Corporate policies are usually well-intentioned. They are meant to provide a framework for control within the organization and ultimately to help reduce the risk profile associated with how the organization conducts business. That profile varies from one organization to the next. It may include risk factors such as:
* A disgruntled low-level employee who has “had enough” and wants to take action to right what he/she thinks are wrongs made by the organization.
* Outside individuals trying to hack their way into the organization to steal information.
* Market, political, financial, and other exogenous factors which have an indirect (and certainly direct at times) impact on the organization.
One factor that needs to be addressed, though it is not always easily done, is the "what the heck was he/she thinking... that is why we have this policy" situation. In the jargon of our increasingly politically correct world, this is also commonly referred to as a "less than preferred" decision.
One can often see these decisions when reviewing the chronological list of data breaches on the Privacy Rights Clearinghouse website. This list is available at the following address: http://www.privacyrights.org/ar/ChronDataBreaches.htm.
One breach that piqued my interest was made public on November 6, 2009 by the National Archives and Records Administration. According to the information noted on the Privacy Rights Clearinghouse website (my italics added for emphasis):
“The National Archives and Records Administration violated its information security policies by returning failed hard drives from systems containing personally identifiable information of current government employees and military veterans back to vendors. By agency policy, NARA is supposed to destroy the hard drives rather than return them. On two separate occasions the agency sent defective disk drives back to vendors under a maintenance contract, rather than destroying and disposing of them in-house.”
Now you may more clearly understand what I meant when I called a decision like this "less than preferred". Let's revisit my first statement above: corporate policies are well-intentioned. That is easy to see here. Policy required the destruction of the hard drives in question. Perhaps there was a miscommunication involved. We may never know.
Any time you make a decision or take an action without thinking about corporate policies and how they are meant to direct those decisions and actions, you are potentially taking the health of your organization into your own hands. If you are about to knowingly make such a decision, take another look at the aforementioned listing of data breaches. Do you really want to be responsible for adding your organization's name to that list?
- Jeff Bamberger