Klossner: Accidents happen?
Every fall, after the leaves have turned but hopefully before the first snow, I go hiking with my friend (and former GAO employee) Andy. Our treks usually follow the same routine: We hike into one of the Appalachian Mountain Club huts, change from our sweaty and smelly hiking gear into our not-yet-sweaty-and-smelly indoor gear, eat one of the incredibly hearty hut meals (of course, after hiking for six to nine hours, a can of Spaghetti-O's qualifies as "hearty," but the hut meals are the real thing, I assure you) and go to the rustic bookshelves for back copies of "Appalachia."
"Appalachia," a publication of the Appalachian Mountain Club in the northeastern United States, calls itself "America's Longest-Running Journal of Mountaineering and Conservation." I first came across it while staying in one of the huts on the Appalachian Trail in the White Mountains of New Hampshire. Since, after a long day of hiking, I was too tired to read any of the lengthy pieces, I looked for shorter, more manageable entries -- pieces that I would be able to finish before falling asleep with the magazine over my face. This led me to the Accidents section.
"Appalachia" is published twice yearly. This allows the editors to compile all the previous season's — winter or summer — accidents in each issue, giving the reader a full slate of accidental possibilities. I find it educational, sobering and at times highly entertaining. (I'd share some favorites with you, but then I'd be exceeding international blogging length standards.)
One of my favorite ingredients of the Accidents section is the editor's comment that follows each entry. The Accidents editor has a wonderful voice — that of a stern, suffer-no-fools parent who offers little sympathy for the cast on your arm while he asks, "Well, what did you THINK would happen when you jumped off the garage roof?" The Accidents editor operates on the basic premise that the mountains and trails are wilderness, with no seatbelt regulations, no Wi-Fi, and no Starbucks, (rumors of Starbucks kiosks being installed in Yellowstone have not been substantiated at this time), and hikers are responsible for their own actions and interactions with nature.
This week's editorial subject brought the Accidents section to mind. The data breach at a National Institutes of Health agency could be read as an accident, something that is none-too-rare in our world these days. A laptop PC getting stolen can happen as easily as slipping on a wet rock at tree line. Besides, the laptop in question had been protected: It had been placed in a locked car trunk. What more could the employee have done? This is where the Accidents editor comes in. Instead of the "Gee, you're right. You did all you could do, short of staying in the trunk with the computer" response, he could give you the "What didn't you do?" response. In this case, I imagine the Accidents editor's comment as something like this:
Data theft is not an uncommon experience these days, and anyone who collects data assumes the responsibility for the safeguarding of the information. This includes taking all current technological precautions. Saying that the stolen laptop was "off and password protected" and that officials "believe it's unlikely that the patients will be victims of identity theft or financial loss" is not enough when there are other steps that could have been taken. In this case, the data was not encrypted, when encryption is an accepted and recommended practice with all sensitive data storage. The response from those who don't encrypt seems to be that it is an inconvenience — for both the party sending and the party receiving the data. One would assume this is not the same inconvenience as the negative publicity (and added man-hours of time spent dealing with the lost data ) an organization receives when they are the victim of a data theft. To its minor credit, NIH has now instituted a policy of encryption for all of its laptops. This is commendable, but it's not as if they didn't know about encryption before the theft. One hopes they are using this experience to become forward-looking with security policy, not shutting the barn door after the horses have left the laptop in the trunk.
In thinking about cartoon possibilities for this subject, I was torn between two directions: ignorance and laziness. If NIH officials were ignorant — they didn't know about encryption — that would be one thing, and I would do this cartoon.
But ignorance, as discussed in the editor's comment above, isn't the case here. The parties involved didn't encrypt because of the inconvenience. That led to this week's cartoon.
Posted by John Klossner on Apr 07, 2008 at 12:18 PM