You've got to feel for Tom Whittington. The CIO of California's Contra Costa County, across the bay from San Francisco, just found out that copies of hundreds of internal e-mail messages containing financial data and private employee information have been inadvertently sent to a Swedish company over the past two years.
It's not as if Whittington sat on his hands, ignoring the problem. He didn't know about the address book glitch that caused it. There was no indication of anything being wrong. He was blindsided.
Was there anything he could have done?
Not that I can see. Or at least, not without the kind of unlimited budget that doesn't exist in any real-world IT organization, much less in a government IT shop at the county level.
Actually, Whittington was comparatively lucky. The e-mails, many of which were stuffed with financial and personal data, were intended for someone in the county auditor's office. Instead, they ended up at Ord&Bild, a Swedish Internet company. And after they started arriving there, Ord&Bild repeatedly sent messages to tell senders of the wayward e-mails about the problem, according to Ord&Bild managing director Robert Carlesten.
But those messages got no response. And nobody told Whittington about the messages. He didn't learn about the problem until Carlesten contacted Computerworld reporter Dan Verton, who called Whittington.
Whittington was lucky that the data was kept confidential and not put to some malicious use. But he would have been a lot luckier if there hadn't been any wayward e-mails in the first place.
But what could he have done to prevent it? What can he do to keep it from happening again? That's what Whittington and his staff are trying to figure out now. None of the obvious options are very good.
Cut off the e-mail system from the rest of the Internet? That would protect the data, but then residents couldn't use e-mail to communicate with their government.
Put in two parallel e-mail systems -- one for internal messages and another for e-mail going to the outside world? That's a huge kludge for users to navigate.
Install outgoing-mail whitelists (which specify legal destination addresses) or blacklists (which list addresses that mail won't be delivered to)? That's impractical -- whitelists are too restrictive, and blacklists can never be comprehensive.
Eliminate address books from county users' machines so they have to type addresses manually? That would have avoided the glitch that caused the misdirected e-mails: a garbled address in one user's address book. But it would generate many more mistyped addresses.
Set IT staffers to work poring over outgoing e-mail logs, looking for potentially inappropriate destination addresses? That would be spectacularly labor-intensive and would generate huge numbers of false positives to investigate. And how would they know what to look for, anyway?
The perfect solution might be to somehow tag sensitive data so it could be automatically blocked at the firewall. That would only require rebuilding all the county's systems from the ground up, embedding tags in all the data and then customizing the e-mail system to make sure the tags don't get removed. Good luck getting the budget for that past the county board.
Whittington's team is still investigating what happened and what to do next. Whittington himself hopes better training for users and clearer policies about attaching data to e-mails will help.
Think there's a better way? Whittington would like to hear it. So would the rest of us.
Because what happened to Tom Whittington and Contra Costa County is just waiting to happen to every other organization. And the next one the problem hits may not be so lucky.
Frank Hayes, Computerworld's senior news columnist, has covered IT for more than 20 years. Contact him at frank_hayes@computerworld.com.