Are You Watching What You Really Need?

The other day, I got to talking about what data was. I explained that data was a discrete fact that, by itself, had no specific relevance. We can't contrive meaning out of things like "red", "287.83", or "Ron" unless we know how they're being used ... that they have context.

Information is data in context. It's the lens by which that we perceive data and attempt to make sense of it. If I told you that, in this case, Ron was interested in purchasing a red suitcase for $287.83, then the data is put in context and makes sense, and subconsciously, our minds are already making judgments and decisions surrounding the information that it's been fed:

• Is "red" really a good color for a suitcase? Your mind is already buzzing with long-held perceptions, images, and opinions concerning red suitcases.
  
  
• Is $287.83 really too expensive, given your judgment and past history purchasing suitcases?
  
  
• Is there a reason why Ron wants to travel?

Watch What the Mind Does!

The mind is an interesting thing. See the last one there? My mind wanted to jump to the next logical conclusion - it made this assumption that Ron would be travelling based off of known variables. Ahh assumptions! But did I make the right assumption?

Think About Your Small Business Information System

Should we look at this example as a lesson for understanding your small businesses' information system, I think we should make three points:

1. Facts. Are the facts (datum) recorded in your company's information system accurate? This goes back to my last conversation with you. If the data is bad, the information we'll get from it is bad, and the decisions we'll end up making will be wrong. If the data's bad, why is it bad? That's going to need to be fixed before anything else.
   
   
2. Information. Is the information derived from the information system relevant to your job, or, the job of your employees? Example: if this was a suitcase retailer, it'd be relevant - we see who bought what and for what price. Instead, if you're in the business of, say, carpet cleaning, how does this information help you? Is the information you're getting from your information system relevant to the decisions that need to be made? If it ain't relevant to you or your employees, what's the point? What's the value in being handed irrelevant information? 
   
   
3. Assumption. Finally, how did the information system work to dispel assumption? In this case, there were few data points and my mind was able to wander (as minds do!) and make a broad assumption about what I was seeing. That assumption - that Ron was travelling - may be entirely wrong! And you guys know what happens when people ... assume ... in your business, right? The next thing to look at: how is the information system providing relevant, factual, accurate information, that dispels assumption, and leads the user to the correct decision/answer every time? If the information system provides information that's left up to interpretation (or assumption), we'd see increased guesswork in outcomes, leading to more errors, more malfunctions, more loss.

If we were talking, I'd want to look at the reports being spit out by your information system. How do the contents of this report benefit its user? I'd ask, "What do we absolutely need to know to do THIS job?", and then look at how the information system is providing the right information to the right person at the right time make the best decision, and in a way that dispels assumption, because the more assumptions that'll be made will contribute to higher error rates and loss down the road.

Hey ... There's More?

Wow! Cool, okay, today we've covered some great information theory 101! All of this content is related to my discussion on information management strategy for the small business.

Next time we'll talk about automated versus manual information systems, and, the impacts of errors and omissions. Talk to you then.

R

Just Another Bad Day At The Office ...

The other day, a business associate told me a terrible story about losing his cell phone. He placed it on the roof of his car and it probably slid off and flew into the street. I was empathetic, but at the same time, I asked a critical question: "Did you perform any business on this phone?"

He answered that he did. I started asking a bit more. "Do you think any of the emails on your phone had names of people, personal private data like addresses and phone numbers, and account information with your institution?"

Sadly, his smile began to fade as he started to see where I was going with this line of reasoning. "My friend, you've got a data breach situation on your hands."

... Just Got a Whole Lot Worse

A data breach is a condition where unencrypted Personal Private Information (PPI) is suspected of being compromised, or, falls out of the control of its owner.  

Most States have data breach laws that require reporting and disclosure of a data breach affecting their citizens. If you're a small business in Washington State, you're subject to RCW 19.255.010 governing data breach reporting to affected Washington citizens.

Unfortunately, there isn't a national data breach law: each and every state has their own standard which makes it very difficult to do business in this country. Example: if you're a Washington State company that does business with consumers in the State of Oregon, you're also governed by the ORS 646A.600 Oregon Consumer Identity Theft Protection Act. You'd have to respond to both states and their requirements equally.

Cell phones and other mobile devices (tablets, laptops, wearable computers) are unencrypted storage devices and might contain classified forms of PPI covered in the statute.

Unencrypted means that the data on the hard drive of the device isn't scrambled so that somebody can't access it, and sadly, adding a passcode or a fingerprint access to your cell does not encrypt the contents of the device.

Generally, in the State of Washington, if your mobile device contains email, notes, documents, or contact information that draws a line between a first and last name and:

• Social Security Number
• Driver's License Number or Washington Identification Card Number
• Account Number or Debit Card Number (in combination with any access password or PIN)

As a remedy, Washington State requires that you provide immediate notification to all affected parties in one of many possible forms for a breach consisting of less than 500,000 records:

• Written response
• Electronic notice ... "consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. Sec. 7001"

And the law also specifically addresses the company's liability to consumer civil action to recover damages, exposing the company to lawsuit for things like identity theft. (And BTW: do note that these laws are a baseline, not covering anything federally recognized as classified forms of information like HIPAA, FERPA, or GLB.)

But Think Bigger Than the Law - Think About Your Social Obligation

The letter of the law is fairly specific, limited, and even provides exclusions for public information that could be obtained from governments and other sources.

But think about it. What if it was your PPI, your kid's PPI, the private checking account information of your company (although it didn't have a PIN or passphrase)? Wouldn't you want to know about the data breach so that you could take reasonable precautions to protect yourself?

It's kind of like the recent automaker testimonials before Congress lately. If you knew about something but didn't take action - didn't go above the letter of the law and embrace the spirit of the law - doesn't that violate social obligation? Ruin public trust? If any form of sensitive information fell out of your control, shouldn't you be notifying those affected, and keeping a record of your social response so that you can justify your transparency and defend yourself from civil litigation, or, embarrassing allegations of concealing your negligence?

What's worse: admitting to the problem, taking ownership of it, and being seen as a leader to accept responsibility and seek remedies? Or, being caught in a cover-up? Or have somebody somewhere else damaged because you didn't take reasonable steps to notify them of the breach?

Preventative Measures

Okay, how can we be proactive about this stuff? Make sure it doesn't happen in the first place? 

1. Have a Security Policy. A document from your executive management that describes what your company does during a data breach and how it will respond. This document will demonstrate management's awareness of their obligations as custodians of PPI.
    
2. Have a Data Classification Policy. A document that classifies certain kinds of information within a company as being more or less sensitive, and dictates the kinds of controls and accessibility it should have. Example: this policy should state that SSN's, account numbers, WA Drivers License Numbers, and access codes are restricted forms of information, and should never be transmitted out of an encrypted state or to a mobile device. Ever. This document will demonstrate management's specific instructions on how to handle classified forms of PPI.
    
3. Training. You must communicate your intentions and train your staff so that they understand the risks and obligations taken on by your firm, and, how data breach affects them as individuals.
    
4. Audits. Periodically review the Technical Controls that enable these policies. Review cell phones of employees. Put in the necessary technical precautions to prevent 

These are best-practice approaches to illustrating management's intention, recognizing their obligation, proactively identifying what forms of information should be classified and how they should be treated, training staff, and auditing compliance.

Without these instruments or practices, the company is at best a poor custodian and at worse negligent, seriously exposing their firm to civil action from consumers damaged by identity theft.

R