On an early April morning in 1953, Union Pacific 4005, known as “The Big Boy”, was hauling sixty-two cars westbound at nearly 70 miles per hour along the tracks in southern Wyoming. Weighing in at a whopping 1,200,000 pounds, Big Boy was the biggest steam locomotive ever built.
At about 9:55 AM, the massive locomotive barreled toward Red Desert where the switch operator had erroneously opened the siding switches due to a miscommunication in the morning’s track line-up message.
An eyewitness recounts the incredible event: “the head brakeman and the fireman were screaming at the top of their voices to the engineer, STOP, STOP, RED SWITCH AHEAD! But it was too late.”
The 4005 entered the open switch at 50 mph, causing it to careen off the rails and skid along its left side, tearing up rail and roadbed. The locomotive, tender, and first 18 cars derailed. The cab of the locomotive was destroyed as the tender tore into it, twisting and smashing the metal. The first 12 cars were badly damaged and piled in a 70-foot-high heap. The engineer and fireman aboard were killed instantly.
While the engineer had many controls in the main cab of the locomotive and made an emergency attempt to brake, the train nonetheless entered the siding rails at an unsafe speed. The scattered load of dead hogs, tractors, typewriters, coal, sewing machines, and other goods was not the result of a single point of failure. Rather, it was the result of a systemic breakdown in communication and culture.
What does this massive catastrophe teach us about privacy and responsible data stewardship? A large-scale breach of personal data can feel just like the 4005 wreck. The collateral damage from such a breach is broad and not easily remedied. In order to prevent the loss of personal data, we must establish a culture of privacy by design and responsible data stewardship.
Recognizing that no single control can prevent a data disaster, we must retrofit existing processes and design new systems around these control planes:
- Visibility – “What assets are we protecting?”
- Auditability – “Are we compliant with applicable regulations?”
- Controllability – “Are the location of, and access to, our data properly controlled?”
- Agility – “How quickly can we adapt to change?”
- Automation – “Are our processes repeatable?”
- Scale – “Are we scaling to meet the demands of our constituents?”
When we work these six control planes into our culture of design, we are better prepared to avoid a massive privacy train wreck. GDPR gives us an opportunity to assess the current maturity of our data stewardship and the associated risk levels. If we take advantage of the impending deadline to review our current posture, we can emerge with a genuine opportunity for transformation rather than a “check-the-boxes” response.
*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Privacy specialists can help you make sense of and comply with GDPR.*