Friday, November 18, 2011
Suggestion for reporters and victims on data breach incidents
by Larry Geller
Hawaii appears to be still in the dark ages with regard to protection of sensitive data. There have been a number of incidents including repeated situations at the University of Hawaii that should ring alarm bells. The new incident at the East-West Center should ring alarm bells in newsrooms.
Reporters should be asking questions that would reveal whether the East-West Center was a responsible custodian of the personal data that it collected.
Most stories are reported (as was the APEC data story on the front page of today’s Star-Advertiser) as though the institution was the passive victim of an unforeseeable crime. That is, some sophisticated hacker somewhere out there, maybe even in a foreign country, who knows, committed a crime by breaking into one of the organization’s computers. Data was or may have been taken. Individual victims may have been or might be harmed.
Breaking into a computer is a crime, but the institutional data-keeper is far from passive. Usually there is a good measure of negligence involved. That negligence is what puts the individual victims at risk. It puts them at risk even if there is no break-in. That negligence, or questions about it, should be part of news repporting.
And let’s face it, an organization may not even know that an intruder has accessed sensitive data. Organizations in Hawaii need to do better, and the press can participate by reporting more fully on these incidents.
So reporters should ask better questions, I suggest. And potential victims might consult with their attorneys. Through education and holding organizations responsible, we might have a chance to improve the awareness of the very basic security practices that seem to be lacking in Hawaii. (See: Class action suit filed against University of Hawaii personal information breaches, 11/18/2010.)
So here are some questions off the top of my head. I’m sure this list isn’t inclusive. And since situations vary, it isn’t prioritized.
1) Was it necessary to collect the data in the first place (i.e., Social Security numbers)?
2) Was access to the sensitive data properly restricted as to personnel who could access it?
3) Would the organization know if some unauthorized employee accessed the data?
and the key questions related to computer use:
4) Was the computer storing the data connected to the Internet? Why was sensitive data kept on an Internet-connected compuer?
5) Was the data encrypted? Was the encryption password adequate?
6) Were backups that were taken also encrypted? Was the encryption password adequate? Was the password adequately protected? (There’s nothing dumber than to store the encryption password somewhere on the Internet-connected computer.)
7) Were emails that contained the data encrypted?
8) Was the keeping of the data authorized, and did key management know it was being stored?
9) Did key management review the data protection practices under which the data was stored?
In the APEC case, probably all of these questions apply.
Not to belabor the point, but if you leave valuables in an open car, they might be stolen, but it’s necessary to ask why the car was left parked on a street in Manhattan with the doors unlocked. The story is not that the goodies were stolen, it is why they were essentially given away.
Prevent, don’t lament.