Thanks very much.
I'm still a little bit concerned about the actual process for making sure this never happens again. I was a bit surprised to learn that the engineer who made this assumption about whether it was a significant privacy breach is still employed by Google.
As we try to push responsibility for making decisions in organizations down as far as we possibly can, I'd like you to outline what special privacy training will actually look like. Will the offending engineer be the person delivering this as some sort of equivalent to community service? I don't understand how this person can excuse what they did. I don't understand why they're actually still working for Google.
In every sort of training I've ever done, whether it was with family practice residents or new candidates, the basics are: know what you know, know what you don't know, and know to whom and when to go for help. If people are making this gross kind of assumption about what is or isn't a privacy problem, I'd like to know what kind of curriculum you're going to deliver. What does “intense training” mean when somebody at that level has been able to pull off this rather massive breach with whatever previous training there was?