“Marriott Says Starwood Data Breach Affects Up to 500 Million People,” The Wall Street Journal, November 30, 2018 (online). Data breach potentially affecting passports and credit cards of as many as 500 million guests at Marriott’s Starwood properties, which were acquired in 2016. They knew about this in September, but it reflects a breach that may go back to 2014.
So, two years after an acquisition, the target’s information security practices blow up in the acquiror’s face. What does that say about the acquiror’s duty to integrate the data practices and controls around information protection?
Does your M&A team think about information governance issues? Is that an identified risk, with an identified (and owned) action plan? Did the Board identify this as a risk? Was the value of this information considered part of the transaction value? How was that reflected?
“UC System is Sued for Data On Admissions,” The Wall Street Journal, November 16, 2018 A2. Is the state university using race inappropriately in making admissions decisions?
The government has different obligations with respect to information than a private company. Government also collects a lot of information. What controls are in place to allow and to prevent the disclosure of this information? What about for non-core activities, like running the state’s university system?
“Rebuke at Wells Shows Clash,” The Wall Street Journal, November 15, 2018 B1. Chief administrative officer (and former head of HR) at Wells placed on leave after the Office of the Comptroller of the Currency criticizes the oversight that she and the bank’s chief auditor provided.
If your company interacts with government regulators (and whose doesn’t?), is the government effectively a part of your governance structure? Or is government a separate component of Governance, whether that is Compliance Governance or Information Governance? Or just “Governance”?
And what does it say about communications when the government holds up a senior official for poor oversight? What about the board? Highly visible to the worker bees.
“Beware the ‘Free’ Internet,” The Wall Street Journal, November 15, 2018 A2. How much money do Facebook, Twitter, and Google get from allowing others to access you based on your data?
The article makes an interesting comparison to Wikipedia, where a large amount of information is made available for free, without advertising. That’s truly free. As opposed to social media.
How much is your data worth? To you? To Google? Do you agree with the implicit bargain, whereby you give use of your information in return for cat videos and an endless stream of ads?
“Boeing Withheld Data On Potential Hazards,” The Wall Street Journal, November 13, 2018 A1. Did Boeing fail to disclose potential problems with its new flight-control feature? Was that a factor in the Lion Air crash in Indonesia, killing 189 people?
Maybe this feature didn’t factor into the crash; we’ll have to wait for the cockpit voice recorder and the flight data recorder. But if you know something and don’t tell other people who would like to know — well, that’s bad. Even if you didn’t want to confuse them by providing them too much information. Was it better “marketing” to tell their customers that they wouldn’t need as much training?
How do you decide how much information to provide your customers? Are there problems you don’t mention? Why?
“When ‘Free Trading’ Isn’t Really Free,” The Wall Street Journal, November 10, 2018 B5. You can avoid commissions when trading stock by using an app. But if the price you pay or get paid for the stock is more or less, is the trade really free? It depends on how much price improvement is involved.
Interesting study of how the benefits and cost savings on high frequency trading are divided among the various parties. And who knows what.
Isn’t this type of “information imbalance” inherent in every transaction? Do we know how much a tomato or an iPad costs the store that sells it? Or whether the salesperson gets a commission? How do we manage that imbalance? Or do we just accept it, whatever it means?
“Wall Street Analysts Are Selling More Data,” The Wall Street Journal, November 8, 2018 B11. Analysts are searching and making available a bunch of information on your information, including “social media sentiment … and geospatial mapping.” Think of it as expanded research reports.
Well, they are in the business of reviewing data and offering opinions (for a price). Is it much of a disintermediation for them to start selling the information directly? I guess there’s money in it. Or service.