Would the agency in charge of gathering data on the budget deficit “massage” the numbers to make the deficit look worse?
“Greeks Investigate Statistics Chief Over Deficit Figure,” Wall Street Journal, March 23, 2015 A8. A prosecutor filed criminal charges alleging falsification of data (they don’t have 18 USC §1519 in Greece) against the head of the statistics agency. Was the deficit 4% of GDP in 2009 or 15%? More than a rounding error.
What happens if government numbers are a political football? Who’s watching this?
Who owns information that’s freely available, but time-consuming to collect again?
That’s the problem as Google and Bing and others try to map the next frontier: the uncharted depths of the favelas in Rio.
Does the State own the data, even though they don’t have it charted yet? What about other explorers who have charted it already and who gave the map to the State? What about the criminal gangs that exercise dominion over the area, and who may want to be harder to find? What about the residents, or the shopkeepers?
“Google, Microsoft Expose Brazil’s Slums,” Wall Street Journal, September 26, 2014 B1. The rising availability of smartphones and internet access supports a need for being able to navigate even the slums. How do entrepreneurs monetize the data collected? Is the information worth more to Google than they are willing to pay?
Do Lewis & Clark still get royalties on their maps?
What information do you have? Does making money require you to hide that information, or can you just rent it to others? Is it your information? Can you just use it?
“SEC Is Examining Pricing at Pimco,” Wall Street Journal, September 24, 2014 C1. Allegations: Pimco bought at one price and then reported value at a higher number, pumping up the fund’s performance. So they knew what they paid but didn’t report that to the market; instead, they reported “value,” which is different. Were investors misled?
“Apple’s Latest Marketing Pitch: More Privacy,” Wall Street Journal, September 24, 2014 B1. Fresh off the celebrity nude video breach of iCloud, Apple says one thing but appears to do another. “‘We don’t ‘monetize’ [your] information….’” But then iAd sells the ability to reach target demographics based on user data. Where’s the SEC when you need them? What information do you have, how do you use it, and how do you tell the market about it? And whose data is it?
“Websites Wary of Facebook Tracking,” Wall Street Journal, September 24, 2014 B1. Does Facebook really monetize your browsing information by allowing advertisers to target you? Whose information is it, anyway? [Read the user license] Online retailers are nervous about Facebook’s practices too, but for a different reason. They view information about your visits to their sites as their information. So, what information do you have and how do you use it to make money?
“Data Breach Triggers Fraud,” Wall Street Journal, September 24, 2014 C2. Story follows fraudulent uses of credit cards following Home Depot breach. Is this news, or res ipsa loquitur (a legal term for “the thing speaks for itself,” used to establish negligence)? Dog bites man? Or just a bad headline? From an information governance perspective, what happens if your controls fail? People using your information that you used with a retailer. To make money.
First, “Phone Protections Alarm Law Enforcement,” Wall Street Journal, September 23, 2014 A4. New Apple (and soon to be Google) technology places photos, videos, and contacts of a locked iPhone outside the easy reach of law enforcement, even with warrants. Just don’t back up on iCloud. Take that, NSA. And others. Law enforcement will need to get the passwords from the users.
Second, and for me foremost, “Use of Voice Is Key To Managing Teams,” Wall Street Journal, September 23, 2014 B1. For those who recognize the value of the brand of voice for internal corporate communications, three newish technologies: Talko, Slack, and Tango. If Ray Ozzie supports it, I’m interested. Talko bridges the gap from groupchat to voice + video. These have promise and are technologies to watch.
How will information governance policies and practices have to change to adapt? How will ediscovery handle the unavailability of information on an iPhone, other than by forcing the disclosure of passwords and the like?
This isn’t so much about information as it is about governance.
“Regulators, Accounting Firms Spar Over Rule,” Wall Street Journal, September 22, 2014 C1. At issue is having the engagement partner of a company’s accounting firm sign off on each public company audit, with the partner’s name disclosed to investors. The fight is over whether the disclosure is in a 10-K, and thus reasonably accessible to investors, or on a Form 2, which is harder to get.
