Smart people learn from their own mistakes. Really smart people learn from other people’s mistakes. And boy, we can all get a graduate based on the boneheaded blunders made by the Veterans Administration over the past few weeks. It’s a textbook case in how not to handle sensitive data and then how not to handle the resulting crisis.
If you haven’t been paying attention (possible? probably not) the Veterans Administration finally fessed up that it had lost the most sensitive information of 26.5 million veterans. An employee took home a CD with the records of every living veteran and then some. These records included just about everything necessary for easy identity theft including date of birth and social security numbers. This CD and the laptop it was sitting in were stolen from the employee’s home by a burglar. If you want the gory details, click here for a story from the Houston Chronicle.
Mistake #1: Poor Data Security
There is no way on earth that an employee should be able to routinely copy that much data onto a CD and then leave the building with it. Whether that’s one mistake or two is up to you. Simply copying that data onto a CD should have set off an alarm. That much personal data on portable media needs to be handled like weapons grade plutonium. It should be logged out and in not schlepped around like yesterday’s newspaper.
Who can get at your company’s personnel records, customer lists, financial data, technical information? How do you know that it’s not leaving the building? When an employee quits or is terminated, are they able to leave with your information? How often are passwords on your network changed. Forget a firewall. Most company’s data security is a screen door.
Mistake #2: Burying the Problem
The trouble was compounded when no one shot off a red flare and announced that there was a problem. In fact, the VA’s inspector general admitted that his office only learned about the loss of the data through office gossip ten days after the event.more than a week after the burglarly. Yilkes!!!
Make sure that everyone in your organization knows that problems must be escalated immediately and that the consequences of covering up are a lot worse than those of the original problem.
Mistake #3: Not taking charge of the communication
The mistakes just kept coming. The VA did not clearly communicate what was going on to the veterans. The story came out late and in pieces. This violates every principle of crisis communications.
Hopefully you’ll never have a problem that’s as serious as the one the VA is going through. If you do, the most important thing is to talk to the people affected as soon as you have a handle on the facts. Tell them what went wrong, what you are doing about it, and apologize early and often. Keep communicating as your efforts to fix the problem are successful–or even if they’re not.
There are lots of examples of how people made problems dramatically worse by trying to cover them up-Watergate comes to mind as does Bill Clinton’s fiasco over Monica Lewinsky. Remember, Clinton’s crime was perjury not adultery.