Category Archives: Legal


This is a straight compliance piece, where a corporation is held liable for the misdeeds of its employees (agents).

“Wells Fargo to Pay $3.4 Million Over Advisers’ Flub,” The Wall Street Journal, October 17, 2017 B10.  Apparently, some of the bank’s financial advisers recommended volatility ETFs when they shouldn’t have.  The advisers also didn’t have adequate training.

This is straightforward.  Should some manager be fired or disciplined?  Maybe.  This would not seem the type of event that calls into question the Board’s duty to supervise, unless this is the third time this same compliance issue has arisen.  This is only the second time.  The bank paid nearly $3 million in fines and restitution in 2012 for a similar violation.


Leave a comment

Filed under Board, Compliance, Compliance, Compliance Verification, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, Oversight, Oversight, Requirements

Electrical banana (reprise)

Slack is a new communications software in use in many companies.  Do your policies deal with the implications of the use and misuse of yet another new technology?  How will you handle this when litigation comes in?

“Tips to Tighten Slack Users’ Skills,” The Wall Street Journal, October 12, 2017 B4.

Leave a comment

Filed under Access, Communications, Compliance, Content, Controls, Corporation, Discovery, Duty, Duty of Care, Employees, Governance, Information, Interconnections, Internal controls, IT, Legal, New Implications, Oversight, Policy, Protect assets, Security

Burned by a phone

Apparently, NCAA rules prohibit coaches from using a burner phone to contact football recruits.  Or lying about it when you do.

“‘Burner Phone’ Accusation Marks New Chapter in Ole Miss Scandal,” The Wall Street Journal, September 20, 2017 A16. Coaches accused and investigated, and asked to sign certifications that they had never used pre-paid phones for recruiting or other work-related purpose.

Is this a question you normally ask your employees, or is this a form you have them sign?  Should you ask for a certification that exiting employees do not have any company information on a non-company asset or location?

Leave a comment

Filed under Access, Board, Compliance, Compliance Verification, Controls, Corporation, Discovery, Duty, Duty of Care, Employees, Governance, Internal controls, IT, Legal, Oversight, Oversight, Policy, Protect assets, Security, Third parties


“Makers Of Opioids Are Asked For Data,” The Wall Street Journal, September 20, 2017 A6.  Subpoenas served on 5 manufacturers, as 41 states investigate marketing and sales of painkillers.

How much will this cost?  Who will pay?  What will we learn?

Leave a comment

Filed under Discovery, Information, Legal, Value

Kidnapping v. stealing information

One unique aspect of information is that it can be stolen, yet remain in the owner’s possession.  Apparently, medical facilities are required to report if your medical information is stolen, but not if it is merely kidnapped and held for ransom.

“Some Cyberattacks Go Unreported,” The Wall Street Journal, June 19, 20127 B3.  Whether hospitals need to report a ransomware attack of their files as a data breach is a “gray area,” and the federal government doesn’t require such reports, even if the government knows about them.  Some hospitals don’t report ransomware attacks, so these attacks are not in the HHS statistics.

So, patients don’t know when hospitals have weak security protection.  What value, then, are the government statistics?  Do they need a big asterisk?


Leave a comment

Filed under Controls, Corporation, Data quality, Duty, Government, Information, Internal controls, IT, Legal, Requirements, Security, Third parties, To report, Value

The Day that Information Governance Died, the Sequel

Last July, after the July 5 new conference, I wrote about the consequences of James Comey’s decision not to prosecute,  I view that as The Day Information Governance Died.

This week, we had the sequel.

If you create a document in the normal course of your duties for your employer, about a conversation held in the course of your employer’s business, using the employer’s computer, then that document is the property of your employer.  It’s “proprietary.”  You can’t take that document with you when you’re fired and then give it to others.  Even if it doesn’t contain privileged information.  Or your purported recollections of a conversation in your official capacity with the President, subject to executive privilege.

But Mr. Comey seems to be above (or maybe beside) the Law, generally.  And he is (until the ethics people get a hold of this) a lawyer.

“The ‘Close Friend’ Behind Memo Leak,” The Wall Street Journal, June 9, 2017 A4.   Comey leaks a memo he wrote while a government employee to a friend, in order to leak it to the press.

And we wonder why we have a hard time getting traction on information governance.

Leave a comment

Filed under Controls, Duty, Employees, Information, Internal controls, Lawyers, Ownership, Privilege, Third parties

Digging out

I was otherwise engaged last week and missed posting.  Here are some catch-ups.

Leave a comment

Filed under Accuracy, Board, Communications, Compliance, Compliance, Content, Controls, Corporation, Directors, Discovery, Duty, Employees, Governance, Government, Inform market, Inform shareholders, Internal controls, Investor relations, Oversight, Privacy, Protect assets, Protect information assets