This was huge. It was my turn to take a deep breath. Why, I wanted to know, are we storing client data on an external Web server? That flies in the face of everything having to do with security! The answer: It had always been done that way. I took another deep breath and pondered some realities. Our inexperienced webmaster is responsible only for content, while our Web site management is outsourced to the state-level webmasters. Our Web sites are hosted by the state in its data center. With so many cooks, it's not surprising that a disconnect of this sort could happen.

Before he left, I told the webmaster, "This weekend, you cannot allude to this even in casual conversation unless you want to see our agency on the front page of Monday's paper -- understood?"

There was nothing that could be done over the weekend, and the immediate error in configuration had been fixed. I needed to think about what steps to take. I knew that the law states that an "unauthorized disclosure" has to be reported in a timely manner and that all persons whose personal information is compromised must be notified. And I had developed the incident response policies and procedures, so those didn't worry me. But a political misstep would be painful for our agency.

On my way out the door, I dialed my boss's cell phone number but got no response. That was OK; I wasn't ready to talk to him yet. The weekend was a sleepless one. I tried to distract myself with family duties, but I thought about the incident every minute.

Monday Morning Blues