Last year I returned from a two-week trip to SCCE programs in Europe, and while opening my mail I discovered a tax refund check from the state of Indiana. Since I live in Los Angeles, and the SCCE/HCCA is based in Minnesota, I called immediately to tell them there must be a mistake of some sort.
The man who answered the phone couldn’t have been nicer. He listened to my story and told me I must have been the victim of identity theft. The thieves had made a mistake with the bank transfer information, which is why I received the check.
He told me to fill out an affidavit of identity theft on the IRS site and send it in to him along with the check.
Then, about a week later, I received a letter from Michigan telling me that they had questions about my tax return. By this time, I was annoyed but no longer panic stricken. In fact, I knew the routine, and I immediately sent them the affidavit as well.
And now, I just received a notification that my medical records may have been breached. I knew it was coming – the breach had been in the news. I wasn’t surprised by the letter. I wasn’t angry. My blood didn’t boil. I just sighed and will now explore the identity protection that the health system is providing in addition to the identity protection I have been paying for since I received that Indiana check.
Bottom line: I’ve gotten oddly used to the notion of having my data stolen right, left and center. I’ve gone from wondering if it would happen to when it’s going to happen next and by whom.
It’s a great example of what SCCE Compliance and Ethics Institute speaker Garrett Reisman, a former NASA astronaut, calls the “normalization of deviancy.” In a video interview he did as a preview of his presentation, he talks about how falling foam from the external fuel tank of the Space Shuttle grew to be normal. Everyone knew the foam wasn’t supposed to fall off, and much work went into stopping it, but nothing bad happened, and people were used to it. Then one horrific day we lost the shuttle and all the lives on board.
Letting bad things seem normal is not good when lives are at stake. Nor is it a good thing in business.
There’s the risk that, as more and more breaches occur, management and employees may start seeing them as normal. “It happens all the time, we’re not the first and not the last” thinking could take over.
Careless behavior is already a substantial problem when it comes to protecting data. Laptops and jump drives go missing constantly. Yet despite the frequency of these events, we can’t allow acceptance of the risk to lead to indifference to it.
Much like safety, we have to educate to the point that it becomes rote. That way, even if the workforce stops noticing the risk, we’ve already ingrained the habits that mitigate it.
[bctt tweet=”We can’t allow acceptance of the risk to lead to indifference to it @AdamTurteltaub” via=”no”]