Without getting into the politics, there are a lot of lessons from the current kerfuffle over Susan Rice and the unmasking of names in security reports.
If
- one defines “Information Governance” as how an organization manages its information, and
- the names of the US citizen(s) are clearly information received in the course of the organization’s business, and
- Ms. Rice was clearly an employee (and therefore an agent) of the organization
Then we get insight into how the organization manages that information.
How does the organization restrict who can see what, how does it restrict and track the transfer of that information, and how does it restrict or control the storage of that information? These restrictions are designed to make sure that agents of the organization comply with the applicable statutes and policies against disclosure and misuse. Who “owns” this information? Who (beyond the person who doesn’t follow the restrictions) in the organization is responsible (and accountable) if those restrictions are not followed? Can people injured by the breach (if any) sue the organization whose agent breached the law? How does the behavior here measure up against the ten-part measuring stick of compliance under the Federal Sentencing Guidelines Manual, and if the answer is “not well,” then who gets penalized? Who, if anyone, had a duty to report up when they saw that information had been unmasked and distributed (if indeed it was distributed)?
Interesting parallels to the Information Governance issue in the corporate environment.