Published: 01 Dec 2003
July 1 was a sad day for the infosecurity community. That's when the California General Assembly forced all companies doing business in the Golden State to notify their customers if their private data was exposed through a security breach. This is just the latest and most dramatic evidence that we are failing in our duty to protect the most sensitive information of all -- that which concerns private individuals.
When the nascent computing community first began addressing data control issues in the '60s, inappropriate access was characterized as being a "loss of privacy." Unfortunately, privacy fell off our radar screen once the sexy and memorable CIA security triumvirate of confidentiality, integrity and availability became the single model for understanding information risk.
Western society believes that individuals have the right to discretion regarding potentially embarrassing information about their health, finances, family background and personal habits. It's considered a basic human right that the subject of such information is the "owner" of it, and the owner has the privilege of choosing who may have access to it.
Unfortunately, journalists, private investigators, information brokers and hackers know how to obtain poorly secured personal data. Identity theft is just one of the possible outcomes of stolen personal information, and perhaps not the most significant. Blackmail, career setbacks, broken relationships and personal embarrassments are other tragic consequences of inadequately protected private information.
Financial, legal and customer data is highly vulnerable in an electronic format. Internet history is replete with examples of hacks that captured individuals' personal and financial information -- such as the 1996 breach of a Florida database that exposed the case histories of 4,000 AIDS patients, the 2000 hack of CD Universe that compromised more than 350,000 credit card accounts, and the 2002 attack on the California State Comptroller's office that exposed more than 265,000 state employees' retirement fund data.
Given the growing public outrage, it's time that we realize that privacy failures are infosecurity failures. We are the only profession that's tasked with finding and assessing sensitive information, securing it, and reacting when that information is stolen or manipulated. Simply put, nobody but security professionals can or should protect privacy data. Even if we don't always recognize this, the U.S. Congress does and is looking to craft a federal version of the California law, as well as other security and privacy laws.
We shouldn't need a bunch of politicians to tell us that data is most likely to leak when it's centralized, collated, sorted and searchable. While the "P" in HIPAA stands for "portability," aiming for administrative efficiencies, the "A" for "accountability" serves notice that the use of private information brings specific responsibilities and liabilities. Whatever labyrinthine processes resulted in the creation of this bill, the finished regulations correctly address the inherent conflict between performance and security by unambiguously requiring health care providers to secure patient-related data.
For me, it's embarrassing when lawmakers around the world decide that we're doing such a poor job of protecting private data that we must be forced to protect it through regulation. In spite of the apparent corporate disinterest in protecting individuals' information, it's obvious that many people are avoiding e-commerce over concerns that security failures will directly affect them. It's bad for business when customers believe that companies are more interested in protecting their interests at their customers' expense. Reasonable people would prefer dealing with firms that treat their customers' assets more carefully than their own.
There can be no higher professional responsibility for any of us than to protect innocent people from harm, even when that means making organizationally unpopular decisions. I hope and believe that some of us do care enough about people to be willing to do the right thing. It's our duty to apply our skills to protect people from harm by preventing irresponsibly low levels of information protection.
About the author:
Jay Heiser, CISSP, is a London-based security analyst with TruSecure Corp.