January 4, 2019 · 5:22 am
Continuing from https://infogovnuggets.com/2019/01/04/catching-up-again/
- Pot calling the kettle black
“Comey Tells House Panel He Suspected Giuliani Was Leaking FBI Information to Media,” The Wall Street Journal, December 10, 2018. Former FBI Director Comey, who admitted to leaking information to a reporter through a law school professor, complains that someone else did it, too.
- Yes, we have no privacy
“Thieves Can Now Nab Your Data in a Few Minutes for a Few Bucks,” The Wall Street Journal, December 10, 2018. Following the series of major hacks of privacy data (e.g., Marriott, LinkedIn, Equifax, and Yahoo), “Every American person should assume all of their data is out there,” said one FBI agent. Comforting.
- Duty to report
“New Report Shows Olympics Executives Concealed Knowledge of Nassar Allegations,” The Wall Street Journal, December 11, 2018. Executives knew information about sexual abuse allegations, and failed to report. To whom did they breach a duty?
- Interesting intersection of the right to petition the government and your right to privacy
“U.S. Investigating Fake Comments on ‘Net Neutrality,’” The Wall Street Journal, December 11, 2018. “Earlier this year, the FCC said it would upgrade its website to try to prevent fakery. … Several federal agencies warn that it is a felony to send falsified comments to the federal government when posting on websites soliciting opinions on federal rulemaking.” What if the comments were anonymous?
- Lying or overspending on your expense account can get you canned
“Under Armour Ousts Two Executives After Review of Expenses,” The Wall Street Journal, December 11, 2018. Complying with company policy and procedures is sort of kind of like a job requirement. Even if you signed Jordan Spieth. But how were they to know how much was too much?
- Weakest link?
“Amazon, Amid Crackdown on Seller Scams, Fires Employees Over Data Leak,” The Wall Street Journal, December 11, 2018. Employees bribed for access to inside information. What’s your information worth to you? To the briber? To the (former) employee? Do you have a policy against taking bribes?
- Collateral impact
“Nissan-Renault Scandal Shows It’s Hard to Keep Car Alliances On Track,” The Wall Street Journal, December 12, 2018. A scandal at your business partner can affect your company’s relationships. Is that Governance?
- How do you deal with rumors? Are they “information,” too?
“Super Micro Finds No Malicious Hardware in Motherboards,” The Wall Street Journal, December 12, 2018. This contradicts a prior report from Bloomberg. How do you govern other sources of information? Is using a trusted third party to investigate just standard crisis management planning?
- Should Compliance be more congenial?
“Banks Get Kinder, Gentler Treatment Under Trump,” The Wall Street Journal, December 13, 2018. Regulators are urged to be more collegial with the banks they regulate. Is that better “Governance,” in the short term or in the long term?
- What does it say?
“Renault Sticks With Carlos Ghosn as Internal Probe Finds No Illegality,” The Wall Street Journal, December 13, 2018. What does it say to the rank-and-file when the Chairman gets arrested? And when he’s thereafter kept in place? The Board may have some explaining to do.
- What can your employer do with your information?
“U.S. Companies Asked to Disclose More About Their Workers,” The Wall Street Journal, December 14, 2018. Pension funds ask employers to disclose more information than the SEC currently requires. Whose decision is that? When and how can you object?
- Watch your contractors
“Chinese Hackers Breach U.S. Navy Contractors,” The Wall Street Journal, December 15, 2018. What’s this information worth, both to the US and to China? How much do you look at the security at your vendors who process or create information for you? Are they a weaker link than your employees? (See item 6, above.)
- Information and Governance and Compliance
“PG&E Falsified Gas Safety Records, California Claims,” The Wall Street Journal, December 15, 2018. From the explosion in San Bruno in 2010 (after which PG&E couldn’t find a bunch of inspection records relating to hundreds of miles of its pipelines) to more recent claims about fudging the records on pipeline locations, PG&E has had this problem for awhile. For now, these are just allegations. But what impact on every claim made against the company, and every claim made by it? If they falsify safety records, do they falsify bills, too? “The [state regulator] last month expanded a continuing probe of PG&E’s safety practices and said it would explore the way the company is structured and managed.” There seems to be a link between record-keeping and management and compliance and culture.
