[Company locations, company names, and employee names have been changed for their privacy.]
Because work efficiency is so highly valued within companies and organizations, internal data leakage prevention is still taken quite lightly among U.S. companies, even after the Snowden incident. If someone insisted on introducing a company to an internal data leakage prevention system (which can cause a variety of work restrictions), the company would likely just brush the suggestion off on the grounds that he or she doesn’t understand American work culture.
However, an incident occurred during a business collaboration between a Japanese company and an American company. Watching the possible internal data leakage unfold made it clear that this security risk can’t be traded away for the work efficiency culture of the U.S. The following story is an adaptation of real events that occurred in Silicon Valley. We hope that this story will change your mind and help you consider an internal data leakage prevention system as a foundation of trust that keeps not just your company’s data safe but your business partners’ as well.
John has been an employee at company A (hereafter “A”), a fast-growing multinational Japanese company, for three years. He participates in a new product development project at the Japanese Research and Development center. His job often requires him to go on business trips to Silicon Valley and work with collaborative partners.
When John first started working there, he was introduced to A’s strict data security system for the first time and felt restricted by the rules. Among them, John could not bring any personal storage devices into the office and could not send any data anywhere outside the office without the security manager’s approval. Naturally, all devices that are allowed in the office are protected with passwords.
John’s next business trip to Silicon Valley was to meet with company B (hereafter “B”), a Silicon Valley-based company that is partnered with A. This trip was very important to John because he was to discuss with B’s engineers the results developed by over a hundred engineers across the two companies over the last two years, and finalize the plans to launch a new product in six months. To bring the company laptop loaded with confidential conceptual drawings to discuss with B’s engineers, he would have had to get approval from his security manager first. But John was worried that the company laptop contained other confidential data, the loss of which could be devastating to his company. He also realized that the data security software would not work without an internet connection, which would leave him unable to work. So instead, A’s security manager let John sign an official memorandum guaranteeing the destruction of the hard copies of the confidential data after the business discussions, and off John went with the paper copies.
On the first day in Silicon Valley, the business meeting went well. Tom, an employee of B, wrote detailed minutes of the meetings in place of A, because John had not brought any company laptops from Japan. Tom also held onto the conceptual drawings because they were used often for discussion throughout the string of meetings. It was decided that the hard copies would be destroyed once John received the final minutes after the final meeting of the business trip. After the second day’s meeting, John felt confident that they would be able to achieve the outcomes they had hoped for after two years of effort and overcoming hardships together. He assumed that he could send the good news to A’s management.
The only thing that made John uncomfortable was that Tom, an employee of B, carried and used his personal laptop, which contained data about the conceptual drawings and other confidential data, even at home. Before becoming accustomed to A’s rules and regulations on information security, John might have envied Tom for his ability to work freely no matter where he was, but now John worried that Tom might lose the confidential information. John wanted to insist that B follow A’s data security rules, but decided against it, thinking that it was a cultural difference and none of his business.
On the last night of the business trip, John, Tom, and the other members of the meeting went to have dinner together to celebrate their progress and achievements. They parked their cars in a public parking lot near the restaurant. But after dinner, something terrible happened. The windows of three of their cars had been smashed, and the laptop bags containing the laptop with the confidential data and the hard copies of the conceptual drawings had been taken. The crime scene drew more attention as policemen, security guards, and bystanders gathered around it. One of the policemen mentioned that it would be difficult to find the lost items because this appeared to be a common occurrence in the area.
Now, the only thing John can do is hope that the items were not stolen by an industrial spy hired to obtain A’s confidential data. The worth of such documents could easily reach tens of millions of dollars. A and B certainly don’t want this incident to be exposed to the public. If one of their competitors got hold of the confidential data and launched a similar product earlier than A and B, no one would ever know that the new product had been developed by modifying the data lost by the two companies.
It is very unfortunate that B does not have strong data security systems in place like A. No matter how good Tom’s work efficiency is, it is not worth millions of dollars. Once John had familiarized himself with the internal data leakage prevention system, he no longer thought it caused as much work inefficiency. After all, if a strong data security system made work as highly inefficient as most Americans seem to think, how has A grown so quickly into the big multinational company it is today? Now John has to report this disaster to his boss and his company’s security manager. They will most likely urge B to match the strictness of A’s security rules and regulations for the sake of its partnership with A. If not, A may have to look for a different partner that will adhere to its security regulations.
A has achieved a lot through its partnership with B, but A lost data worth millions of dollars because of B’s poor data security. How can that ever be compensated?