Keep Calm and Carry On: Words of Wisdom When Facing a Data Loss
17 Sep 2015
Author's Note: Data breaches are in the news again, which led to a conversation in the Email Council not only about the breaches themselves but about the reaction to these breaches. This blog was originally posted on www.dotmailer.com/blog, but I thought it would be useful to share it here as well.
I recently suffered a personal data loss, and did I react like an experienced data professional? No, I did not; I panicked and, in the end, caused myself a lot more pain. But let's start at the beginning.
It was one of those rare warm spring days in London and I was rushing from one meeting that ran over to another with a colleague for a working lunch. We were meeting in one of those comfy coffee house kind of places and when I arrived, I plopped down in one of the chairs relieved to be there and to be sitting. After a cold Diet Coke had arrived and we had exchanged pleasantries, my colleague and I got down to business.
I had been there maybe fifteen or twenty minutes when I reached for my phone to check something. Huh, not in my pocket. Not on the table. Not in my jacket pocket. Not in my bag. Nobody had turned it in in the cafe. Not in my pocket. Not in my jacket. Definitely not in my pocket. Not in the cushions of my chair. Definitely not in my jacket. Check the bag again but I never put it in there; nope not there. Better check the ‘Find my iPhone’ app. Oh no! It's in that sketchy looking NHS clinic near Dean Street in Soho. Must have been nicked; best to report the phone stolen.
So I borrowed my colleague's phone and began navigating the labyrinth that is the Vodafone auto-attendant, becoming increasingly frustrated and panicked. Once I got through, they quickly blocked the phone. It was only then that it occurred to me that blocking the phone was not enough.
My entire personal life is on that phone: my Evernote, which has sensitive personal information like copies of the whole family's passports, bank account details, etc.; my password keeper, which is encrypted but still too close to everything for comfort; banking apps, which I set to require a password for each use, but still... I literally keep my entire digital life on my phone. I need to erase it. Grab the iPad, follow the remote erase procedure - phew! Oh wait, the phone has been blocked, so I can't erase it, and no, Vodafone won't unblock it long enough for it to be erased, but it is what it is.
At this point I am about 45 minutes into this drama. I have wound up the call with Vodafone and decide to call my wife to tell her what has happened and why she might not be able to reach me, which apparently she had been trying to do. The person who found my phone was trying to return it. It had not been stolen but had popped out of my jacket pocket when I was running to beat a stoplight. Unfortunately the Good Samaritan did not leave his personal details; he only asked my wife to return his call on my phone. But now it's too late. Even if I get Vodafone to unblock it (which they can do), the phone will erase as soon as it connects to the network and I will never be able to reach the person. Now I face the hassle of replacing and then rebuilding the phone.
When I realised my phone was missing and in a sketchy clinic in Soho, human nature kicked in and led me directly down the wrong path. What I should have done was call my wife first. I have been married for over seventeen years; you would think by now that calling her first would be an instinctual action. Had I reached her first, I would have had my phone back that afternoon, and probably in less time than this ordeal had already taken.
Even if I had not been able to reach her, or the Good Samaritan had not reached out straight away, there was no need to blindly block and erase the phone. My phone was set to auto-lock after two minutes. Once locked, it was secured by fingerprint scan (probably breakable, but also probably not by your average Good Samaritan or pickpocket, for that matter). It was also protected by a four-digit PIN and set to auto-erase if the PIN was incorrectly entered ten times (I discovered that this feature works after my 5-year-old had decided to play on Daddy's iPhone). Since I still had the requisite fingers, the finder of the phone had a 1:10,000 chance of guessing the PIN. To put this in perspective, these are the same odds as being killed by a grizzly bear. To be fair, I got this stat off the internet and can only assume that one has to be in relatively close proximity to the bear in the first place. I am guessing that the odds of this happening in London are more remote, but you get the idea.
When wearing my data professional's hat, however, I tend to think in worst-case scenarios. So, the worst case is that the thief is really lucky and breaks into the phone. What would be the impact then? In my case, pretty severe. All of the apps that grant access to my bank accounts, credit cards, etc. are username and password protected, but the email is not; with all of those email accounts you could definitely hijack a large part of my digital life and go on a spending spree at Amazon, limited only by my credit card limit. You would also have full access to my online social presence, which could prove embarrassing at best or personally and professionally damaging at worst. Of course, all of these passwords can be changed relatively quickly (in fact, probably faster than it took me to get the phone blocked).
Instead of jumping right into action, I should have referred to my plan; unfortunately, I did not have a plan, but I certainly could have taken the time to make one.
My personal data loss plan now is:
1. Do NOT panic.
2. Call my wife.
3. What is the possibility the average person can access the device?
4. If someone does access the device, what is the potential damage?
5. How can I limit that in the time I have?
6. Get going and sort it.
As I look at this, however, it is not a bad model if you face a potential data loss in your business environment either:
1. Do NOT panic.
2. Communicate with key stakeholders.
3. Assess the risk that the lost device could be compromised.
4. Assess the potential impact if the data on that device were compromised.
5. Develop a plan of action.
6. Execute on that plan of action.
It is a bit cliché, but failing to plan is planning to fail. I think you would agree that this story is the epitome of #epicfail. If I had had a plan ready to go for such an eventuality, or had taken the time to make a considered one in the moment, then all I would have needed to do is execute, which is a whole lot less stressful than flapping about like a headless chicken.