A major failing of many information governance initiatives is the failure to designate one C-suite resident as the owner of the information governance program, with responsibility for what gets done and what doesn’t. See also the Federal Sentencing Guidelines Manual. A contributing cause to the failure of many information governance programs is the absence of a procedure by which the managers of each group of employees sign off at least annually on the compliance by those who report to the managers.
If your boss has to sign off that you’re in compliance, will he or she do more to find out how you’re doing? Will you? What will happen to the culture, both in your group and in your company?
Sports is a target-rich environment for information-related pieces. Here’s one on information-in-use.
“Baseball Experiments With Brain Science,” Wall Street Journal, September 20-21, 2014 A16. Use of neurologic training systems designed to improve a batter’s ability to hit the ball. Interesting graphic on what’s going through a batter’s mind in the 400 milliseconds between the pitch and the ball arriving at home plate.
Information governance has three main areas: compliance, protection, and use. This is “use.”
“Home Depot Breach Tops Target’s,” Wall Street Journal, September 19, 2014 B1. A custom-made virus allowed hackers to steal data from 56 million credit cards over 5 months before it was detected and, hopefully, removed. Cost for investigation, credit monitoring, call center, and the like: $62 million, or a bit more than $1.10 per breached card. Cost of lawsuits: priceless.
Insurance covered $27 million of initial costs.
How good are your protections against hackers? How good is your cyberrisk insurance? How much information do you have that belongs to others? How well do you protect it?
Students of the Target credit card breach may remember that access to Target’s POS system started with a security breach/hole at a small refrigeration contractor saving money on its antivirus software.
“Hackers Find a Way In,” Wall Street Journal, September 18, 2014 A3. Transportation companies working with the US military were breached at least 20 times last year, and the US military was advised of 2 of the breaches. The hackers were linked to the Chinese government.
Do your contracts with vendors require them to notify you if they are attacked or breached? The government now does. Wouldn’t that be a good control for you to have? Would you enforce it?
What about US attempts to spy on Chinese government activities? Is that different?
“‘[E]ntities must not be multiplied beyond necessity.’” Per Wikipedia, September 17, 2014. A principle variously stated, generally along the lines that the simplest explanation is preferred over the more complex one.
“Insurance Site’s Frailties Detailed,” Wall Street Journal, September 17, 2014 A4. Report on a study by the GAO on security weaknesses of HealthCare.gov.
HealthCare.gov is an amalgamation of a bunch of other sites, with multiple connections and numerous contractors, rather than a single site, built from scratch. “Many of the problems stemmed from … disagreements about security roles and responsibilities with the various contractors, states and federal agencies that exchange information ….”
Are your information systems unnecessarily complex? Are they too complex to secure against attack? Is there a simpler solution?
The page 1 story is how Home Depot reacted to the Target credit card breach, but perhaps too late. “Home Depot Upped Defense But Hacker Moved Faster,” Wall Street Journal, September 13-14, 2014, A1. But that’s not the subject of today’s post, as interesting as the story may be.
Instead, I turned to page 4, for “Gun Law Gone, Debate Over Files Persists,” Wall Street Journal, September 13-14, 2014 A4. Unusual information governance issues, in a different context. Apparently, since 1935 Durham County in North Carolina required gun owners to register their weapons with the county clerk. The law was recently repealed. But what to do with all those paper records?
Leaving aside the politics, what happens to information that was illegally collected (assuming a constitutional violation)? Even if it has historic value? What if this were the registry of people of a particular religious faith?
Does the legality of the collection of the data influence the decision to destroy it? Maybe not a problem for corporations, but the government keeps a lot of information. That information was collected for one purpose or another and is now a subject for retention for yet another purpose. Who owns it? Do different rules apply to the government?
I guess this raises the right to be forgotten. But that doesn’t apply here. Should it?