I Can't PHInd My Laptop!

Making the case for Information Security.

May, 2011

Missing Laptop

I can't remember if it had been lost or stolen, but it really didn't matter. The laptop had gone missing and this was my opening. I scribbled, "We lost a laptop!!" in the margin of this article, and dropped it on the CEO's desk.

He was in my office within an hour. "Was there any PHI on it?"

"We had better hope not," was the best I could do. I found myself in a difficult situation. It wouldn't be fair to describe the company's management culture as merely unenthusiastic about security; these guys were downright hostile toward it. My hazing occurred when I was told that a work-from-home programmer, wanting to share some code with a co-worker in the office, had uploaded the artifact to an unprotected, public file-sharing service because it was too large for an e-mail attachment. Not only was this code snippet a classified, company-proprietary business asset, it was intellectual property that represented an investment in the company's most strategic project (more than $30 million). On top of that, we were a public company in the healthcare space, which means this has all kinds of compliance implications. I was certain there was a better solution. When I approached this individual's manager, a gentleman bystander announced, "We will NOT punish people for circumventing stupid Security rules to do their job." The Manager beamed. Astoundingly, the "bystander" was promptly promoted to CIO.

Punish? I was just trying to find out what happened and maybe find a better solution. It was inconceivable, incomprehensible, and above all unconscionable to me that a company dependent upon information and technology for its revenue stream could hold a basic thing like Security in such disdain. After a week on the job, I was already feeling pressure from both Sales and Legal to resolve compliance issues and this guy was not helping. We were failing Customer audits upon which new as well as existing business was contingent. These were very basic HIPAA and Sarbanes-Oxley exceptions that leadership had failed to address, and at the end of the day it cost us valuable business. As it turns out, our hero had little regard for most of the basic IT governance concepts and his shenanigans ultimately limited his tenure after valuable business was lost. But the damage had been done. His lack of leadership had poisoned the management culture, and cost a lot of good people their jobs.

Forget (for only a moment, please) the more than $7 million in remedies and fines Blue Cross Blue Shield Tennessee had spent so far. Forget as well some of the other frightening numbers:

  • 500,000 people with potentially compromised privacy and identities,
  • 220,000 people notified,
  • more than 700 people hired to assist the remediation,
  • 8,728 member phone calls,
  • 20,500 members taking advantage of identity protection services, and (my personal favorite)
  • letters to attorneys general in 32 states.

Fines can be paid. Remediation is costly, but it's only money. Writing letters to attorneys general? Now there are those among you who might disagree, but I'm guessing that's more painful than writing a check. Compromising the privacy of your Customers? The very people who trusted you as a steward of their personal, protected health information (a.k.a. PHI)?

No one wants to see funds that could have gone to a dividend used for remediation or to pay a fine. I get that. But don't you see? You can always get more business and earn more money. But it is infinitely more difficult to earn back a reputation lost. I'm talking about your company's trusted brand; your good name. It's precious, and it's to be protected at all costs. Indeed, it is a tangible, balance-sheet asset called goodwill. It's why ValuJet changed its name to AirTran after the Flight 592 tragedy.

Game Over

Unfortunately, it's too common for a company not to figure this out until it's much too late. Making the case with examples like ValuJet and BCBS TN can be a powerful tactic, but leaders have to take stock of the cultural and political environment while planning a strategy. People don't take kindly to looking foolish, and failure to accurately gauge the situation can make our job that much more difficult.

But we cannot relent. The goodwill of the company is the foundation upon which everything else is built, and when it's gone it's gone forever. Change your name. No more audits, no more CIOs, and no more sales. Game over.