Ahh, time flies. It seems like just yesterday we were talking about redaction fails, but somehow that was five years ago!
What could have been happening since then? Data creation, to the tune of 10 times the amount that existed back in 2016, among other things...
Cautionary tales of data leaks usually only warn against the deliberate kind. However, our “fail” examples below are focused on the equally common scenarios where the best intentions and talents stray. With or without a bit of schadenfreude, we can examine these “fails” and hopefully better prepare ourselves with the humility that we all make mistakes, so best to be both informed and as prepared as you can be.
Fail No.1: Paul Manafort’s Legal Team Slips
It used to be that most people were unaware of how or why they inadvertently shared sensitive or confidential data. These days, generally speaking, people are savvier about protecting sensitive data, but knowing about risk is only half the battle. “The best-laid plans of mice and men,” as they say.
From the Microsoft Office suite (and open source alternatives) to Adobe Acrobat and the many other PDF-conversion tools that exist, there's no shortage of ways to create documents to aid in our day-to-day work. And while it's possible to "redact" with some of these tools, the capability to remove sensitive information is often included more as an afterthought, and just as frequently, misunderstood by those tasked with applying it.
The legal team for Paul Manafort was guilty of this failure when they produced a filing with "redacted" text that could be revealed simply by selecting the text, copying it, and pasting it into a new document. Unfortunately, this often happens when the background color and text color are set to match, thinking this has done the trick. So if you're going to reuse document creation tools for data protection, make sure you dig in to see if they're up to the task and keep produced materials labeled distinctly.
Lesson: Tools are more often to blame than talent.
Fail No.2: EU Shares COVID-vaccine Contract
Fails often happen because of this sequence:
Aware of all your data sources? Check!
Data organized such that it won't get lost? Check!
Using tools that check all the nooks and crannies of your files? ...Erm, Check?
To redact safely, you have to be confident the tools are surfacing or addressing everything about the digital file types a common file user may not know about. Document formats are a treasure trove of secret hideouts for your sensitive data, from comments to metadata to hidden headers and footers.
If your team isn't expertly aware of each of these locations, as most aren’t, you could end up like the EU when they published their AstraZeneca COVID-vaccine contract with redacted paragraphs but didn't eliminate the data from the bookmarks bar. It's no small task to ensure you've got all the bases covered, so if you can lean on tools built with this in mind, you'll be setting yourself up for success.
Lesson: Use software that secures the "hidden elements."
Fail No.3: Postal Service FOIA Flub
While researching the Paul Manafort Fail above, I learned about a story involving the Postal Service. Here’s a short summary from the Columbia Journalism Review:
“Also in August, the United States Postal Service responded to a FOIA request for information on a former employee, Abigail Spanberger, who was running for a Democratic congressional seat. The service sent not only public documents about Spanberger, a former CIA officer, but also her unredacted federal security clearance application, including her health information and Social Security number.”
Emergent tasks such as requests for information are always a challenge, (we talked a bit about FOIA this year at Fest), so be sure to ask your team, firm, or provider if they’re familiar with the latest solution workflows that can utilize your existing tools.
Lesson: Even reliable institutions make mistakes with emergent tasks.
Fail No.4: Canadian Government Immigration Case Leak
Unfortunately, issues often compound – particularly when there are tight timelines and high stakes. Recently the Canadian federal government improperly removed sensitive data and missed data when redacting earlier this year on an immigration matter.
Government and corporate teams are facing a trifecta of challenges:
More data to manage.
More tasks to do with that data.
More requests for insight into the data.
So it's critical to ensure there is time for proper training on the tools that will be used for – as well as to introduce quality control steps – to the process of responding to requests for information. Otherwise things – critical information, for example – get missed.
Lesson: Better quality control comes from slowing down, even on a deadline.
I hope we don't do a follow-up to this post five years from now, but there most likely will be “fails” and “leaks,” so with that, I suspect there are a few more lessons for us over the horizon. Do your best to watch for potential stumbling blocks by remembering these lessons and sharing them with others who are tasked with keeping data secure.