Don’t learn the wrong lesson from the Cabinet Files breach
The Cabinet Files security breach uncovered by the ABC this week seems like an episode of that crazy cable TV show Storage Wars, where bargain hunters bid for unclaimed storage lockers in the hope of uncovering hidden treasure.
That a person could pop into a Canberra second-hand shop and walk away with a treasure trove of Cabinet-in-Confidence documents must be a wake-up call for every senior executive in the Public Service: it is time to take record-keeping more seriously. All government agencies must ensure they are assessing the value and risk of their information holdings in an active, ongoing way.
After the cavalier disposal of a locked filing cabinet filled with sensitive documents, the ABC can quite rightly point to “a seemingly casual attitude of some of those charged with keeping the documents safe”.
Unfortunately, people may be learning the wrong lessons from the past few days. Interviewed on ABC’s 7:30 program, Terry Moran suggested that a switch to digital from paper records should be expedited. Opposition Leader Bill Shorten also suggested that spies should just be “shopping in second-hand furniture stores” for sensitive paper files.
Despite the media circus, inadvertent exposure of digital records remains a significant risk. Indeed, electronic breaches can be far more damaging because of the potential to disclose massive amounts of information.
Recent examples include:
- USB memory sticks and CDs with sensitive Defence information left in airport lounges
- The accidental publication of the personal details of 550,000 donors on the Australian Red Cross website
- 500,000 customer records being extracted and sold by an employee of the Bupa health care giant
- Medicare cards being extracted via medical providers and sold using the same ‘dark web’ channels used to resell stolen credit cards
- 3 billion Yahoo! users having their details stolen after a security breach in 2013
I would caution investigators against a witch-hunt to ascertain the identity of the heinous filing cabinet seller. Events like this are a systemic failure, and the solution needs to be systemic as well.
Most record-keeping efforts struggle without deliberate, ongoing reinforcement because of the psychological distance that exists between record-keeping actions and their effects. In short: the consequences of bad record-keeping happen later, to someone who isn't you, somewhere else, and you don't think anything will ever happen anyway.
There are many tools and techniques you can employ to reduce psychological distance. For example, the use of meaningful reports and key performance indicators can make a distant obligation more relevant.
An even more enduring effect comes from running periodic simulations of record-keeping emergencies. These emergencies test organisational responses and mentally reinforce the importance of sound custodianship among business users.
However, the most fundamental aspect of managing records effectively is for staff to understand the value and risk of their organisation’s information holdings. Many government organisations apply the same level of record-keeping care to a routine memo setting up a meeting as they do to a highly sensitive submission to the Departmental Secretary.
Undertaking a value and risk assessment of information holdings by documenting the relative costs and benefits of success and failure, per business process, can be a critical aid for leaders when prioritising information handling improvements.
Finally, as the custodian of Australia’s national interests and champion of better governance outcomes, the public service should take a leaf out of the healthcare sector’s book and consider implementing sentinel events for records.
In healthcare, “sentinel events” are a defined range of unacceptable system outcomes. The goal is for sentinel events never to occur, but if one does, it triggers a centralised reporting process and a root cause analysis to aid future prevention.
In a record-keeping context, this would cover things such as the inadvertent release of Cabinet and National Security documents, and major leaks of personal information about Australian citizens. Mandating reporting and action in response to record-keeping sentinel events would provide accountability and a commitment to improvement that could sustainably fix massive systemic failures like those we have seen this week.
Stephen Bounds is the Executive – Information Management at Cordelta, a Canberra-based professional services company. stephen.bounds@cordelta.com