Planning for failure and developing a business backup plan


Matthew Chambers is an intellectual property & information privacy attorney at Spengler & Agans in Charlotte, North Carolina. After graduating from Indiana University law school, he founded a digital media startup that distributed films to streaming services. He transitioned to consulting startups and businesses with a focus on data privacy. He is a Certified Information Privacy Professional for the United States and Europe (CIPP/US, CIPP/E), accredited by the International Association of Privacy Professionals.

In the cult comedy Office Space, three coworkers grow tired of working as software developers at Initech, eventually concocting a plan to steal from the company with malware. They dream of quitting their soul-crushing jobs, but the plot goes awry when the virus takes too much money. Knowing the scam will be quickly discovered, Peter Gibbons returns the cash along with a note taking all blame. He prepares himself for federal prison. Unbeknownst to Peter, another disgruntled employee, Milton Waddams, finally reaches his breaking point after Division Vice President Bill Lumbergh takes his prized red stapler. He burns down Initech, along with all evidence of Peter’s crime. Milton takes the money overseas to retire on a beach, and Peter finds a more fulfilling job cleaning up Initech’s burnt ashes. The business is rubble, and almost everyone learns a lesson.

Businesses can learn a lot from the 1999 romantic comedy. First, there’s a lesson about employee morale and improving management relationships. Second, there’s a lesson about planning for business continuity. Like most modern businesses, Initech’s most crucial asset was data. Data includes software, business plans, graphic designs, customer contacts, marketing material, licensing agreements, employee information, leads, and everything in between. Insurance can be helpful, but it cannot replace business data developed, engineered, and researched over the years. Clients will be forced to move to another company while Initech tries to rebuild its software, contacts, and processes. The fire has effectively closed Initech for good.

There are standard risks to all organizations, including disgruntled employees, fires, or both. Hackers, malware, trojans, and viruses have increasingly forced entire companies to stop operation or close. Hackers used ransomware to shut down hundreds of dental offices after infecting their cloud service providers. Ransomware forced entire cities like Atlanta and Baltimore to spend millions recovering their data. Smaller towns have paid hundreds of thousands in ransoms. Some companies are not as lucky and have to close up shop. Not only can data outages cost thousands in lost revenue, but there is also a possibility that data is gone forever. Just as important as firewalls and password-protected computers is business continuity planning. 

All businesses should strive to keep their data confidential from unauthorized users, secure from changes, and accessible to approved employees. This last requirement may feel like the least important, but data is not easily replaceable. A data breach can cause a lot of headaches and costs, but losing access to company information can mean the end of business operations in a split second.

The simple fact is hackers are growing more advanced while more data is heading online and onto cloud platforms. The risk increases every day for dentists, governments, and every business in between. The risk of a fire set by a disgruntled employee may be small, but now companies must be aware of an array of dangers that could shut them down.

Employees know information privacy practices as annoying requirements. Long, complex passwords that must be changed weekly and blocks on personal email from company computers are some great examples. However, protecting a company starts from the top and requires updates to many processes and policies. Some organizations do not understand that protecting their data and how they do business takes more than just a robust IT infrastructure. Security does not begin and end with the tech guy.

Data privacy policies will review a company’s physical, administrative, and technical guidelines. In Office Space, physical safeguards would limit Milton from accessing the office in off-hours and would recommend basics like water sprinklers. Administrative safeguards would prevent Peter from authorizing the installation of malware. Technical safeguards would require secure, off-site data backups. 

The first two steps prevent data loss, while the last helps business continuity. Business continuity planning was once an expensive premium service used by national banks and international businesses. The rise of sophisticated hacks has resulted in affordable cloud-based data backups and a strengthened focus on improved information privacy practices. Business continuity is broader than preparing against hacks.

There should be a plan not only for nefarious hacks but also for basics like Internet outages or losing access to cloud-based software. When a nationwide restaurant chain lost service to their point of sale systems, they stood to lose millions until they could again electronically process credit cards. Instead, their business continuity planning included keeping a credit card imprint machine at each restaurant.

How did they plan for such a problem? After a public, embarrassing hack years prior, they revisited and improved their information privacy policies and procedures to prevent future data breaches. This top-level improvement led naturally to business continuity improvements. After their first major breach, it was apparent they could no longer afford not to invest in planning for disaster. The chain has since seen robust growth, no further data breaches, and success where competitors would suffer.

Businesses can no longer afford to ignore data risks. Hackers are hitting more organizations, small and large. Even third-party cloud-computing applications can shut down unprepared companies for days, if not longer. Planning for the worst can make an organization more competitive, keeping clients happy with continuous services. A Certified Information Privacy Professional (CIPP) privacy attorney can tailor industry-leading policies to any organization and comply with state, national, and international data privacy laws. With bigger and bigger breaches, organizations will focus more on business continuity planning. Learn from Bill Lumbergh. He would still be Division Vice President at Initech if he had planned for disaster instead of asking employees to work on weekends.