When Data Spills, Who do You Notify?

A few weeks ago, someone stole my backpack, which contained my laptop, my PDA, my pager and my wallet.

You can imagine, in the little closet of your most secret fears, what would happen if you lost all of your electronic gizmos that help your brain return the correct answer for just about every function call in life &#151 all at the same time.

So here I sit, with my brand new, pristine laptop. I love a new laptop. You get to put everything where it belongs this time, and not where it’s expedient to put it. You get to set up your document folders in some sort of logical fashion instead of a folder for today, a folder for Oh yeah I forgot (you can do that in Unix), and another folder for the past.

But damn it, there’s actually nothing on it.

I’ve got no appointments. I’ve got no notes, no contact lists… Oh, wait. I do have 1,700 pieces of mail I’m still sorting through two weeks later, and more coming in because I have no mail filters! You can only set this stuff up so fast.

But it makes me realize just exactly how much stuff I had on the laptop I lost. Now, I can be relatively assured that no sensitive data was in my possession because I don’t deal in SSNs, research results or other types of data that might be considered confidential or sensitive by the originator or custodian of that data. The worst that happens is someone sends me his or her password in e-mail. I call them up and make them change their password on the phone, and then I delete the e-mail message, and wash my eyes out with soap to burn the image from my mind. (Ok, I do everything except for that last part.)

But here’s the question: what is the right thing to do?

If you were to lose it all, how would you recover? Do you have a policy of notification in the event of what they politely call ‘a data spill’? Are you allowed to say, ”Oh, it’s OK. It was in binary and no one will piece it back together”? Did you know that certain foreign goverments employ people to do nothing but put 1/16-inch shred back together like a giant jigsaw puzzle? You need to be worried about your zeros and ones to be sure.

So let’s talk about notification, because we all know you have good, timely backups available for you to determine the extent of the damage. Do you notify those involved or do you notify the entire organization, telling them the affected individuals will be contacted accordingly?

Do you have to notify the vice president of HR in person that you’ve lost her personally identifying data, or is your boss willing to step up and notify his peers of an incident in his command? Contingencies need to be put in writing, so when the time comes, there’s no pointing of fingers and attempts to avoid an unpleasant task.

If the policy is to notify the circle of influence, don’t be shy to cast a broad net. These are people who need to respect and trust you to do their jobs. And they (apparently) trust you with very important and sensitive data. It may not seem so to you, but that set of research figures you were carrying around might be the professor’s hopes for a Nobel Prize. It also could be that admin’s notes from a meeting may provide the company a new revenue stream. You don’t know.

So if there’s a possibility the data you maintained was sensitive in nature, notify.

You see, they may not be very understanding, but they will be a lot less understanding if they find out about it from some third party, and you have to admit to it later. Bad, bad idea.

So, protect yourself. Find out what your policy on notification is, or in the absence of one, get one written and pushed through approvals. Data spills are like motorcycle spills &#151 you’ve either had one, or you will.

Linda LeBlanc, who served as a Gunnery Sergeant in the U.S. Marine Corps., now is a network security analyst at MIT. She also does security consulting for Web-based businesses. LeBlanc’s columns reflect her own opinions, and not necessarily those of her employer.

Adapted from esecurityplanet.com.