When Data Spills, Who do You Notify?

So by now most of you know that a few weeks ago someone stole my backpack, which was holding my laptop, my PDA, my pager and my wallet.

You can imagine, in the little closet of your most secret fears, what would happen if you lost all of the electronic gizmos that help your brain return the correct answer for just about every function call in life. All at the same time.

So here I sit with my brand new, pristine laptop. (I'll only say I don't run the House of Gates, and it's 10 times more likely to make me smile.) I love a new laptop. You get to put everything where it belongs this time, and not where it's expedient to put it. You get to set up your document folders in some sort of logical fashion instead of a folder for today, a folder for "Oh yeah, I forgot" (you can do that in Unix), and another folder for the past.

But dammit there's actually nothing on it.

I've got no appointments. I've got no notes, no contact lists... Oh, wait. I do have 1,700 pieces of mail I'm still sorting through two weeks later, and more coming in because I have no mail filters! You can only set this stuff up so fast.

But it makes me realize just exactly how much stuff I had on the laptop I lost. Now, I can be relatively assured that no sensitive data was in my possession, because I don't deal in SSNs, research results or other types of data that might be considered confidential or sensitive by the originator or custodian of that data. The worst that happens is someone sends me their password in email. I call them up and make them change their password on the phone, then I delete the email message, and wash my eyes out with soap to burn the image from my mind. (OK, I do everything except for that last part.)

But here's the question... What is the right thing to do?

If you were to lose it all, how would you recover? Do you have a policy of notification in the event of what they politely call "a data spill"? Are you allowed to say, "Oh, it's OK. It was in binary and no one will piece it back together"? Did you know that certain foreign governments employ people to do nothing but put 1/16-inch shred back together like a giant jigsaw puzzle? You need to be worried about your zeros and ones, to be sure.

So let's talk about notification, because we all know you have good, timely backups available for you to determine the extent of the damage. Do you notify those involved, or do you notify the entire organization, telling them the affected individuals will be contacted accordingly?

Do you have to notify the vice president of HR in person that you've lost her personally identifying data, or is your boss willing to step up and notify his peers of an incident in his command? All of this needs to be put in writing, so when the time comes, there's no pointing of fingers and no attempts to avoid an unpleasant task.

If the policy is to notify the circle of influence, don't be shy about casting a broad net. These are people who need to respect and trust you to do their jobs. And they are (apparently) trusting you with very important and sensitive data. It may not seem so to you, but that set of research figures you were carrying around might be the professor's hopes for a Nobel Prize. It also could be that an admin's notes from a meeting may provide the company a new revenue stream. You don't know.

So if there's a possibility the data you maintained was sensitive in nature, notify.

You see, they may not be very understanding, but they will be a lot less understanding if they find out about it from some third party, and you have to admit to it later. Bad, bad idea.

So, protect yourself. Find out what your policy on notification is, or in the absence of one, get one written and pushed through approvals. Data spills are like motorcycle spills -- you've either had one, or you will.
