Wednesday, February 27, 2013

Top Secret

In any job you do, any folks that you manage, there will be data that has to be treated with confidentiality. Ok, that's kind of a "duh" statement, there, but let me clarify: you may have company information--intellectual property--or personal information about employees, or something else that must be managed with discretion, if discussed at all at any time when you're working in a managerial capacity, as a project manager or people manager.

For an example of very hard to believe "secret" info, I had a friend when I was in college who had a husband in the military. When they were deployed to Germany, she literally couldn't answer "Where's your husband?" sometimes because saying "on the bus" was literally and technically giving away troop movements while her husband was serving in another country.

This blog is not usually concerned with military maneuvers or responsibilities, though it's a good example of how what seems like very simple, basic data is pretty important to some folks and oddly secret depending on the situation.

Most people have heard the story of Apple employees losing a prototype phone in a bar, twice. That's a very blatant and serious example of being less than smart with company information. There are theories that Apple, after the first time, might be taking advantage of "hey, we left a prototype, start the word of mouth campaign," but honestly, a human being probably just forgot their phone. Whatever the reason, proprietary company information became public information.

We didn't hear too much after the initial loss or after the second one...some articles here and there. Big companies don't like to remain in the spotlight in association with giant security snafus. Most likely, though, those individuals were, at the very least, fired, and may have had to pay the company compensation for potential loss caused by revealing proprietary information.

And that's my point: everyone's aware that there is a lot of important proprietary information floating about. Most people aren't aware of what can happen to you if you don't treat it properly. Much like a person speeding on the highway is pretty sure they'll never crash or get a speeding ticket, a manager or project manager is typically not thinking "how do I keep what I know confidential?" all the time, because it's just not topmost in their minds that what they know could escape them (or their lips, or their desks, or whatever).

Now, I'm not saying that most managers are doing the equivalent of speeding with private information (to thoroughly mix my metaphors), but leaving a resume face up, alone on your desk is a violation of that person's privacy and maybe that of your company's private information practices. Even if you're only gone a second. Warning an employee not to purchase the new car a week before the layoffs--despite the kind intentions--is a clue to proprietary company information that could, with the right people, be exploited to learn about the situation the company is facing before the company is prepared to manage that situation with potential repercussions to stock price, the sale of the business, etc. Using a reserved "code" word for a super secret project accidentally in conversation could be enough for it to show up on a blog and possibly get picked up in bigger outlets...potentially leading to you being fired for the wild speculation that follows the term, even if you never gave context or any additional information. Finally, blatantly sharing information about internal workings of software or hardware or designs between companies--say you pass on ideas from your old company that you created there to your new one--could lead to lawsuits between the companies, as well as hot water for you. Even if you thought up the ideas.

When accepting any position, it's best to know the types of information that you'll be made responsible for, and what kind of data is yours, and what kind of data stays with the company after you leave. The general rule of thumb is that if you created it during working hours, it belongs to the company for whom you created it (you know, while they were paying you), but some companies have you sign agreements that may extend to any creative work in that field at any point during your employment, on site or not (Thought of something in the shower? It belongs to them). Read everything CAREFULLY, and though you might sign thinking that you could easily and willfully break these agreements later, keep in mind it's not just your job you might lose; your pay could be garnished, you could be forbidden to work in your field, and in some cases you could go to jail and/or implicate others to go to jail, or be prohibited from working in their field, etc. I typically review the privacy statements and amend them not to include my creative work outside my chosen field, so, for example, I own the writing for this blog. However, I also write for this blog when I'm not being paid to do work for my company.

As an individual contributor, the world can be a manageable secretive place, but add in project management--with schedules that many people outside the company would salivate for a chance to look at--or people management--where personal data inappropriately protected could lead to very expensive lawsuits to you and the company--and the world expands exponentially into the amount of trouble you can get into by telling a funny anecdote about something that happened at work to your spouse.

Techniques I use to protect the data in my brain are pretty simple: work stays at work, use generalities and get rid of the paper trail. I try not to talk about work at home, primarily because my husband's eyes roll up in his head, and while he does his best to look interested and head nod along, it's kind of torture for him (much the same way hearing about his life as a Scientist was for me, which, you'd think would be exciting, but you'd totally be wrong).

Otherwise, I don't typically talk about work other than in generalities. Specifics are typically pretty meaningless when you're venting anyway: "Director of Made Up Title, John Doe is asking for the entire demo tomorrow when the Java code isn't scheduled to be started until February 28th" is more work than it's worth when "Crazy Director wants demo before code has been started" gets my point across a lot better without revealing details about internal workings (like people's names and specified dates and times for demos of specific features in specific coded languages).

Note, I called him a "Crazy director" which, while a generality, could still get me in trouble depending on who repeated it. It's not something I'd say to a co-worker, for example, but it is something my spouse could nod his head to and actually feel like he was part of the conversation without having to understand the delicacies of project or people management.

Finally, get rid of paperwork. Remove unsecured files from insecure file locations that have private information in them, either about your project, or individual team members, or even people you were looking at hiring. Shred resumes. Anything an identity thief could use to really screw with you or someone else--get rid of it. Safely. Securely.

Part of being a manager is accepting responsibility for the things that happen to your team, within your company, and in relation to the work. Part of accepting that responsibility is recognizing that lightning does strike people occasionally, and just because it hasn't ever happened to you--and chances are very remote it ever will--doesn't mean you and yours should dance outside in a thunderstorm.


The apple bar phone
Treat this like it's a million dollars
