Terry Dowdy forwarded me his thoughts about this recent story in The Washington Post about The Nature Conservancy's mismanagement of data. With his permission, I present Terry's (slightly edited) thoughts:
This is wrong on so many counts: why was old data still being used, why was it on a laptop (SSNs!), where is the AMS in all of this, why didn't they have good anti-spyware programs in place, etc. The only good point I see is that the network folks were monitoring their network traffic and were able to pinpoint the breach (albeit too late).
An organization as large as Nature Conservancy should've known better…and protected themselves better. But in the end, it always comes down to the end-user and their sense of personal responsibility — or lack thereof.
Terry raises some great points:
- Sensitive data on a laptop. That should never happen. Laptops are, by definition, mobile, which means the information can be easily physically stolen. Ironically, in this case, this information could have been on a workstation since it was stolen using spyware.
- Old data still being used. There may be some reason for keeping old data (since this related to payroll). But again, why would this data be on a hard drive? It should be on a network drive that's well-protected.
- Where is the AMS? Good question. This was employee information, so it's arguable it didn't belong in the AMS, but a case could be made for that.
- Where's the anti-spyware? Again, hard to say if there was any loaded and whether or not it was updated.
But all of this points to data management malpractice. As data managers, we are caretakers of the data. We have to be sure the data we're managing is safely handled at all times. And that includes keeping the data up to date and keeping it well-protected.
Where are your security holes? And what have you done to address them? It only takes one well-publicized incident like this one to sully an organization's reputation for years.