Where Does Responsibility Land with a Data Breach?
I read an article today, the first on this story that I had seen posted on the AP wire site. Essentially, there has been a massive, comprehensive data breach of systems containing all sorts of information – personally identifiable in the most damaging ways – for current and past federal employees.

We’re still in the "fog of war" stage on what really happened, how it happened and, I suspect, how comprehensive the issue is. You can read the article that caught my attention in this link to the AP article.

But what killed me was this section – particularly as it relates to our work as data professionals:

"We believe that Social Security numbers were not encrypted, a cybersecurity failure that is absolutely indefensible and outrageous," Cox said in the letter. The union called the breach "an abysmal failure on the part of the agency to guard data that has been entrusted to it by the federal workforce."

Samuel Schumach, an OPM spokesman, said that "for security reasons, we will not discuss specifics of the information that might have been compromised."

The central personnel data file contains up to 780 separate pieces of information about an employee.

The entire first part of the article talks about laying blame for the hack on the reported perpetrators. Sure, we need to catch whoever is really behind this. It’ll be hard to do anything with that, though – it’s a group, or a country, or whatever.

Assuming the situation remains as it is – that it’s an outside hack, not an employee with access that gave away the world…

The thing is, in my opinion, the SUCCESS of the data breach lies with the database teams responsible for their systems. I’m sorry, but at its most fundamental, protection of data is critical. Yes, systems failed to prevent the intrusion, but there is much more at play here.

To have Social Security information – perhaps the granddaddy of all personally identifiable information – stolen and NOT encrypted in the database is a breach of data ethics, of data responsibilities, and just plain not doing your job. To have that information in the database and not protected at rest is unforgivable. There are so many tools and outstanding approaches to introducing encryption, to managing keys and so on – this just should not be possible. I get "they broke in and got data" – I could even forgive "some usable information" – but to have SSN information (specifically) and 780 separate pieces of information that are not protected at rest – at all – should have set off flags and prompted action to correct it, for years.

Please – if you’re responsible for information – speak up. Don’t let things sit. If you don’t understand what needs to be done, that’s OK. But get help. There are so many people and resources to help you. There are outstanding vendors and partners that you can really lean on to learn, to deploy solutions. Ask the tough questions and if you don’t know the questions, get them. Ask around. Find out what needs to be done.

Ignorance of what can or must be done is no excuse on this. If you don’t know – admit it to yourself and then find out what you need, or find partners that can help you.

I really, really hope that we don’t lose the lessons to learn on this in our zeal to find somewhere (else) to put blame for the break-in. It’s like saying that someone broke into the bank, stole all the money and everything in the safe deposit boxes because they were all left open and unlocked. But it’s not the bank’s fault that they got it. It’s those darn bank robbers.

Take on the responsibility if no one else is. It’s got to be our ethic as data folks to do so.