IT Confidential: Don't Apologize About Data Loss--Just Don't Do It

Adequate data security means never having to say you're sorry.
My son's first day of college is the day after Labor Day, and my wife and I are driving him to school at the end of this week. Several hours in the car afford time for the Big Talk--you know, the one about taking life seriously, applying yourself, always keeping a positive attitude, and learning from your mistakes.

One life lesson I might impart goes like this: It's better to apologize than to ask permission. But I'm torn.

I was reminded of that lesson last week, when AOL confirmed that its chief technology officer had resigned. AOL also let go two data-research workers. These came in the wake of a tsunami of protests over AOL having published data on its Web site from search results for over a half-million of its subscribers. AOL issued a public apology shortly after the incident.

My son is attending Ohio University in Athens, Ohio--my alma mater. Ohio University has had to do its share of apologizing lately, since it was revealed last spring that servers on the OU campus had been breached by hackers, one for as long as a year, maybe longer. These servers contained personal information such as names and Social Security numbers for thousands of students, workers, and alumni (myself included). The university sent out letters of apology. Two IT workers were subsequently suspended and face dismissal, and the CIO resigned last month, saying in a statement on the university's Web site, "A new energy level and skill set is going to be required in order to allow our IT organization to realize its potential."

For some organizations, the "apologize after" approach is more than a life lesson, it's a corporate strategy. Rather than being proactive in instituting the difficult, expensive, and resource-consuming steps required to secure--and keep secure--personal data, it seems some organizations would rather ignore the responsibility and deal with the consequences of a data "compromise" in a reactive fashion, like this: shock, dismay, apology, dismissal.

So, does that make "apologize after" a life lesson worth ignoring? Maybe not. I don't mean to muddy the waters too much, but the "apologize after" lesson also occurred to me two weeks ago, when a federal judge ordered the National Security Agency to stop its telecom-surveillance program. I'm not necessarily a fan of government surveillance, but fighting terrorism--unlike fighting domestic crime--is all about being proactive, dealing with the potential for violence in an aggressive, preventative manner. "Apologize after" seems like a highly appropriate strategy for the war on terror.

So, what do I tell my son? How about something like this: Think positive, be scrupulous in your work, take responsibility, be proactive, and apologize ... as little as possible. For those who wrote in about my son's Apple MacBook, no, it wasn't affected by the battery recall, but thanks for asking (wiping sweat from my brow, and egg from my face).

Speaking of apologies, let me assure those readers upset by my referring several weeks ago to Led Zeppelin as a "decidedly average rock 'n' roll band" (you know who you are) that it was a joke--check the context. I'm a Led Zeppelin fan from way back, having attended my first concert of theirs in the summer of 1969. Send a Zep anecdote or a favorite song, along with an industry tip, to [email protected], or phone 516-562-5326.

To discuss this column with other readers, please visit John Soat's forum.

To find out more about John Soat, please visit his page.

Editor's Choice
Brian T. Horowitz, Contributing Reporter
Samuel Greengard, Contributing Reporter
Nathan Eddy, Freelance Writer
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Cynthia Harvey, Freelance Journalist, InformationWeek
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing