As employees of an organization, we generally assume that the data we are working with is being appropriately handled within the IT and security groups and is as secure or non-secure as it actually should be. I can say that during my application developer and tech lead days I didn’t worry much about the data. Well, I did to some degree, mostly because I was working on a government contract with sensitive student financial aid information, but I already had top level government security clearance and I’d already been cleared by the FBI who had contacted just about everyone I knew right up to my grandma. So, naturally, I figured I had done what I needed to do. We have that secure feeling of “I’m an employee and if something happens I’ve been fingerprinted and passed my background check so the liability will be on my company.” At least I felt that way and so did pretty much everyone else on the project.
Now fast forward to today and I’m an independent IT consultant. I help small, medium, and large organizations in just about any way I can – always innovating and offering new services in order to stay relevant and, of course, financially viable. I’m just one person – I don’t usually bring in my own team to consult. I’ve led groups of outside consultants on projects whom I had never worked with or met before – teams assembled by the client. But by far the more common scenario is for me to go into an organization – again, however big or small that may be – and either work individually or lead a group of their employees on a project, process re-engineering task, software rollout, new initiative, etc.
In these scenarios, the consultant is working with client data and managing the team of company employees handling that data. A lot of sensitive data is handled by project team members or company employees working alongside consultants, and often little oversight is given to how that data is transferred and protected. In fact, I’ve been on both sides of the coin, and often the concept of accountability and data security is never really touched on – or it’s greatly minimized. You have that grey area of the consultant assuming it’s handled by the organization and the team assuming the consultant is the one who needs to be concerned about it. Who’s right? What should we do? What can the consultant do to ensure they are covered if unscrupulous employees on their team take matters into their own hands and purposefully or accidentally expose sensitive data, thus creating security breaches?
First, if the consultant is working with sensitive data, liability insurance is a must. In fact, the independent consultant should have this type of coverage ‘just in case’ anyway, because a frustrated client could also come back seeking damages no matter whose fault that last failed project was.
Second, if sensitive data is being handled on the consulting engagement, then appropriate language should be added to the contract to help limit the consultant’s responsibilities when company employees are handling the data. Sensitive data sometimes leaves with company employees – they can be bigger threats than hackers…especially if someone gets fired while holding the data. As an IT consultant, it’s just best to do what you can to get it in the contract before you even start the work…assume the worst and hope for the best.
Finally, ask for and ensure that the proper security clearances – if necessary – are already in place for the company employees who will be handling the data. Of course, it then becomes at least partially your responsibility to ensure that other individuals without clearance aren’t also handling the sensitive data. But that’s just a responsible and value-added move anyway.
The bottom line here is that all data is at risk. All data, any time, on every project. We must account for it as a risk on every project we manage. Some projects involve very sensitive data where it really matters. Some involve important processes but data that matters only to the organization, so the risk is fairly minimal. The definite answer is yes, we should be concerned about data safety on our projects, but we need to weigh that concern against the value and risk of the data so we don’t put too much effort into protecting it if it really isn’t necessary. That’s up to the project manager, team and customer. But the bottom line is that it is all at risk. Period.