So by now most of you know that a few weeks ago someone stole my
backpack, which was holding my laptop, my PDA, my pager and my wallet.
You can imagine, in the little closet of your most secret fears, what
would happen if you lost all of your electronic gizmos that help
your brain return the correct answer for just about every function call
in life. All at the same time.
So here I sit, with my brand-new, pristine laptop. (I’ll only say I don’t
run the House of Gates, and it’s 10 times more likely to make me smile.)
I love a new laptop. You get to put everything where it belongs this
time, and not where it’s expedient to put it. You get to set up your
document folders in some sort of logical fashion instead of a folder for
today, a folder for Oh yah I forgot (you can do that in
Unix), and another folder for the past.
But dammit there’s actually nothing on it.
I’ve got no appointments. I’ve got no notes, no contact lists… Oh,
wait. I do have 1,700 pieces of mail I’m still sorting through two weeks
later, and more coming in because I have no mail filters! You can
only set this stuff up so fast.
But it makes me realize just exactly how much stuff I had on the laptop I
lost. Now, I can be relatively assured that no sensitive data was in my
possession because I don’t deal in SSNs, research results or other types
of data that might be considered confidential or sensitive by the
originator or custodian of that data. The worst that happens is someone
sends me their password in email. I call them up and make them change
their password on the phone, then I delete the email message, and wash my
eyes out with soap to burn the image from my mind. (Ok, I do everything
except for that last part.)
But here’s the question… What is the right thing to do?
If you were to lose it all, how would you recover? Do you have a
policy of notification in the event of what they politely call ‘a data
spill’? Are you allowed to say, “Oh, it’s OK. It was in binary and no
one will piece it back together”? Did you know that certain foreign
governments employ people to do nothing but put 1/16-inch shred back
together like a giant jigsaw puzzle? You need to be worried about your
zeros and ones to be sure.
So let’s talk about notification, because we all know you have good,
timely backups available for you to determine the extent of the damage.
Do you notify those involved or do you notify the entire organization,
telling them the affected individuals will be contacted accordingly?
Do you have to notify the vice president of HR in person that
you’ve lost her personally identifying data, or is your boss willing to
step up and notify his peers of an incident in his command? All of this
needs to be put in writing, so when the time comes, there’s no pointing
of fingers and attempts to avoid an unpleasant task.
If the policy is to notify the circle of influence, don’t be shy to cast
a broad net. These are people who need to respect and trust you to do
their jobs. And they are (apparently) trusting you with very important
and sensitive data. It may not seem so to you, but that set of research
figures you were carrying around might be the professor’s hopes for a
Nobel Prize. It could also be that an admin’s notes from a meeting will
provide the company a new revenue stream. You don’t know.
So if there’s a possibility the data you maintained was sensitive in
nature, notify.
You see, they may not be very understanding, but they will be a lot less
understanding if they find out about it from some third party, and you
have to admit to it later. Bad, bad idea.
So, protect yourself. Find out what your policy on notification is, or in
the absence of one, get one written and pushed through approvals. Data
spills are like motorcycle spills — you’ve either had one, or you will.