I do data protection for a living. I still found my son's first messaging account harder to set up than any audit I've run. Not because the apps are complicated, but because of how much I was quietly deciding for him. The phone number, it turns out, is the decision that outlasts all the others.

Mishandle your own bank details and an alert fires within the hour. Mishandle a child's data and nobody calls. The harm, if it comes, comes years later, somewhere you'll never see. This is what makes stewardship harder than compliance.

A few years ago I mapped a school's data, system by system. The admissions platform stopped me. Ten years of applications. Children who enrolled, children turned down, all still there. I asked why. Nobody had decided to keep it.

When the Canvas breach hit the news, it pulled me back to PowerSchool. Not the breach itself. The conversations that followed it. Good people who looked at what had been leaked and arrived at the same question: how damaging can this really be?

A phishing email from what looks like a trusted colleague. The right name. A real project. Sent on a Friday afternoon when people are moving fast. These aren't lucky guesses. They're built from data. And most of that data wasn't stolen from anywhere.

A few years ago I ordered a vinyl pressing of Zooropa. A text arrived saying I owed €6.47 in customs duty. It looked real. I tapped through, entered my card details, and got on with my day. Forty-five minutes later, my credit card's fraud team caught it.

You share your screen in a meeting. You start typing the URL of a doc. Your browser drops a list of suggestions in the address bar. Some are work. One is something you searched for at 6:47 AM that you never planned to share with the room.

You did everything right. Sixteen characters. Uppercase, lowercase, numbers, symbols. Nothing anyone could guess. Then the company holding that password got breached. A hundred million credentials leaked onto a forum you've never heard of. The password wasn't weak. It was just shared.

It was framed as anonymous. Staff were told their responses were confidential. The form asked honest questions about workplace culture, management, and morale. The responses went into a Google Sheet. That sheet was sitting in a Shared Drive. Anyone in the company could open it.

A new tool lands in your inbox. You click the setup link. There's no Sign in with Google. You know what you should do. You do what you shouldn't. You type the same password you use for everything else. This isn't a character flaw. It's a predictable response to an impossible demand.

You got a hardware upgrade. You handed your old work laptop back to IT. You closed the windows, shut the lid, and walked out with your new machine. But you never clicked Sign Out. Whoever opens that laptop next is signed in as you.

A Kahoot login. A Calendly link. A free PDF tool. Each one is still connected to your Google account. Still with permission to read your email, access your calendar, and in some cases view files in your Drive. Every time you clicked Sign in with Google, that connection stayed active.