Taylor’s post about our growth in 2011 included a bunch of numbers showing how the pistons inside the 37signals engine are pounding faster, but it all got swept away by what seemed like an innocent side-note: The 100 millionth file was called cat.jpg.

Being as it is that the internet is constantly accused of being just an elaborate way of sharing pictures of cats, we thought that was funny. But it wasn’t. We shouldn’t make jokes about anything even remotely related to people’s data.

Because the natural train of thought from there goes: Hey, if they saw the file name cat.jpg and shared it with the world, what’s to prevent them from sharing other data? Actual sensitive data, like Downsizing-Plans-2012.pdf? Hell, what if they’re actually looking at my secret new logo and leak it to the press?

That’s a completely legitimate train of thought to ride and it was our mistake to get it on track. So let’s start with first things first: We’re sorry. We made a mistake. We should have thought it through and remembered that storing your data with someone else in the cloud hinges on a fragile layer of trust. We poked that trust in the eye and it was wrong. We shouldn’t have checked the log files to see the name of the 100 millionth file.

So what’s a business to do from here?

Well, we could:

  1. Let heads roll, either through a public reprimand or even outright firing. Pinpoint blame, call it an isolated rogue employee, and dish out hard punishment.
  2. Form new institutional scar tissue and require that all future SvN posts be reviewed and approved by senior management before being posted.
  3. Try to cover up that it even happened by removing the remark from the original post, censoring comments, or even deleting the whole thing and pretending that would make it go away.

History is littered with examples of all three approaches, but none of them felt just, moral, or us. So we came back to our guiding principles on all things 37signals: What would we feel would be proper if we were wronged? First, apologize like a grown-up and own up to the mistake.

Second, how can we turn this mistake into a point of pride? A good place to start would be our privacy policy, which we basically haven’t touched in years. While not as bad as some, it’s surely not a page that has us radiating with pride. If I were a customer, I’d want to know 1) who can access my data, 2) under what circumstances that will happen, 3) how law enforcement requests are handled, and the like.

So that’s what we’re going to do. We’ve started a project on Basecamp Next to reform the privacy policy to make it current, relevant, and as human as possible.

What would you like to see in it?