Category Archives: Security

Catching up

I was out of town for a bit, and am now catching up.  So this will deviate from the usual one-story, one-post format.  19 squibs.

“ISS Opposes Five Equifax Directors,” The Wall Street Journal, April 17, 2018 B2.  A proxy advisor recommends against voting for members of the Board’s technology committee, who had responsibility for technology security.  Is that all that happens, they get fired?  157 million accounts exposed and they get un-elected but not (yet) sued?  No claw-back of directors’ fees?

“Facebook Data Dispute Embroils University of Cambridge,” The Wall Street Journal, April 16, 2018 B4. Cambridge says Facebook approved of the University’s use of Facebook data.  Or your data, if you wish.

“Fired FBI No.2 McCabe Misled Probe, Report Says,” The Wall Street Journal, April 14, 2018 A1.  Misleading an internal investigation into a leak to the newspaper is not good.

“Volkswagen Prepares to Replace CEO,” The Wall Street Journal, April 11, 2018 B1.  CEO who helped VW survive the emissions scandal gets replaced. A palace coup after the company spent $25 billion+ on the scandal.  Is this more price for VW to pay?  And let’s not forget the shareholders, who foot the bill.  See also “VW Picks Chief After Boardroom Coup,” The Wall Street Journal, April 13, 2018 B1.

“Blunder Hits Samsung Securities,” The Wall Street Journal, April 11, 2018 B13. An employee’s mistake leads to mistaken issuance of $105 billion in shares, more than 30 times the company’s existing issued shares.  Do you have the right controls in place?  Is this an information governance issue?

“Facebook Hearings Put Regulation In Spotlight,” The Wall Street Journal, April 12, 2018 A1. Will the Facebook data leak/usage lead to new privacy regulation?

“Adviser Urges Shift On Board Of Equifax,” The Wall Street Journal, April 12, 2018 B10.  Does the company’s failure to avoid a cyber attack mean the board has to go?  Maybe.

“China’s Censors Zero In on Apps,” The Wall Street Journal, April 12, 2018 B4.  Chinese government extends control over a smartphone app that had crude jokes.  Now there’s enforcement of a policy, and a demonstration of what “governance” means.

“Zuckerberg Says Sorry for Harm Done,” The Wall Street Journal, April 10, 2018 B4.  Classic crisis management strategy:  admit you’re wrong?

“Sensing Urgency, Facebook Bolsters User Protections,” The Wall Street Journal, April 10, 2018 B5.  Locking the door after the horse bolted.

“Facebook Sets ‘Issue’ Ads Rule,” The Wall Street Journal, April 7, 2018 A1.  Does a background check on advertisers protect your privacy?

“YouTube Policies Stir Bitterness,” The Wall Street Journal, April 6, 2018 B1.  Following attack at YouTube HQ, taking a closer look at YouTube’s policies on filtering/restricting content.

“Facebook CEO: Lax Privacy a ‘Huge Mistake,’” The Wall Street Journal, April 5, 2018 A1.  Not focusing on privacy protections a “huge mistake.”  Really?

“Police Want to Send AI Into the Street,” The Wall Street Journal, April 4, 2018 A3.  Can body cams be used to collect “Person of Interest”-level information, real time?

“WPP’s Sorrell Faces Probe,” The Wall Street Journal, April 4, 2018 B1.  CEO of advertising company under internal investigation for misusing company assets.  It’s really just a question of duty.

“GM Scraps a Standard in Sales Reporting,” The Wall Street Journal, April 3, 2018 B1.  You manage what you measure.  So, no longer reporting this statistic will reportedly make it easier to measure performance.  Huh?

“Oracle Defeats Google In Court,” The Wall Street Journal, March 28, 2018 B1. Appeals court revives copyright infringement suit against Google.  $9 billion+ in damages alleged.

“Wedbush Accused Of Flawed Oversight,” The Wall Street Journal, March 28, 2018 B12.  SEC charges company with failure to properly supervise an employee involved in “long-running ‘pump-and-dump’ scheme.”




Filed under Accuracy, Board, Communications, Compliance, Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Investor relations, Oversight, Oversight, Ownership, Ownership, Policy, Privacy, Protect information assets, Security, Third parties, Value


When disaster hits one part of your industry, other members often get hit, too, especially when customers get upset.  And the media smells blood.

“Facebook and Google Confront Antagonism of Big Advertisers,” The Wall Street Journal, March 26, 2018 A1.  Major advertisers demand more detail and accountability around ads and cost following the revelations about the use/misuse of user data and the accuracy of the viewing statistics.

