Category Archives: Uncategorized


What you do when an important executive is alleged to have violated company policy says a lot about your compliance program.

“Claims About Executive Tested Uber Overhaul,” The Wall Street Journal, September 27, 2018 B3.  Senior executive investigated; rather than being terminated, he received a formal warning (apparently, informal was not sufficient), his bonus was reduced (Why do you give bonuses to people who violate company policy?), and he was required to take sensitivity training.

This at a company that had a rather sordid history of sexual harassment.

How will Uber convince its remaining employees that this time it is serious?  Do you believe them?  Is this an effective compliance program under the Federal Sentencing Guidelines, assuming that’s the appropriate measure?

Where’s the Board?  Do they care?


Filed under Board, Compliance, Compliance (General), Controls, Corporation, Culture, Directors, Duty, Employees, Governance, Oversight, Uncategorized

Catching up (part 2)

More catching up, after a mid-summer’s nap.  Catching up (part 1) is here.

  1. The mysterious case of the non-missing purse.

    “Naomi Osaka Gets the Last Word,” The Wall Street Journal, September 9, 2018 (online).  Serena Williams complained mightily after she was warned, penalized a point, and then penalized a game in her dispute with the umpire.  She was also fined $17,000, although she still received more than $1 million for second place.  Ms. Williams alleged sexism.

    What does it say when a high-profile player gets penalized for several infractions, including calling the umpire a thief?  What does it say, to her and to others, when she doesn’t?  And from a Governance standpoint, why don’t the rules allow for the disqualification of a player for gross disrespect to the game?  Losing the $1 million+ purse would have been a more appropriate penalty.

  2. Whose information/computer is it?
    “Lawsuit Tests Limits Of Bosses’ Snooping,” The Wall Street Journal, September 10, 2018 A3.  Company buys an employee a computer to work from home.  Employee buys software to allow him to access his work account from his new computer at home.  Dispute arises, employee fired.  Three days later, company accesses not only computer at employee’s home, but also information contained on 2 attached hard drives.  Former employee sues.

    Would it matter if the employee had retained his former employer’s confidential information on (a) the computer or (b) the hard drives?  Who owns what?  Reminds me of my law school exams.

  3. Did I resign or was I fired?
    “D.E. Shaw Faces a Fight Over Statement on Firing,” The Wall Street Journal, September 10, 2018 B1.  Partner of a large hedge fund, when given the option to retire at age 36, does so.  Fund later says partner was fired after an internal investigation.  Former partner files a complaint.

    What can you say publicly about firing someone?  Would it matter if the person was accused of sexual harassment, in violation of company policy?

  4. When did the Board know?
    “CBS Board Was Warned Of Moonves Allegations,” The Wall Street Journal, September 11, 2018 A1.  Directors were told about a recent lawsuit alleging sexual harassment by the now-former CEO several decades ago, 6 months before the story broke.

    What did they know and when did they know it, and what, if anything, did they do about it?  Investigation didn’t start for several months, after a NYT article.  Is that enough?

    In a similar vein, “Vatican to Address Allegations Of Abuses,” The Wall Street Journal, September 11, 2018 A7.  Despite knowledge of past sexual misconduct with seminarians, retired cardinal still made an adviser to the Pope.  (The retired cardinal has since resigned after allegations he had sexually abused a teenager years before.)  What does that say about how that institution is governed?  Can you hide this type of information?

  5. Text message.
    “Top ’60 Minutes’ Producer Departs,” The Wall Street Journal, September 13, 2018 B1.  Producer who had been with CBS for 36 years, alleged to have sexually harassed at least one employee, was fired over a text message that may have been viewed as threatening a reporter who was reporting on various harassment scandals.

    What was he fired for, the text or the sexual harassment?  To whom does it matter?  What was the culture at the top of CBS?  This guy was a direct report to the CEO, Mr. Moonves.

  6. Is it live, or is it Memorex?
    “Facebook to Check Validity of Photos, Videos,” The Wall Street Journal, September 14, 2018 B5. This is part of an effort to limit Russian interference in US elections.

    It’s good to have some check on the accuracy of information.  Why isn’t Facebook’s effort more wide-spread?

  7.  Bribes.
    “Amazon Investigates Suspected Staff Bribes,” The Wall Street Journal, September 17, 2018 A1.  Did Amazon employees offer to sell confidential data to independent merchants?

    Are these people accused of selling Amazon’s data or your data?  Don’t employees have a duty not to do things like that?  There must be a company policy.  Not sure that Amazon appreciated its employees “borrowing” its business model.

  8. Loose lips.
    “Tesla Is Subject Of DOJ Probe,” The Wall Street Journal, September 19, 2018 B1.  Did CEO’s tweet break the law?

    It has been suggested as much, at the time of the tweet (August 7, 2018).  See Loose Lips, revisited.

