
Introducing #CollaborationDisasters

At Every Turn TakeTurns Blog | by Conrad Chuang, CMO

This week, we’re launching #CollaborationDisasters, our blog series on the problems professionals encounter when collaborating with counterparties on important documents and files (that is, collaborating at arm’s length).

The name was inspired by 1970s disaster cinema, which includes movies such as Airport, The Poseidon Adventure, and, of course, a personal favorite, The Towering Inferno.  In the series, you can expect to see a lot of posts on #EmailFails since email is still the most common way professionals collaborate at arm’s length. (In fact, they’re so frequent we thought about calling this series #EmailDisasters).  

Like real natural disasters (Flood!, Earthquake!, Avalanche!), collaborations can fail in a wide variety of ways. However, for arm’s length collaborations, Armageddon almost always involves a breach of trust. It’s a bit different from arm-in-arm collaborations, where there’s often a high degree of assumed trust. After all, most people don’t expect their internal Slack channels to devolve into a City on Fire[1]. In arm’s length collaborations, while parties need some trust to initiate the collaboration, the parties will often maintain a more circumspect “Trust, but verify”[2] stance throughout the process, requiring both transparency and accountability from everyone involved.

This is one of the reasons why many #CollaborationDisasters are trust-related: misunderstandings created by missing or lost communications or the use of the wrong documents and files; losses of confidentiality created by inadvertent disclosures, data leaks and breaches; and sui generis situations, such as including the wrong people in a collaboration. We hope to explore the topology of disaster through this series.

Another thing worth keeping in mind is that for arm's length collaborations, breaches in confidentiality can manifest in two subtly distinct manners, each with unique implications.

In these sorts of situations, each party has access to two types of spaces - a private zone for their internal deliberations and a ‘common’ space shared between parties. This common space or collaboration space is often hosted by one party or the other.[3]  Breaches within the individual zone, like an unintentional leak of their negotiation strategy, harm that party. However, when the common space is compromised, it results in damage to all involved. 

Consider some recent reporting by Krebs on Security, a great source of cybersecurity news. It turns out that “Many Public Salesforce Sites are Leaking Private Data.” Sites belonging to governments, banks and healthcare providers are unintentionally exposing private and sensitive information due to a misconfiguration issue.  For example, “TCF Bank had a Salesforce Community website that was leaking documents related to commercial loans. The data fields in those loan applications included name, address, full Social Security number, title, federal ID, IP address, average monthly payroll, and loan amount.”  For everyone involved it’s a #CollaborationDisaster. 

Mr. Krebs’s article and the majority of reporting around this Salesforce issue have been focused on misconfiguration. And rightly so: the days and weeks after a systemic cause is uncovered are the “platinum ten minutes” or “golden hour”[4] that cybersecurity professionals use to stabilize the situation. That said, there is a more fundamental question that’s missing from the debate.

Specifically, why is the collaboration platform being used as an archive?  For example, one would assume that once the loan application (or application for unemployment) is complete and approved (or rejected), the content and documents, such as an IRS CP 575 (Employer Identification Number) or identity documents, would be removed from the transactional system and archived. Archives are required for compliance reasons (e.g., to prove adherence to laws and regulations), but the transactional system itself should not be an archive. Not only does it make the application that much more logy, but it also makes the remediation after a security breach that much more painful.   

In fact, we covered similar points when we discussed email as an archive.  It’s one reason why TakeTurns uses an ephemeral storage approach for the collaboration content.  After all, when you’ve reached the end of an approval process or a negotiation, does it make sense to preserve that content in the shared space for some indefinite period of time? We don’t think so, but this is probably a topic for a much longer blog post at some point in the future.

Have you ever experienced or seen a #CollaborationDisaster? We’d love to know!  

Please email your disasters to hello@taketurns.com and in your email let us know if we can share your name.  Please keep in mind that as a policy, we will never share any identifying details of the parties involved.  For those stories we choose to publish (anonymously or attributed) we’ll enter you to win a free year of TakeTurns, your best platform for collaborating with counterparties on docs and files.

[1] The key word is expects. No one expects that their Slack channels at work will be awful. But then again, did anyone expect the Spanish Inquisition?
[2] This phrase comes from an old Russian proverb, “Doveryai, no proveryai,” that rose to prominence back in the 1980s during the arms control negotiations with the USSR (https://en.wikipedia.org/wiki/Trust,_but_verify).
[3] We think that these collaborations should take place in an environment where the parties are on equal footing. Because in collaborations with other organizations you are peers – one organization does not dominate the other. 
[4] The term “golden hour” was coined by Dr. Adam Cowley back in the 1970s. It describes the concept of quickly treating injuries before potentially fatal damage from shock affects body organs (https://www.nytimes.com/1991/11/01/us/dr-r-adams-cowley-74-dies-reshaped-emergency-medicine.htm). The companion term is “platinum 10 minutes.” This is based on the concept that seriously injured patients should have no more than 10 minutes of scene-time stabilization by emergency medical personnel prior to transport to definitive care at a trauma center (http://jlgh.org/JLGH/media/Journal-LGH-Media-Library/Past%20Issues/Volume%209%20-%20Issue%201/Rogers9_1.pdf).