The headline read “Google loses employee data.” It caught my attention as I thought of all the implications this has for all the other data Google stores. A headline like that hits a nerve, I take it personally, because like most of us I immediately think of my search history from the last 10 years.
But wait! Turns out Google didn’t really lose anything. Once you read the article (most people won’t), you find out that Colt Express Outsourcing, a company subcontracted for recruiting, was burglarized on May 26. Data that was unencrypted was stolen, though no identity theft or other exploit of that data has been detected yet. Colt had many clients in the technology sector, many of which were apparently affected. But who makes the headline? Google, because it becomes guilty by association. Its name in the headline brings the emotional response. Because I use Google, it’s personal.
So, did Google do something wrong here? Its response to the potential breach was relatively fast and went above and beyond its legal obligations. Under California law, Google is subject to Senate Bill 1386, which requires notification of affected parties. Google also reportedly offered to cover the cost of a one-year subscription to a credit-monitoring agency for those whose identity was disclosed. So it did the right thing in terms of reacting to the breach. But Google has now taken a reputation hit which is arguably the greatest cost of such breaches. Google is now suffering guilt by association. All of this could have been avoided if the data were encrypted. Not only would that render the data unusable to thieves, but it would also exempt Google and its subcontractors from the notification requirements of SB1386. Effectively, encryption is the “safe harbour” exception in SB1386. So the real question is: What requirements and policies did Google contractually demand from Colt? Did Google require Colt to be compliant with some standard such as SAS 70 Type II, a standard for process controls in service (outsourcing) organization? Were there any requirements for frequent audits? Were there any requirements in place regarding handling and storage of personal information? These are questions you should be asking about your own subcontractors.
Compliance should not be limited to situations where there are legal requirements. And neither should compliance standards be used only as a cover-your-arse mechanism. Compliance frameworks offer a standardized mechanism for companies to apply, document and enforce best practices, both internally and on external partners. You can’t run a business today without many external partners. But you can’t also let their lack of care become your guilt by association. When your name shows up on the headline just because it has better emotional impact, you can scream foul and blame shoddy journalism, but you’ll still take a hit. Staying off the front page requires you to police your partners too.