  9. Messenger.
    “Facebook Sought Users’ Financial Data for Years,” The Wall Street Journal, September 19, 2018 B1.  Facebook has been trying to get your financial information from your financial firm.  Some firms severely limited what Facebook could do with information transiting the Facebook Messenger servers.

    Whose information is that, anyway?  If your financial firm uses Messenger, the answer may surprise you.  If you use Facebook to communicate with your broker, shame on you both.  See also Gee, what could go wrong?

  10. Whitewash.
    “Unrecovered Texts Muddy Probe,” The Wall Street Journal, September 20, 2018 A3. Investigators from a major law firm in Coach Meyer probe failed to look for deleted texts.  See also Caesar’s wife.

    What does it say about both your Governance and your Compliance when your investigators don’t collect basic forensic data?  And that the day after the probe was begun, a principal discussed how to delete old text messages?  Isn’t this a basic competence question?

  11. Don’t be evil.
    “Apps Can Scan, Share Data From Gmail Accounts,” The Wall Street Journal, September 21, 2018 A4.  Google (one of whose tenets is “Don’t be evil”) lets other companies scan your Gmail account.

    There is no privacy.  You use their service for free and they get your information, to do with what they want.


Filed under Uncategorized

Catching up (part one)

I’ve been otherwise occupied, and have fallen behind.  Forgive me, Faithful Reader(s).

  1. Breaking the company’s word
    “UBS Disclosure Breached Confidentiality,” The Wall Street Journal, August 29, 2018 B12.  A senior employee got suspended after a banker at UBS revealed the name of an investor who sold shares shortly after a public offering.  Breached the standard confidentiality promises to clients.

    Two main points: compliance extends beyond just the law and your company policies and procedures, to reach your breach of the company’s quasi-contractual undertakings (i.e., its word); and senior employees get punished, too (which is highly visible to other employees when the punishment gets made public).

  2. Cheating on expense account is still cheating
    “Wells Fargo Probes Staff Expenses,” The Wall Street Journal, August 231, 2018 B1. Employees, including at least one managing director, suspended for falsifying receipts for after-hours meals.

    Three points: Wells Fargo has a serious integrity problem; cheating on an expense report is still cheating (not a Records Management issue, but a Compliance with policy issue); and publicizing the suspension of managing directors has an impact on the muggles. (Note: it appears the managing director(s) only got suspended; lower-level staff got fired. RDHIP (“Rank Does Have Its Privileges”).)

  3. Cutting out the middleman

    “Truckers Take On Digital Traffic,” The Wall Street Journal, September 6, 2018 B4.  Trucking companies invest big time in technology to build brokerage operations to compete with third-party brokers.

    Information has value to someone.

  4. Wells Fargo, yet again
    Perennial Information, Governance, and Compliance poster child, Wells Fargo is back in the news again, this time following allegations that employees fraudulently added information on some customers’ statements.  “U.S. Probes Wells Bankers,” The Wall Street Journal, September 7, 2018 B1.

    Where to file this one, under “Dog Bites Man,” or something else?

  5. Governance or Compliance?

    “Moonves Negotiates Exit at CBS,” The Wall Street Journal, September 7, 2018 A1.  Departure of CEO accused of sexual harassment comes during contentious battle for corporate control.

    You know it’s bad when this is the lead headline, above the fold, on page one.  But is this enforcing policy for policy’s sake, or for some other purpose?  Does it matter?  Or does that depend on whether you’re the departing CEO or a shareholder?

  6. Using Information to intimidate

    “Weinstein Is Investigated for Possible Fraud,” The Wall Street Journal, September 7, 2018 A2.  Did Harvey use a secretive Israeli investigator and a white-shoe Wall Street law firm to dig up dirt on people accusing Harvey of bad deeds?  Is this wire fraud, or piling on?

    If the information is truthful, what’s the harm in getting and using it?  Doesn’t there have to be “something else” to be a crime?  Is using it to “encourage” a witness not to testify an evil motive?

  7. Spartacus?

    “Booker’s ‘Spartacus’ Moment Thwarted,” The Wall Street Journal, September 8, 2018 A4.  Senator says he will risk his Senate seat to publish confidential documents.  Turns out the documents weren’t confidential.

    A crime requires both a mens rea (evil intent) and a bad act.  But what does it say about one’s ethics when one thinks he is violating the applicable rules?  Or is lying?  Is it one or the other?  Is this Governance, or Compliance, or Information?  Or some combination?

  8. What do you do with a drunken sailor?

    “Exits, Musk Interview Sting Tesla,” The Wall Street Journal, September 8, 2018 A1.  CEO apparently smokes marijuana during live interview.

    What impact does your CEO’s commission of a crime on live TV have on the share price?  What impact on the rank and file employees?  What is the culture on Compliance at Tesla?  What does it say about the executives who left?

  9. Astroturf

    “Another NFL Problem: Fake Fans Lobbying the FCC,” The Wall Street Journal, September 8, 2018 A1.  People use fake names to lobby a federal agency.

    Is this against the law?  You have the absolute right to petition your government.  Do you have to use your name to do it?  The Journal says, however, “Submitting fraudulent statements or representations to the federal government is a felony.”  If it is obviously not your name, is it still a felony, since no one was confused?

    Interesting, as the information isn’t information, in the sense of being accurate; but it still is the opinion of an entity.  What are the Compliance ramifications?  How do you govern against this?  Pass another law?

  10. Suppression

    “States Ramp Up Legal Scrutiny of Tech,” The Wall Street Journal, September 10, 2018 A3.  Are major tech companies banding together to suppress conservative viewpoints?

    Assuming for purposes of discussion that this is true, is it wrong?  What if it were the suppression of the speech from some other category, such as blacks, or Catholics, or students?  Why isn’t the Federal Government asking these questions?  Is this a states’ rights issue?  Some Governance, some Compliance, and some Information.

More later.


Filed under Uncategorized

Gee, what could go wrong?

“Facebook Asks Banks for Customer Data,” The Wall Street Journal, August 7, 2018 A1. “[T]o offer new services to users,” Facebook asks banks for “detailed financial information about their customers.”

I can see what’s in it for Facebook, and maybe for the banks.  But isn’t this your information?  Shouldn’t you have some control over what the banks do with it?  Are you comfortable with the controls the banks and Facebook will place on this information?  It might be convenient for you, but at what risk?

Do we remember Cambridge Analytica?  Will Facebook try to do this in Europe?

To whom do you complain?  Your elected representative?  Your bank?  The state or federal regulators?


Filed under Access, Controls, Corporation, Duty, Duty of Care, Governance, Information, Internal controls, Investor relations, IT, Oversight, Ownership, Privacy, Protect assets, Security, Third parties, Uncategorized, Who is in charge?

We didn’t know

Knowledge, or lack thereof, is often a good defense.

“Fiat Says It Didn’t Know CEO was Ill,” The Wall Street Journal, July 27, 2018 B1.  Company says privacy of health care information meant they didn’t know that their CEO had been sick for a year.

Who knew or should have known?  Was this insider information that would affect the value of investments?

Should the Board have known?  Did the CEO have a duty to disclose?  For more than a year!

Governance, Compliance, and Information.  All in one.  Add a dash of privacy.


Filed under Access, Accuracy, Board, Communications, Compliance, Compliance (General), Compliance Verification, Controls, Corporation, Directors, Duty, Employees, Governance, Inform market, Inform shareholders, Internal controls, Investor relations, Oversight, Privacy, To report, Uncategorized


Interesting piece in the Journal Report on Cybersecurity on May 30, 2018.  Even a quick read provides some helpful context.

Some of the headlines:


Filed under Protect assets, Security, Uncategorized

Departure – Wells Fargo

For those of you who want a fuller history of the Wells Fargo case(s), here’s a link to a solid piece from the D&O Diary.



Filed under Uncategorized


A small promotional message.  I was honored to provide a presentation at the ARMA Spring Conference in Houston yesterday.  The title of the presentation was “Headlines: A Year’s Worth of Information Governance Failures.”

The presentation described the top seven IG failures since April 25, 2017, and then discussed other headlines that fell into a number of buckets.  The source materials were the headlines from this blog in the last year, pulled from the Archives.

If you want to see and hear a rough draft of the presentation, or to just see the slides, go to



Filed under Uncategorized

Google this

“Google’s Practices Threaten Privacy, Too,” The Wall Street Journal, April 23, 2018 B1. Google’s practices may expose more information related to you.

What is your information worth to you?  What is it worth to someone else?  Who profits?  What controls are in place and how effective are they?

Do you read their policies?  Do you care?


Filed under Access, Analytics, Controls, Information, Ownership, Privacy, Third parties, Uncategorized, Value

Routine teaching case

“Insider Trade Alleged After Equifax Breach,” The Wall Street Journal, March 15, 2018 B1.  The CIO of an Equifax unit indicted for insider trading after learning of the Equifax hack, but before that information was disclosed.  Sold nearly $1 million in stock 10 days before the disclosure.

This reminds me of the lawyer who approved the sale by some Equifax execs of some stock after the breach but before disclosure.  See post here.  Those executives have since been cleared, as they didn’t know of the breach at the time of the sale.

The company said it had cooperated in the investigation (no doubt having re-read a copy of the Yates memo).  The defendant had been promoted to be Equifax’s CIO before the trading was discovered, at which time the offer was “rescinded.”  He hadn’t been told about the breach, but figured it out.  Avoided $117,000 in losses.  But not getting fired and indicted.



Filed under Access, Compliance, Controls, Duty, Employees, Governance, Internal controls, IT, Oversight, Security, Uncategorized