not.

Is this similar to the Faustian bargain already made in developing countries, trading our privacy for access to Facebook or Google or Amazon?  At least we were given the choice.  Sort of.  And we have privacy laws.  Sort of.





Filed under Access, Controls, Privacy, Security, Technology, Third parties, Value

Same song, different verse

“App Developers Gain Access To Millions of Gmail Inboxes,” The Wall Street Journal, July 3, 2018 A1.  Depending what you signed up for, your Gmail inbox may be being viewed by hundreds of outside software developers.

Be careful what you agree to, and who you let see your information.


Filed under Access, Controls, Information, Internal controls, IT, Ownership, Privacy, Security, Third parties

Encryption, point-to-point

“Emails Add to the Turmoil at WPP,” The Wall Street Journal, June 29, 2018 B2. A company technician recovered WhatsApp messages from the phone of a former employee; these messages were then sent by encrypted email to a few employees.  The technician who recovered the messages has also left the company. [BTW, messages on WhatsApp are encrypted point-to-point, but are recoverable from a device that received them.]

What happens to messages on your company phone when you leave?  Do you care?  Do you use encryption to send messages anonymously?  Why?

These messages were in an account used to coordinate the former CEO’s travel.  And maybe for other stuff.  The CEO already resigned.



Filed under Access, Communications, Controls, Corporation, Duty, Duty of Care, Employees, Governance, Information, Internal controls, IT, Policy, Privacy, Protect assets, Security

What you have, where you have it

A common starting point to information governance projects is to determine what information you have and where you have it.  Then you can start to manage it. But what happens if you don’t know what you have nor where you have it?

“Facebook Struggles to Find User Data,” The Wall Street Journal, June 28, 2018 B1. “The company can’t track where much of the [user] data went after it left the platform or figure out where is it now.”

A lot of the information is or was with app developers that are now out of business.  What happened to your/Facebook’s/their data?

Sure is easier to figure this out going forward than it is to figure out what happened between 2007 and 2015.  Especially if disclosure of some of that information is blocked by the government in far-off lands.  Or if the app developers don’t fancy having Facebook root through their servers and discovering their business secrets.  Or if Facebook doesn’t have a contractual right to get this information.

Sure would be easier if they’d had the proper controls in place at the time.


Filed under Access, Controls, Corporation, Duty, Duty of Care, Governance, Government, Information, Internal controls, Oversight, Ownership, Ownership, Privacy, Protect assets, Security, Third parties, Vendors

Verrry interesting

“Europe’s Privacy Law Fails to Stoke Demand for Cyber Insurance,” The Wall Street Journal, June 21, 2018 B10.  Companies aren’t buying as much privacy insurance as people thought.

Certainly, in the wake of the GDPR rollout, the risk of a privacy law violation has increased.  Apparently companies think that they have adequate controls in place, and don’t need the protection of insurance to backstop their controls.  Insurance is a mitigation in case your controls aren’t totally effective.

Are these companies doing the same with other risks to other assets?  Or is your private data somehow different?


Filed under Board, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Internal controls, IT, Management, Oversight, Ownership, Privacy, Protect, Protect assets, Protect information assets, Security, Third parties

Apple ≠ Facebook ≠ Google

Apple seems to be taking a different approach than Facebook or Google.

“iPhone Change To Block Police,” The Wall Street Journal, June 14, 2018 B1.  Apple “fixes” the technical hole that allows the authorities to break into the iPhone of a criminal or suspected criminal.

Is Apple more or less concerned about privacy of its users than either Google or Facebook is concerned about the privacy of their customers?  What about Apple’s demonstrated desire to block government access?  Is that more like Google (use of Google AI in weapons systems) or like Facebook (oh, heck, we’ll let just about anyone see our users’ data)?

Is controlling access to user data Governance?  Or is it a feature?  Whom do you trust more?


Filed under Access, Controls, Corporation, Culture, Duty, Duty of Care, Governance, Government, Internal controls, IT, Oversight, Policy, Privacy, Protect assets, Security, Third parties