In “If You’re Collecting Our Data, You Ought to Protect It” in the Business Section of The New York Times of February 17, 2013, Natasha Singer describes how a data breach involving the personal nonpublic information of some 40,000 current and former NASA employees was preceded by an awareness program that accurately anticipated the subsequent breach.
The article goes on to discuss the fact that the data on the stolen laptop were not encrypted, and the various personnel and legal activities that resulted. But to my mind, the most important statement in the piece was by Dr. Robert M. Nelson of the Jet Propulsion Laboratory, which is part of NASA. He asked: “Why does NASA need personal data unrelated to our work …?” He also questioned why the data were treated in “such a cavalier way,” left unencrypted on a laptop that was then stolen from a car.
In my opinion, that question of the need to collect the data at all is the crux of the matter; the encryption is secondary. Why is so little thought put into the potential consequences of collecting and distributing highly sensitive data? I have long argued that convenience is no excuse; rather, it should be inconvenient even for authorized individuals to get at and replicate such data. We seem to be governed by the need to give quick and ready access to all manner of data and not to upset the “users” by putting hurdles in their path.
Well, guess what … a little forethought and inconvenience is a small price to pay for the comfort of knowing that the data are protected, released only when absolutely needed, and then only under strict monitoring and control. The multiple billions of dollars of intellectual property blatantly stolen every year could easily be reduced if access to and distribution of that property were strictly limited.
Yet even such an approach has its own limitations. Over time, controls over data become hazier and less stringent, as those who understand the need to restrict access to and distribution of particular information are bypassed or ignored when new requirements come into play. The dynamics of data creation, use and protection are constantly working against us. Perhaps one specific application required Social Security numbers, but nobody thought to block or mask SSNs for the subsequent applications that didn’t require them. I wrote about this in January 2007 in the article “The Dynamics of Privacy Risk,” ISACA Information Systems Control Journal, available at http://www.isaca.org/Journal/Past-Issues/2007/Volume-1/Documents/jpdf0701-the-dynamics-of-privacy.pdf
These ideas are clearly not new, but to be effective they need adequate attention and the assignment of resources of suitable level and capability. I like to use the analogy of damming a river. The closer to the source, the easier and cheaper it is to construct a dam. If you try to dam a river estuary, the cost is many orders of magnitude greater. So it is with data. Restrictions close to the origin of the data are less costly and easier to implement than attempts to corral the data once they have been released to larger populations of users. Combine this with the difficulty of implementing effective identity and access management systems, and you have a situation that naturally leads to the kinds of data breaches and compromises publicized every day.
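As an added illustration of the two preceding points (masking SSNs for the applications that never needed them, and placing the restriction at the origin of the data rather than downstream), here is a small Python example. It is not code from the article or from NASA; the record fields, the purpose names and the sample record are all constructed for the illustration. The system of record keeps the full record, and each downstream use must be registered with the exact fields it may receive before it can get anything; the SSN is masked unless a purpose was explicitly granted the full value, and every release is logged.

```python
"""Purpose-based release of personal data at the source (added example).

The owner of the record decides, once, which fields each registered purpose
may receive. Consumers never see the whole record, so a later application
that has no need for the SSN cannot accidentally inherit it.
"""
from dataclasses import dataclass

# Constructed sample of what an HR system of record might hold on one person.
SAMPLE_RECORD = {
    "employee_id": "E-1001",
    "name": "A. Example",
    "email": "a.example@example.org",
    "ssn": "123-45-6789",
    "home_address": "1 Example Lane",
    "badge_level": "contractor",
}


def mask_ssn(ssn):
    """Keep only the last four digits; reject anything that is not a 9-digit SSN."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("not a 9-digit SSN")
    return "***-**-" + digits[-4:]


@dataclass(frozen=True)
class Purpose:
    """A registered downstream use and the fields it is allowed to receive."""
    name: str
    fields: frozenset
    full_ssn: bool = False  # granted only to a use that genuinely needs the full SSN


class DataSource:
    """The 'dam near the source': all releases go through this one choke point."""

    def __init__(self):
        self._purposes = {}
        self.audit_log = []  # (purpose, released field names), one entry per release

    def register(self, purpose):
        # Registering a purpose is the decision point; it happens once, up front.
        if purpose.full_ssn and "ssn" not in purpose.fields:
            raise ValueError("full_ssn granted to a purpose that does not receive ssn")
        self._purposes[purpose.name] = purpose

    def release(self, record, purpose_name):
        """Return only the fields the named purpose may receive, SSN masked by default."""
        purpose = self._purposes.get(purpose_name)
        if purpose is None:
            # Unknown uses get nothing rather than a convenient default copy.
            raise PermissionError(f"unregistered purpose: {purpose_name}")
        released = {}
        for name in purpose.fields:
            if name not in record:
                continue
            value = record[name]
            if name == "ssn" and not purpose.full_ssn:
                value = mask_ssn(value)
            released[name] = value
        self.audit_log.append((purpose_name, tuple(sorted(released))))
        return released


def build_demo_source():
    """Wire up three constructed purposes with deliberately narrow field sets."""
    src = DataSource()
    src.register(Purpose("badge_printing", frozenset({"employee_id", "name", "badge_level"})))
    src.register(Purpose("hr_helpdesk", frozenset({"employee_id", "name", "email", "ssn"})))
    src.register(Purpose("payroll", frozenset({"employee_id", "name", "ssn"}), full_ssn=True))
    return src


if __name__ == "__main__":
    source = build_demo_source()
    for purpose_name in ("badge_printing", "hr_helpdesk", "payroll"):
        print(purpose_name, source.release(SAMPLE_RECORD, purpose_name))
    print("audit:", source.audit_log)
```

The point of the design is that the allowlist lives with the data owner, not with each consumer: adding a fourth application later means registering a purpose and arguing for each field, instead of copying the full record and hoping someone remembers to strip the SSN afterwards.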