When Data Spills, Who do You Notify?
December 21, 2005
Columnist Linda LeBlanc had her laptop stolen a few weeks ago, and she's still digging out from the mess. But the theft left her with some questions. Who should be notified?
You can imagine, in the little closet of your most secret fears, what would happen if you lost all of your electronic gizmos that help your brain return the correct answer for just about every function call in life. All at the same time.
So here I sit, with my brandnew, pristine laptop. (I'll only say I don't run the House of Gates, and it's 10 times more likely to make me smile.) I love a new laptop. You get to put everything where it belongs this time, and not where it's expedient to put it. You get to set up your document folders in some sort of logical fashion instead of a folder for today, a folder for Oh yah I forgot (you can do that in Unix), and another folder for the past.
But dammit there's actually nothing on it.
But it makes me realize just exactly how much stuff I had on the laptop I lost. Now, I can be relatively assured that no sensitive data was in my posession because I don't deal in SSNs, research results or other types of data that might be considered confidential or sensitive by the originator or custodian of that data. The worst that happens is someone sends me their password in email. I call them up and make them change their password on the phone, then I delete the email message, and wash my eyes out with soap to burn the image from my mind. (Ok, I do everything except for that last part.)
But here's the question... What is the right thing to do?
If you were to lose it all, how would you recover? Do you have a policy of notification in the event of what they politely call 'a data spill'? Are you allowed to say, ''Oh, it's OK. It was in binary and no one will piece it back togother''? Did you know that certain foreign goverments employ people to do nothing but put 1/16-inch shred back together like a giant jigsaw puzzle? You need to be worried about your zeros and ones to be sure.
So let's talk about notification, because we all know you have good, timely backups available for you to determine the extent of the damage. Do you notify those involved or do you notify the entire organization, telling them the affected individuals will be contacted accordingly?
Do you have to notify the vice president of HR in person that you've lost her personally identifying data, or is your boss willing to step up and notify his peers of an incident in his command? All of this needs to be put in writing, so when the time comes, there's no pointing of fingers and attempts to avoid an unpleasant task.
If the policy is to notify the circle of influence, don't be shy to cast a broad net. These are people who need to respect and trust you to do their jobs. And they are (apparently) trusting you with very important and sensitve data. It may not seem so to you, but that set of research figures you were carrying around might be the professor's hopes for a Nobel Prize. It also could be that admin's notes from a meeting may provide the company a new revenue stream. You don't know.
So if there's a possibility the data you maintained was sensitive in nature, notify.
You see, they may not be very understanding, but they will be a lot less understanding if they find out about it from some third party, and you have to admit to it later. Bad, bad idea.
So, protect yourself. Find out what your policy on notification is, or in the absence of one, get one written and pushed through approvals. Data spills are like motorcycle spills -- you've either had one, or you will.