Keeping a hack of your enterprise should be difficult. Some find it easy.
“Uber CEO Knew of Hack for Months,” The Wall Street Journal, November 24, 2017 A1. Uber was hacked in October 2016 (they say), affecting 57 million accounts. Less than Yahoo’s 3 billion, and Equifax’s 145 million. The CEO learned of the breach in September 2017, shortly before taking the top job. Uber also paid the hackers $100,000 to destroy some of the stolen data.
Would they have disclosed it at all if they weren’t seeking outside financing?
What’s your obligation to disclose to your customers that their information may have been stolen from you?
Filed under Communications, Compliance, Controls, Corporation, Directors, Duty, Employees, Governance, Information, Internal controls, Investor relations, IT, Legal, Oversight, Ownership, Requirements, Security, To report
When someone touts numbers, what do they really mean?
“Your Lost Luggage May Not Count as Lost,” The Wall Street Journal, November 16, 2017 A12. The “official” figures on how many pieces of luggage each airline misplaces are different than how many bags get lost. The government defines the operating statistics that must be reported.
Are your sufficiently critical when someone gives you numbers? Especially when it affects their compensation?
How do you enforce the rules in the future if you haven’t enforced them in the past?
“Bergdahl Avoids Jail Time,” The Wall Street Journal, November 4, 2017 A3. A convicted deserter loses some benefits but doesn’t go to jail or get executed.
If you’re the Army, what steps can you take to prevent desertion in the future? For those in the private sector, has your employer failed to enforce the rules? What does that do to the culture? If he had been convicted of sexual harassment, would the sentence have been different?
Violating the patents of others can be expensive.
“Qualcomm Feels Sting of Fine and War with Apple,” The Wall Street Journal, November 2, 2017 B4. Between a fine of almost $800 million and a major customer (Apple) withholding royalty payments for patent licenses, profit drops $1.4 billion for the fourth quarter.
As you attempt to quantify the risk of violating the intellectual property rights of others, this provides some data points. Were the directors aware of this risk? If not, why not? If they were, what does that say about them?
How do you protect against intrusions (including hacking and viruses and ransomware)? Policies and technology, mainly. How do you protect against internal breaches (phishing, etc.)? Policies, training, and a bit of technology. How do you respond to an actual breach? Policies and procedures, training, and technology.
In the response, keep the notice requirements in mind. The rules vary from state to state.
“States Quiz Equifax on Disclosure,” The Wall Street Journal, October 30, 2017 B1. Several states initiate investigations into by Equifax’s delay in reporting after the hack that may have compromised the records of 145.5 million credit accounts. What did they know, when did they know it, and when did they report it, and to whom? Notice to the state, to the fed, to the consumers, and to investors? What’s reasonable, or what’s required by statute?
It’s all about notice. Given the business, should the directors have been on top of this?
Filed under Communications, Compliance, Controls, Corporation, Directors, Duty, Governance, Information, Interconnections, Internal controls, IT, Legal, Oversight, Requirements, Security, To report, Value
This is a straight compliance piece, where a corporation is held liable for the misdeeds of its employees (agents).
“Wells Fargo to Pay $3.4 Million Over Advisers’ Flub,” The Wall Street Journal, October 17, 2017 B10. Apparently, some of the bank’s financial advisers recommended volatility ETFs when they shouldn’t have. The advisers also didn’t have adequate training.
This is straightforward. Should some manager be fired or disciplined? Maybe. This would not seem the type of event that calls into question the Board’s duty to supervise, unless this is the third time this same compliance issue has arisen. This is only the second time. The bank paid nearly $3 million in fines and restitution in 2012 for a similar violation.
Filed under Board, Compliance, Compliance, Compliance Verification, Controls, Corporation, Directors, Duty, Duty of Care, Employees, Governance, Internal controls, Oversight, Oversight, Requirements
One unique aspect of information is that it can be stolen, yet remain in the owner’s possession. Apparently, medical facilities are required to report if your medical information is stolen, but not if it is merely kidnapped and held for ransom.
“Some Cyberattacks Go Unreported,” The Wall Street Journal, June 19, 20127 B3. Whether hospitals need to report a ransomware attack of their files as a data breach is a “gray area,” and the federal government doesn’t require such reports, even if the government knows about them. Some hospitals don’t report ransomware attacks, so these attacks are not in the HHS statistics.
So, patients don’t know when hospitals have weak security protection. What value, then, are the government statistics? Do they need a big asterisk?
Filed under Controls, Corporation, Data quality, Duty, Government, Information, Internal controls, IT, Legal, Requirements, Security, Third parties, To report, Value