Category Archives: Legal

Hacking denial

Keeping a hack of your enterprise quiet should be difficult.  Some find it easy.

“Uber CEO Knew of Hack for Months,” The Wall Street Journal, November 24, 2017 A1.  Uber was hacked in October 2016 (they say), affecting 57 million accounts.  Less than Yahoo’s 3 billion, and Equifax’s 145 million.  The CEO learned of the breach in September 2017, shortly before taking the top job.  Uber also paid the hackers $100,000 to destroy some of the stolen data.

Would they have disclosed it at all if they weren’t seeking outside financing?

What’s your obligation to disclose to your customers that their information may have been stolen from you?



Filed under Communications, Compliance, Controls, Corporation, Directors, Duty, Employees, Governance, Information, Internal controls, Investor relations, IT, Legal, Oversight, Ownership, Requirements, Security, To report

It depends what you mean by “lost”

When someone touts numbers, what do they really mean?

“Your Lost Luggage May Not Count as Lost,” The Wall Street Journal, November 16, 2017 A12.  The “official” figures on how many pieces of luggage each airline misplaces are different than how many bags get lost.  The government defines the operating statistics that must be reported.

Are you sufficiently critical when someone gives you numbers?  Especially when it affects their compensation?


Filed under Accuracy, Controls, Data quality, Definition, Information, Requirements


A fascinating area for exploration is the drafts that led to the final version.  The dates, the wording, the recipients.  Why do people keep drafts?  Just because?

“Comey Originally Tougher On Clinton,” The Wall Street Journal, November 7, 2017 A5.  A Republican Senator discloses that Comey’s early draft of the exoneration document used the language “grossly negligent,” the statutory test.

I’ve referred to July 5, 2016 as the Day that Information Governance Died.  That’s when the Director of the FBI announced his decision not to prosecute someone who had routinely violated the rules on handling secret documents, because “no reasonable prosecutor would bring charges.”  Not to get into the politics of things, but how can you argue that following the rules is required when the Secretary of State isn’t held to the standards that apply to a Navy seaman?

That being said, why do people hold on to drafts?  Because it’s easy?  Or because it’s hard to get rid of them?  There is seldom a reason to retain them beyond when the document is final.  Maybe a phrase or a paragraph.  But the entire document?  How can we convince people not to keep drafts?




Filed under Legal, Discovery, Risk, Records Management, Governance, Controls, Internal controls, Compliance, Duty, Employees, Corporation

Crime without punishment

How do you enforce the rules in the future if you haven’t enforced them in the past?

“Bergdahl Avoids Jail Time,” The Wall Street Journal, November 4, 2017 A3.  A convicted deserter loses some benefits but doesn’t go to jail or get executed.

If you’re the Army, what steps can you take to prevent desertion in the future?  For those in the private sector, has your employer failed to enforce the rules?  What does that do to the culture?  If he had been convicted of sexual harassment, would the sentence have been different?



Filed under Compliance, Controls, Corporation, Duty, Governance, Government, Internal controls, Requirements, Third parties

Violating patents

Violating the patents of others can be expensive.

“Qualcomm Feels Sting of Fine and War with Apple,” The Wall Street Journal, November 2, 2017 B4.  Between a fine of almost $800 million and a major customer (Apple) withholding royalty payments for patent licenses, profit drops $1.4 billion for the fourth quarter.

As you attempt to quantify the risk of violating the intellectual property rights of others, this provides some data points.  Were the directors aware of this risk?  If not, why not?  If they were, what does that say about them?


Filed under Compliance, Corporation, Directors, Duty, Governance, Oversight, Requirements, Risk


How do you protect against intrusions (including hacking and viruses and ransomware)?  Policies and technology, mainly.  How do you protect against internal breaches (phishing, etc.)?  Policies, training, and a bit of technology.  How do you respond to an actual breach? Policies and procedures, training, and technology.

In the response, keep the notice requirements in mind.  The rules vary from state to state.

“States Quiz Equifax on Disclosure,” The Wall Street Journal, October 30, 2017 B1.  Several states initiate investigations into Equifax’s delay in reporting after the hack that may have compromised the records of 145.5 million credit accounts.  What did they know, when did they know it, and when did they report it, and to whom?  Notice to the state, to the federal government, to the consumers, and to investors?  What’s reasonable, or what’s required by statute?

It’s all about notice.  Given the business, should the directors have been on top of this?


Filed under Communications, Compliance, Controls, Corporation, Directors, Duty, Governance, Information, Interconnections, Internal controls, IT, Legal, Oversight, Requirements, Security, To report, Value

Problems in your industry

One of the early warning signs of most crises is a similar problem elsewhere in your industry.

“EU Officials Raid BMW’s Headquarters,” The Wall Street Journal, October 21, 2017 B2.  Raid was apparently looking for evidence of antitrust violations in the industry, perhaps including agreements on emissions technologies.

Is this related to the emissions scandal at VW and other car makers?

If you’re a European car manufacturer, does this raise the risks of what’s in your information systems and files today?  How can you address that?


Filed under Legal, Discovery, Information, Records Management, Definition