Is the business model of selling access to data that isn’t really yours finally breaking down?

In a related piece, Facebook took out a full-page ad on page B12 in The Wall Street Journal that says, in part, “We have a responsibility to protect your information.  If we can’t, we don’t deserve it.”  Interesting admission that it’s your information, not theirs.  Still noodling on how that works through the courts.

Where to file this?  What does non-compliance with your information policies cost you?


Filed under Access, Accuracy, Compliance, Compliance (General), Controls, Corporation, Duty, Governance, Information, Oversight, Ownership, Protect assets, Security, Third parties, Value, Vendors

It’s all about networks

“Facebook Breaks Its Silence, Admits to ‘Mistakes,’” The Wall Street Journal, March 22, 2018 A1.  Facebook takes fire for use of Facebook’s data on 50 million users by outside app developers and others.  One analyst points to “systemic mismanagement.”  Stock value has dropped 10% ($50 billion).

Well, that’s your data, isn’t it?  Data about who your friends and interests are, and other data generated by your use of Facebook.  What are your networks worth?  Who says privacy is dead?

The common crisis management three-step.  Crisis, government outrage/testimony and heartfelt (albeit delayed) apologies, and more regulation/lawsuits.

Lots of questions about who owns what data and who has what responsibilities with respect to that data.  Are your personal networks information?  What’s the information worth? When FB holds the information, is it no longer yours?  Did you accept this risk?  Was this really just a problem with FB’s vendors not controlling things?  The list goes on.


Filed under Access, Analytics, Communications, Controls, Corporation, Definition, Duty, Governance, Information, Internal controls, Oversight, Ownership, Privacy, Protect assets, Security, Third parties, Value, Vendors

Who governs the Internet?

ICANN, which oversees domain names on the Internet, keeps track of who owns which website, and until now has made a lot of that information publicly available.  In order to comply with new EU privacy rules, ICANN is going to reduce the amount of information available to all but an as-yet-to-be-determined accredited group.

“Group to Tighten Web Privacy Rules,” The Wall Street Journal, March 16, 2018 B4.

Good luck tracking down the source of hacking or intellectual property theft, which isn’t easy even now.  On the other hand, won’t keeping secret who owns a website in a country with fewer press freedoms increase the amount of governmental transparency?  Who decides these issues?



Filed under Access, Compliance, Compliance (General), Controls, Governance, Internal controls, IT, Oversight, Policy, Privacy, Security, Technology, Third parties

Routine teaching case

“Insider Trade Alleged After Equifax Breach,” The Wall Street Journal, March 15, 2018 B1.  The CIO of an Equifax unit indicted for insider trading after learning of the Equifax hack, but before that information was disclosed.  Sold nearly $1 million in stock 10 days before the disclosure.

This reminds me of the lawyer who approved the sale by some Equifax execs of some stock after the breach but before disclosure.  See post here.  Those executives have since been cleared, as they didn’t know of the breach at the time of the sale.

The company said it had cooperated in the investigation (no doubt having re-read a copy of the Yates memo).  The defendant had been promoted to be Equifax’s CIO before the trading was discovered, at which time the offer was “rescinded.”  He hadn’t been told about the breach, but figured it out.  Avoided $117,000 in losses.  But not getting fired and indicted.



Filed under Access, Compliance, Controls, Duty, Employees, Governance, Internal controls, IT, Oversight, Security, Uncategorized

Build it and they will come

It was bad when the Office of Personnel Management got hacked.  Worse, perhaps, overseas.

“German Government Network Was Breached,” The Wall Street Journal, March 1, 2018 A9.  Multiple ministries were breached. May have been the Russians.  May have been the Chinese.  Was it the super-secret stuff?  No one knows.

What does it say when the government can’t protect its own information, much less yours?


Filed under Access, Controls, Duty, Governance, Government, Interconnections, Internal controls, IT, Protect assets, Security


“You’re Being Tracked, and Hackers Loom,” The Wall Street Journal, March 5, 2018 B1.  If an app can track your location, the app can sell that data to others.  This explains why the ads you get are context-appropriate.

Who owns the data of where you are?  Who gets paid for selling it?  Is there a connection between the two?

If you wanted to share information with an app for your own convenience (like knowing what the local weather is), are you agreeing to receive ads from nearby merchants?  Do you know you’re making this bargain?  Do you read the terms and conditions?



Filed under Access, Definition, Information, IT, Ownership, Security, Value