According to a widely published news story, AOL today announced in an inter-office memo that their CTO, Maureen Govern, was fired and was immediately replaced by an interim CTO, John McKinley. A CNN report, however, indicates she resigned.
Govern was in charge of the area that released the search data of 658,000 users covering March through May earlier this year. According to the initial reports about the release, AOL had indicated the data was released for "research purposes" to a publicly available site, but that it was "mistakenly" released and the decision to do so was "not appropriately vetted."
"In response to a torrent of criticism across the Internet, AOL also said it plans to create a task force to review its customer information privacy policy."
The AOL privacy policy is pretty much standard fare…including the statement, "Your AOL Network information will not be shared with third parties unless it is necessary to fulfill a transaction you have requested, in other circumstances in which you have consented to the sharing of your AOL Network information, or except as described in this Privacy Policy."
It will be interesting to see how they update their policy as a result.
Since the AOL spokesperson, Andrew Weinstein, indicated in a BNA news release that this was "a screw up, and we’re angry and upset about it," and also indicated that "AOL is undertaking an internal investigation into the matter to ensure that it does not happen again," these personnel eliminations are likely part of the actions AOL is taking to mitigate any potential fines and penalties and to demonstrate due diligence in addressing the incident.
So, the dismissed employees could have been sacrificial lambs, or perhaps they really did perform their job responsibilities in ways that were either completely negligent of the potential consequences, or maybe purposefully malicious in intent. It will be interesting to see if any statements will be made by Govern…highly unlikely considering she and the other dismissed employees probably signed NDAs.
This AOL incident is a good example of the need for thoughtful, well-communicated and enforced privacy policies and procedures. Put it in your awareness and training file to use so your organization doesn’t make a similar mistake.
- Know your privacy policy and implement procedures to support it.
- Communicate often and clearly about what is considered personally identifiable information (PII), along with the other types of sensitive information (e.g., search data) that, when coupled with PII, can create a huge invasion of privacy and violate your own privacy policies.
- Communicate how to protect PII and sensitive data often and effectively.
- Make business leaders accountable for their decisions and enforce sanctions when they "screw up."
- Very, very basically, don’t use the Internet as your company’s open research data repository! Just because a research URL may not be easy to guess, it usually is very easy to find.
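The "not appropriately vetted" point above is the one a practitioner can actually automate. The following Python is an added example (not code from the post or from AOL) of a pre-release vetting pass over a pseudonymised search log in the three-column AnonID / Query / QueryTime layout; the sample lines, the PII patterns and the history threshold are constructed assumptions for illustration, not a complete policy.

```python
import re
from collections import defaultdict

# Constructed sample log (tab-separated AnonID, Query, QueryTime). IDs and
# queries are made up; nothing here comes from the real release.
SAMPLE_LOG = """\
1001\tweather tomorrow\t2006-03-01 09:00:00
1001\tmy number is 555-867-5309\t2006-03-02 08:41:55
1001\thouses for sale 42 elm street\t2006-03-04 12:00:01
1002\tbest pizza near me\t2006-03-01 09:00:00
1003\tjane.doe@example.com login\t2006-03-05 11:11:11
1003\tssn 123-45-6789 lookup\t2006-03-06 11:11:11
"""

# Patterns that mark a query as carrying PII. Deliberately small; a real
# vetting pass needs a wider set plus human review, since a pseudonymous ID
# does nothing about PII typed into the query itself.
PII_PATTERNS = {
    "phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[a-z]{2,}", re.I),
    "street": re.compile(r"\b\d{1,5}\s+\w+\s+(?:st|street|ave|avenue|rd|road|dr|drive)\b", re.I),
}


def parse_log(text):
    """Parse AnonID/Query/QueryTime lines into a list of dicts."""
    records = []
    for line in text.splitlines():
        if line.strip():
            anon_id, query, query_time = line.split("\t", 2)
            records.append({"id": anon_id, "query": query, "time": query_time})
    return records


def vet_release(text, max_history=2):
    """Flag pseudonymous IDs that make the log re-identifying.

    Two things are checked per ID: PII inside the query text, and a history
    longer than max_history queries, which lets an outsider link many searches
    to one person. max_history=2 is an assumed threshold for the demo.
    """
    by_id = defaultdict(list)
    for rec in parse_log(text):
        by_id[rec["id"]].append(rec["query"])
    findings = {}
    for anon_id, queries in by_id.items():
        reasons = {name for q in queries for name, pat in PII_PATTERNS.items() if pat.search(q)}
        if len(queries) > max_history:
            reasons.add("long history (%d queries)" % len(queries))
        if reasons:
            findings[anon_id] = sorted(reasons)
    return {"release_ok": not findings, "flagged": findings}
```

Run `vet_release(SAMPLE_LOG)` to see that only the ID with a single innocuous query passes; the others are blocked for PII in the query text or for a history long enough to profile the person behind the pseudonym.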