As I write this, Facebook CEO and founder Mark Zuckerberg is in Washington, getting ready to testify before a joint session of the Senate Judiciary and Commerce committees on April 10 and the House Energy and Commerce Committee on April 11. The committees are investigating both the use of Facebook to interfere with the 2016 Presidential election and the loss of 87 million Facebook profiles to Cambridge Analytica. But viewed through an IT professional's lens, Zuckerberg's testimony also serves nicely as a roadmap of what not to do when it comes to protecting your data, especially once you know something has gone wrong.
You're at least somewhat familiar with the details of Facebook's current debacle, if only because it's impossible to escape the 24-hour news cycle in which Facebook plays a key role. But lost in that coverage are lessons that IT managers can use to protect their own data, their companies, and themselves. After all, finding your data hijacked by foreign data miners is bad enough, but having it come out that you behaved badly after finding that out is certainly career limiting.
Protect Your Data...And Your Anatomy
Unfortunately, taken by itself, Zuckerberg's testimony isn't enough. Partly that's because it's short on specifics, and partly because it's broadly self-serving. He is, after all, trying to save important portions of his anatomy that are very much on the chopping block. With that in mind, here are some basic ideas that you might want to remember when dealing with your marketing and legal departments about public-facing digital assets.
Adopt this mantra: Personal data is critically important. It doesn't matter if it's a back-end system, such as a marketing automation suite, or a front-end customer-facing instrument like an email marketing campaign -- any data gathered must be protected using the same stringent guidelines. It also doesn't matter that your customers or your employees or your users have given you permission to use it, you must protect it as if it's the most important data in the world. As you're seeing, if it comes out the data is misused, someone will come after you. Most likely many someones, and they won't be interested in mercy.
Don't pass the buck. That didn't work at Nuremberg and it won't work here. If you're directed to build large-scale collection systems for consumer, partner, or other third-party data, treat the project as if you're the one who'll ultimately be held responsible. In many cases you just might be, no matter whose name is atop the email memos. That means questioning the process, imposing best practices for access control, and not only making sure there is an access audit trail but actually reviewing it on a regular basis. Like at least once a quarter.
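"Actually reviewing it" is the part that usually slips. As an added illustration, not code from the article or anything Facebook runs, here is a small Python review script over a hypothetical JSON-lines audit log (the log format, the role allowlist, and the sample lines are all constructed for the example). It flags the two things a quarterly reviewer most wants to see: a principal reading a table its role was never approved for, and a principal (or a partner API key) pulling records in bulk, which is exactly how a third-party app harvests profiles without anyone noticing.

```python
"""Quarterly review of a data-access audit trail.

Added example, not code from the article. It assumes a hypothetical
JSON-lines audit log in which each line records one access to a
customer-data table, and it reports principals reading outside their
approved role, non-read actions such as exports, and bulk access.
"""
import json
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log lines (not real data, not a real log format).
SAMPLE_LOG = """\
{"ts":"2018-04-02T09:12:01Z","principal":"svc-email-campaign","role":"marketing","action":"read","table":"customer_profile","rows":120}
{"ts":"2018-04-02T09:14:44Z","principal":"alice","role":"support","action":"read","table":"customer_profile","rows":1}
{"ts":"2018-04-02T10:01:09Z","principal":"bob","role":"analytics","action":"read","table":"customer_profile","rows":5000}
{"ts":"2018-04-02T10:05:00Z","principal":"bob","role":"analytics","action":"export","table":"customer_profile","rows":80000}
{"ts":"2018-04-03T11:20:33Z","principal":"apikey-partner-42","role":"partner","action":"read","table":"customer_profile","rows":250000}
{"ts":"2018-04-03T11:25:00Z","principal":"carol","role":"support","action":"read","table":"payment_card","rows":1}
{"ts":"2018-04-03T12:00:00Z","principal":"alice","role":"support","action":"read","table":"customer_profile","rows":3}
"""

# Hypothetical access policy: which roles may touch which tables, and how
# many rows per calendar day is "normal" before a reviewer should ask why.
ROLE_ALLOWLIST = {
    "support":   {"customer_profile"},
    "marketing": {"customer_profile"},
    "analytics": {"customer_profile"},
    "partner":   {"customer_profile"},
    "billing":   {"customer_profile", "payment_card"},
}
DAILY_ROW_THRESHOLD = 10_000
ALLOWED_ACTIONS = {"read"}   # exports need a separately approved principal


def parse_log(text):
    """Parse JSON-lines audit records, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
            ev["day"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
            events.append(ev)
        except (ValueError, KeyError, TypeError):
            continue  # in production a malformed record is itself a finding
    return events


def review_access(events):
    """Return a list of (principal, reason) findings for the review meeting."""
    findings = []
    rows_per_day = defaultdict(Counter)   # day -> principal -> rows touched

    for ev in events:
        # 1. Role/table policy: did this role have any business in this table?
        allowed_tables = ROLE_ALLOWLIST.get(ev["role"], set())
        if ev["table"] not in allowed_tables:
            findings.append((ev["principal"],
                             f"role {ev['role']} read {ev['table']} on {ev['ts']}"))
        # 2. Action policy: anything other than a plain read gets a question.
        if ev["action"] not in ALLOWED_ACTIONS:
            findings.append((ev["principal"],
                             f"{ev['action']} of {ev['rows']} rows from {ev['table']} on {ev['ts']}"))
        rows_per_day[ev["day"]][ev["principal"]] += ev["rows"]

    # 3. Volume: bulk harvesting looks like ordinary reads until you add them up.
    for day, counts in sorted(rows_per_day.items()):
        for principal, rows in counts.most_common():
            if rows > DAILY_ROW_THRESHOLD:
                findings.append((principal, f"{rows} rows on {day} (bulk access)"))
    return findings


if __name__ == "__main__":
    for principal, reason in review_access(parse_log(SAMPLE_LOG)):
        print(f"{principal}: {reason}")
```

On the constructed log this reports bob's export, carol's read of payment_card, bob's 85,000 rows in one day, and the partner API key's 250,000-row pull; alice's handful of support lookups never appears. The thresholds and role table are the policy, and they belong in the same review: a quarter in which nothing is flagged usually means the allowlist has drifted, not that nothing happened.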
If You See Something, Say Something
Privacy that goes beyond personal data is also important. You have no business spying on your customers without legal necessity, so if someone upstairs asks you to do that, question it and, if necessary, object. And while most IT professionals know they'll need to manage infrastructure and facilities with an eye out for illegal activity, or even activity that merely violates in-house usage policies, many don't realize it's their responsibility to disclose what they find. Not saying anything is the same as being complicit. Know what the legal limits on surveillance are, and make sure your company adheres to them.
Things Never Blow Over
When things go bad, don't keep it a secret. If you've had a data breach, you'll likely face pressure, at least initially, to keep it quiet. Do yourself a favor and point out as soon as possible that this isn't a good idea. Witness the example of Panera Bread, which ignored its rather massive breach and left customer data exposed for months. Instead, fix the problem as quickly as possible, and know your local legal obligations when it comes to notifying the authorities. If you're asked to violate those obligations, talk to your legal department. When it's time to let everyone know, marketing will no doubt step up, but if it's left to you, be open and tell everyone affected what happened as soon as possible.
Don't wait and hope the problem will blow over. Facebook's executives waited for years, even after they knew about Cambridge Analytica internally, and even after the news broke that 87 million profiles had been compromised. People understand that breaches happen, but they don't understand when you don't fix the problem. And they'll come after your favorite body parts if they find out you knew about it and did nothing. A big reason Zuckerberg is going through so much hell now is that his leadership team advised him to wait, hoping the problem would get better by itself. Universal truth: it never gets better by itself.
As it happens, Facebook did some things right, but I'll bet you have no idea what they were. The reason? The problems it caused subsumed all else. For the record, what it did right included kicking out the Internet Research Agency (IRA) and closing down Russian fake news pages; but in the end, nobody cares what Facebook did right because people can only see their own pain, and that pain was caused by Facebook. Facebook's handling of these problems is high on the list of all-time bad examples, but it didn't start and stop with the senior leadership team. These issues came from systemic abuses that crossed multiple departments, including marketing, legal, and, yes, IT and development, too. It looks like Mark is going to take most of the heat, but that's just for now. These problems could easily begin sliding down the executive food chain at Facebook, and if such abuses happen in your organization there's no telling where the repercussions may begin or end. Do yourself and your organization a long-term favor and speak up about data breaches and abuses before those problems come home to roost on your desk.