Law, Policy -- and IT?

Tracy Mitrano explores the intersection where higher education, the Internet and the world meet (and sometimes collide).


Responsibility for a Breach

Who owns it?


September 11, 2016

Who is responsible for an information management/technology breach? Whole books could and should be written about this subject. The first order of any information privacy and security program is governance. If that aspect is missing or vague in your institution’s plan, get thee back to the drawing table and clear it up. The consequences of letting it lapse will come back to bite at the moment you need it least to rear its ugly head. In keeping with that metaphor, those are precisely the kind of circumstances when heads roll. Don’t let it be yours.

This question came up in comments to the last post about the Clinton emails. In brief, the prohibition against outside servers did not exist under the Secretary’s tenure. State corrected that gap after she left office. Therefore, there was no law to break. Furthermore, State’s failures (negligence?) in adequately melding classified data rules with its information management/technology resulted in the F.B.I. finding that Clinton did not meet the legal definition of intent. A guest commenter suggested that as head of State, she was responsible. She went further to suggest that ultimately her boss, the President, was responsible. That point raises the larger question with which I began this post.

I am much more acquainted with the organizational structure and dynamics of higher education than I ever will be with the federal government. Still, as is the nature of a blogger, I offer a thought. To make politically appointed leaders responsible in the same way that we might expect to make an institutional chancellor or president, or even the CEO of a for-profit corporation, is a stretch. Let’s break that thought down a bit.

First, vice chancellors and vice presidents exist to exercise strategic alignment for operational areas such as facilities, human resources or information technology (which, by the way, unless clearly articulated in a job description and bought into by institutional leadership, does not necessarily mean information management). Second, many factors go into whether an incident rises to the level of cause to terminate employment. If vice presidents of IT or CIOs were fired every time an institution experienced a breach, EDUCAUSE’s CIO list would be a constant jumble of shifting signature lines! It is not unheard of that a CIO might lose a position as a result of a breach, but any combination of factors might underlie that event: the severity of the breach and the degree of risk it brought the institution, expressed often in dollars but also in reputational harm; the identification of a pattern of such lapses and a lack of trust that the CIO is able to learn and grow from the experience; or other sundry ineluctable political factors that may be at stake.

I am aware of an interesting story from a number of years back in which the theft of a laptop holding lots of sensitive, regulated data resulted in significant consequences for the players involved in the event. The device was being used to upgrade an enterprise service. The user was an analyst who may or may not have been aware of the content of the data involved in the upgrade. The theft of the physical laptop occurred off campus. Probabilistically, the thief stole the laptop for the device, not the data. Nonetheless, it was a notifiable breach. The institution sanctioned the highest-level IT leader; that event may have contributed towards an early retirement. The institution also sanctioned the director of enterprise systems. The information security officer, who had done no proactive rule-making (“devices involved in the upgrade shall not be allowed off campus”) and no training or education of the analysts, was, incredibly, promoted. That individual argued that the chief information security officer, who sat in the IT organization, had responsibility for the entire campus but not for the central IT shop. For those who maintain a jaded view of institutional leadership, this narrative might sound exactly right. Promote the individual who can pull the wool over everyone’s eyes enough to thrive while everyone else pays for that person’s mistake! Isn’t that the definition of leadership?

NO, it is not.

But it happens … as a result of people, personalities and politics.

Maybe this is the kind of dynamic that the commenter to last week’s blog had in mind when s/he noted that Clinton, or even Obama, should have been sanctioned for the information management/technology failures of the State Department. By that logic, in the example I just gave above, the president of the institution should have been let go because of the stolen laptop. (Maybe even the Board chair?) No chance. It makes even less sense for a political appointee at the top level of our federal government. One wonders about the civil servants at State in charge of information management/technology, however; the press has said not a word about them or that subject.

To be sure, if there is sustained, gross negligence or the overlooking of repeated, intentional violations, top heads would and should roll. Let’s play some of those scenarios out. Repeated facilities failures that not only inconvenience but cause the destruction of research to the tune of millions of dollars in government grants. Rampant, unchecked sexual harassment throughout the institution resulting in multiple lawsuits. Information technology failures that cripple operations and cause sustained institutional harm affecting student enrollment and faculty retention. How about intentional acts? Clinton selling those emails to North Korea or Russia? Leaders who role-model sexual harassment? Mental illness causing a president to sabotage research through facilities because of a paranoid fear of a top faculty researcher.

I exaggerate to make the point: all of the above are the kinds of acts that go to the top. But confused, inadequate and even negligent information management/technology to date? No. That is why we all – government, industry and higher ed – are still a work in progress, figuring those plans, programs, policies and procedures out. To expect perfection at this stage is ridiculously unrealistic. To not pay attention or devote resources to this quest is also, in my view, grossly negligent of the realities of a global information economy and its significance to business functions and institutional success, no matter what vertical we are talking about. Dedicated, accountable, responsible pursuit of excellence through learning from reasonable mistakes, taking calculated risks, trying new approaches, and keeping on top of administrative and technical developments in cybersecurity, information and technology management rings Goldilocks. It is just right.