- Facebook, again
“Facebook Bug Potentially Exposed Unshared Photos of Up 6.8 Million Users,” The Wall Street Journal, December 15, 2018. One almost gets the idea that protecting your privacy is not a high priority for them.
Filed under Board, Collect, Communicate, Communications, Compliance, Compliance (General), Controls, Corporation, Culture, Data quality, Directors, Duty, Employees, Governance, Information, Internal controls, Investor relations, IT, Management, Oversight, Oversight, Ownership, Privacy, Protect, Protect assets, Records Management, Security, Supervision, Technology, Third parties, To report, Use, Value, Vendors
December 3, 2018 · 8:22 pm
It seems that several (most of?) the large privacy breaches have something in common: something smaller happened earlier that people didn’t pay enough attention to.
“Marriott’s Starwood Missed Chance to Detect Huge Data Breach Years Earlier, Cybersecurity Specialists Say,” The Wall Street Journal, December 2, 2018 (online). There was a prior breach in 2015 that, some say, could have been investigated more thoroughly.
Might this happen in your business? Say there’s a relatively minor breach, affecting a single client’s information. Or a minor compliance issue. You discover it and take action. But does the breach itself indicate weaknesses in your system of controls that may have broader implications? Do you change your training or other controls to reflect this experience, or the experience of others in your industry?
This brings to mind a common finding in accident investigations. Something small happened that could/should have put you on notice. But it was ignored or downplayed.
How does your organization deal with near-hits in the compliance or information governance space? Is this part of oversight? Or a part of effective knowledge management?
Filed under Analytics, Collect, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, IT, Knowledge Management, Management, Oversight, Privacy, Protect assets, Security, Third parties, Use
December 3, 2018 · 5:23 am
“Marriott Says Starwood Data Breach Affects Up to 500 Million People,” The Wall Street Journal, November 30, 2018 (online). Data breach potentially affecting passports and credit cards of as many as 500 million guests at Marriott’s Starwood properties, which were acquired in 2016. They knew about this in September, but reflects a breach that may go back to 2014.
So, two years after an acquisition, the target’s information security practices blow up in the acquiror’s face. What does that say about the acquiror’s duty to integrate the data practices and controls around information protection?
Does your M&A team think about information governance issues? Is that an identified risk, with an identified (and owned) action plan? Did the Board identify this as a risk? What the value of this information considered part of the transaction value? How was that reflected?
Filed under Board, Compliance, Compliance Verification, Controls, Corporation, Directors, Duty, Duty of Care, Governance, Information, Internal controls, IT, Management, Oversight, Protect, Protect assets, Protect information assets, Risk Assessment, Risk assessment, Security, Value
November 19, 2018 · 9:14 am
“Trudeau Says Canadians Heard Khashoggi Tapes,” The Wall Street Journal, November 13, 2018 A7. Canadian intelligence officials hear audio tapes related to killing.
One assumes that this is a tape of some conversation picked up by intelligence folks after the killing, and not a recording of the killing itself. Unless someone wanted to have proof for the boss. Perhaps intelligence agencies spy on other governments or phone calls.
Often, people think information governance is all about the written word. But the spoken word is information, too, whether it is recorded or not. It’s just a problem of proof. Is someone listening or taping your conversation? Would it matter?
Filed under Access, Accuracy, Communications, Controls, Definition, Duty, Governance, Government, Information, Internal controls, Risk assessment, Security, Third parties
November 13, 2018 · 11:00 am
A Tesla employee is indicted for creating fake documents to cover up a fake-payment scheme. “Former Tesla Employee Is Indicted,” The Wall Street Journal, November 12, 2018 B5.
Companies have a lot of controls to prevent fraud by employees, and often these controls work. Why are there more such controls to prevent financial fraud than to prevent violations of other company procedures, such as those related to document creation, retention, and storage?
One wonders whether, in the aggregate, companies lose more money through poor document management and control than they lose through financial fraud. How would one conduct such a study?
Filed under Accuracy, Compliance, Compliance (General), Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Information, Internal controls, Oversight, Protect assets, Records Management, Security, Third parties, Value, Vendors
November 13, 2018 · 9:44 am
“Wall Street Analysts Are Selling More Data,” The Wall Street Journal, November 8, 2018 B11. Analysts are searching and make available a bunch of information on your information, including “social media sentiment … and geospatial mapping.” Think of it as expanded research reports.
Well, they are in the business of reviewing data and offering opinions (for a price). Is it much of a disintermediation for them to start selling the information directly? I guess there’s money in it. Or service.
Filed under Access, Analytics, Collect, Controls, Corporation, Duty, Information, IT, Management, Operations, Ownership, Security, Third parties, Use, Use, Value
November 13, 2018 · 9:36 am
“Wells Fargo Technology Under Scrutiny,” The Wall Street Journal, November 8, 2018 B11. Questions being raised about the technology the bank uses for cybersecurity and risk management.
Do you have the right technology to effectuate the controls you have placed around information? Will your regulators agree? If you are already on the regulator’s radar screen, will your controls measure up?
Filed under Controls, Corporation, Duty, Governance, Internal controls, IT, Oversight, Protect, Protect assets, Risk assessment, Security, Technology
November 7, 2018 · 1:22 pm
“U.S. Charges Agents Of China Hacked Aviation Firms,” The Wall Street Journal, November 1, 2018 B4. Agents of the Chinese government indicted for trying to steal airline industry technology.
This is getting to be rather routine. One part of this is the value of Information, and the importance of information security. One part of this is Compliance, of course, as the US government is trying to protect the US information assets (although the company at issue probably had some responsibility for this as well, as well as their board of directors). And, of course, Governance, as the US government is prosecuting.
We all know the business case for cyber-security.
Filed under Access, Compliance, Compliance (General), Controls, Corporation, Duty, Duty of Care, Governance, Government, Information, Interconnections, Internal controls, IT, Oversight, Protect assets, Security, Third parties
October 28, 2018 · 11:40 am
“Facebook Draws U.K. Fine Over Sharing Data,” The Wall Street Journal, October 26, 2018 B4. Facebook fined half a million Pounds ($645,000) for allowing Cambridge Analytica for letting them see and use user data. This is separate and apart from any fines the EU may impose.
Part of the problem is that Facebook didn’t do enough (i.e., anything) after it found out about Cambridge Analytica having accessed the data.
So, some points to consider:
- Whose information was it?
- Whose (and how many) rules (EU, UK, US, other) apply to (i.e., govern) a data breach?
- Why didn’t FB do anything after learning of the problem? Did it not have a process for handling a vendor that accessed data inappropriately? Doesn’t Governance require you to have such a process? Does Compliance entail requiring your vendors to follow a process, and penalizing them when they don’t?
- The fine here won’t go to the UK residents whose privacy was invaded. Is this a fine or a tax? It certainly isn’t damages.
Filed under Access, Compliance, Compliance (General), Controls, Corporation, Duty, Duty of Care, Governance, Internal controls, IT, Oversight, Privacy, Protect assets, Security, Third parties, Vendors
October 25, 2018 · 3:29 pm
“On Hunt for Disinformation,” The Wall Street Journal, October 18, 2018 A3. Digital detective for the Vietnam Veterans of America tracks down fake Facebook pages used to scam veterans.
Is protecting your customers from fraud part of your offering? Are you concerned about someone else using your logo? Do you expect Facebook to care that much (hint: it doesn’t)?
Filed under Accuracy, Compliance, Controls, Corporation, Duty, Duty of Care, Employees, Governance, IT, Oversight, Protect assets, Security, Third parties