Recently we had a data security issue in our office: a flash drive with client data was lost. All of us involved were devastated; we felt horrible that it happened and worried about the risks to our client and the people they serve. Although our client was understandably upset, we did the best we could under the circumstances to make amends. We actually received compliments (!) on how we handled the issue. We were also told by several people that this sort of thing happens all the time.
We did a number of things to address the loss that I think might be useful to others if they find themselves in the same situation; this process was useful to us and our client. Although I hope this never happens to any of our readers, if it does, these lessons may be helpful.
1. We notified our client immediately and made ourselves available to do whatever remediation they felt necessary. This meant clearing our calendars for several days to respond to questions, draft answers, research the problem, etc.
2. We determined the risk involved with the data that was lost. For example, in our case we felt that the data would not likely be used to financially harm the individuals, but could make the individuals feel that their privacy had been violated.
3. We determined the likelihood that those risks would come to fruition. In this case, the flash drive was mistakenly discarded, rather than stolen, so it was unlikely that someone would access it with the intended purpose of doing harm.
4. We created a response to both the actual and the perceived risks, including purchasing a credit protection plan for any individuals involved when requested; this was explained in a letter that went to everyone involved.
5. We were very apologetic, and let everyone involved (the client, their program participants, and other stakeholders) know how sorry we felt that it happened. We took responsibility immediately and made ourselves available to answer any questions that came up.
6. We identified weaknesses in our security procedures and worked with our client to address them. This included some minor investments on our part in new encryption equipment, and time to write new policies and procedures.