Category Archives: Requirements

Kidnapping v. stealing information

One unique aspect of information is that it can be stolen, yet remain in the owner’s possession.  Apparently, medical facilities are required to report if your medical information is stolen, but not if it is merely kidnapped and held for ransom.

“Some Cyberattacks Go Unreported,” The Wall Street Journal, June 19, 20127 B3.  Whether hospitals need to report a ransomware attack of their files as a data breach is a “gray area,” and the federal government doesn’t require such reports, even if the government knows about them.  Some hospitals don’t report ransomware attacks, so these attacks are not in the HHS statistics.

So, patients don’t know when hospitals have weak security protection.  What value, then, are the government statistics?  Do they need a big asterisk?



Leave a comment

Filed under Controls, Corporation, Data quality, Duty, Government, Information, Internal controls, IT, Legal, Requirements, Security, Third parties, To report, Value

How important is keeping records?

In September 2010, a pipeline exploded in San Bruno, California, killing eight.  PG&E, the pipeline’s owner, couldn’t find records of pipeline inspections required by regulation.  Lots of fines and civil damages.

As part of the resolution, or as part of their post-crisis communications plan, PG&E placed a full-page ad in The Wall Street Journal on March 21.

Here’s a pdf of the ad.  TheWallStreetJournal_20170321_B005

Doubt if the corporation has that ad in Lucite paperweights.

Does your corporation adhere to regulatory record-keeping requirements?



Leave a comment

Filed under Board, Compliance, Compliance, Corporation, Directors, Duty, Employees, Governance, Legal, Oversight, Records Management, Requirements

Sellers’ Agreement on Production Limits

Today’s focus is on the exchange of price/sales/production information.

“OPEC Deal’s Challenge: Member Cheating,” The Wall Street Journal, December 12, 2016 B9. OPEC members agree on production cuts, but then cheat to meet their internal issues. The enforcement mechanisms at the cartel aren’t 100% effective.

So, in addition to complying with law, people shouldn’t agree with competitors about price, sales, or production because the other competitors will cheat.  Don’t expect cheaters to live up to their promises.


Leave a comment

Filed under Board, Communications, Compliance, Compliance, Controls, Corporation, Culture, Culture, Duty, Employees, Governance, Internal controls, Legal, Oversight, Requirements, Third parties

The reason for policies

What happens when company employees don’t follow company policies?

“J.P. Morgan Settles Asia Jobs Probe,” The Wall Street Journal, November 18, 2016 B1.  The company apparently had a policy prohibiting the hiring the sons and daughters of clients and potential clients.  Then it created a program to do exactly that in Asia, resulting in a lot of red faces and $264 million in fines for FCPA violations.

Why do you have the policies you have?  Some are to assist compliance with law, while others just make good business sense.  Why, exactly, would you fast-track the hiring of  the offspring of clients and potential clients?  Because they were the best and the brightest, or because doing so “facilitated” relationships?  To obtain or retain business?

Who’s going to get fired?  Who, ultimately, is going to pay the fine?

Leave a comment

Filed under Board, Compliance, Compliance, Compliance, Controls, Corporation, Directors, Duty, Employees, Governance, Legal, Management, Oversight, Policy, Requirements, Risk

Failure to report up

Some laws require you to tell the government stuff.

“Penn State Fined for Crime Reporting Lapses,” The Wall Street Journal, November 4, 2016 A2.  Federal law requires schools to report crimes correctly, and Penn State didn’t report various items about football coach Jerry Sandusky.

At common law, employees have a duty to their employer to report violations of company policy.  Most companies have a policy against violating law.  Do employees routinely do this?  Is this a major compliance gap?

Leave a comment

Filed under Business Case, Compliance, Corporation, Data quality, Definition, Duty, Employees, Governance, Information, Legal, Oversight, Policy, Requirements, Risk, To report

Information delayed is information denied

What do you do when the governor doesn’t follow the rules?

“NIH Unit Delayed Report Of 2 Deaths From Study,” The Wall Street Journal, October 22, 2016 A3.  National Institutes of Health is a year late in  reporting the two deaths (aka “severe adverse events”) to the FDA, as required by law.

What do you do when employees fail to follow federal reporting requirements?  Do you fire the employees?  Penalize their bosses?  Convene a committee to study?

Leave a comment

Filed under Compliance, Compliance, Controls, Duty, Employees, Governance, Government, Internal controls, Legal, Management, Oversight, Protect assets, Requirements, To report

Foxes and hen houses

Dodd-Frank says only independent directors can set executive compensation at some companies.  Does the fact that those directors also get paid to lobby for the company mean they are not independent?  Apparently, it is the Board that determines whether it’s directors are sufficiently independent.  And the Board knows that these folks do lobbying for the company, and aren’t concerned that the directors might tend to be more generous to the CEO who effectively pays both their salary and their consultants’ fees.

“Lobbyists Test Post-Crisis Rules For Boards,” The Wall Street Journal, October 5, 2016 A1.

What does it say about a company’s culture that the Board is a bit flexible on the whole “independent” thing?  Having lobbyists is fine, but do the same people really have the proper creds (both credentials and credibility) to be an independent check on CEO pay?



Leave a comment

Filed under Board, Compliance, Controls, Culture, Culture, Directors, Duty, Governance, Internal controls, Legal, Oversight, Oversight, Requirements