Information Security

Defending the digital infrastructure



Personal data security: Why we're dropping the ball

Privacy failures are infosec failures. The law shouldn't need to require companies to enforce personal data security -- infosecurity should already be doing it.

July 1 was a sad day for the infosecurity community. That's when the California General Assembly forced all companies doing business in the Golden State to notify their customers if their private data was exposed through a security breach. This is just the latest and most dramatic evidence that we are failing in our duty to protect the most sensitive information of all -- that which concerns private individuals.

When the nascent computing community first began addressing data control issues in the '60s, inappropriate access was characterized as being a "loss of privacy." Unfortunately, privacy fell off our radar screen once the sexy and memorable CIA security triumvirate of confidentiality, integrity and availability became the single model for understanding information risk.

Western society believes that individuals have the right to discretion regarding potentially embarrassing information about their health, finances, family background and personal habits. It's considered a basic human right that the subject of such information is the "owner" of it, and the owner has the privilege of choosing who may have access to it.

Unfortunately, journalists, private investigators, information brokers and hackers know how to obtain poorly secured personal data. Identity theft is just one of the possible outcomes of stolen personal information, and perhaps not the most significant. Blackmail, career setbacks, broken relationships and personal embarrassments are other tragic consequences of inadequately protected private information.

Financial, legal and customer data is highly vulnerable in an electronic format. Internet history is replete with examples of hacks that captured individuals' personal and financial information -- such as the 1996 breach of a Florida database that exposed the case histories of 4,000 AIDS patients, the 2000 hack of CD Universe that compromised more than 350,000 credit card accounts, and the 2002 attack on the California State Comptroller's office that exposed more than 265,000 state employees' retirement fund data.


Given the growing public outrage, it's time that we realize that privacy failures are infosecurity failures. We are the only profession that's tasked with finding and assessing sensitive information, securing it, and reacting when that information is stolen or manipulated. Simply put, nobody but security professionals can or should protect privacy data. Even if we don't always recognize this, the U.S. Congress does and is looking to craft a federal version of the California law, as well as other security and privacy laws.

We shouldn't need a bunch of politicians to tell us that data is most likely to leak when it's centralized, collated, sorted and searchable. While the "P" in HIPAA stands for "portability," aiming for administrative efficiencies, the "A" for "accountability" serves notice that the use of private information brings specific responsibilities and liabilities. Whatever labyrinthine processes resulted in the creation of this bill, the finished regulations correctly address the inherent conflict between performance and security by unambiguously requiring health care providers to secure patient-related data.

For me, it's embarrassing when lawmakers around the world decide that we're doing such a poor job of protecting private data that we must be forced to protect it through regulation. In spite of the apparent corporate disinterest in protecting individuals' information, it's obvious that many people are avoiding e-commerce over concerns that security failures will directly affect them. It's bad for business when customers believe that companies are more interested in protecting their interests at their customers' expense. Reasonable people would prefer dealing with firms that treat their customers' assets more carefully than their own.

There can be no higher professional responsibility for any of us than to protect innocent people from harm, even when that means making organizationally unpopular decisions. I hope and believe that some of us do care enough about people to be willing to do the right thing. It's our duty to apply our skills to protect people from harm by preventing irresponsibly low levels of information protection.

About the author:
Jay Heiser, CISSP, is a London-based security analyst with TruSecure Corp.

This was last published in December 2003


Join the conversation



The amount of personal data that is flying around the internet these days is insane. It is almost impossible to deal with the cognitive dissonance. I think of the internet as basically held together with bubble gum and baling wire - the data leaks are everywhere. I agree that data leaks should be revealed to the public, but I'm more worried about the ones the company doesn't know about.
I'm glad that companies are required to disclose data breaches, and I don't think that it should come as a surprise to anyone that some companies must be compelled to do so by the law, or else they wouldn't do it on their own.

My information has potentially been involved in 4 or 5 data breaches in the last couple of years... I've lost count at this point! It began with Target. It was a pain because my credit card company had to re-issue my card and cancel my existing one. Since then, I've received several other notices. I guess that on the bright side, I'll probably have enough free credit monitoring services to last me a lifetime!
