Data Liability


  • Unfortunately, not enough rule/law/regulation has been set to require business and government to protect people, both employees and customers, in dealing with requirements of protecting data as a general business practice.

    There are specific business sectors and govt offices who have stringent rules about vetting people who will gain access to their data. However, there is no broad requirement other than to "secure" data...which we all know has failed miserably with the huge data breaches within the past 2-3 years.

    My biggest question is this: why is the information allowed to be connected to a public, at-will connection point in the first place? Isn't this just asking for people to work to get information where they shouldn't?

    Why OPM's personnel records needed to be accessible from a public system is beyond me, let alone any healthcare data warehouse, retail chain, home improvement chain, or bank's credit card/banking information.

    For the law to allow a person to be held responsible (other than for individual gross negligence) for duties performed in following their employer's policy and the rules governing their field (or a lack thereof) would be insane.

    Doesn't mean it won't happen, but it would be insane. Wouldn't be the first time that the system cut its nose off to spite its face.

  • It would be somewhat clearer in the UK

    The Data Protection Act requires any organisation holding personal data to register. That registration specifies what data they may hold, who may access it, how long it can be retained and what should happen when it is no longer required.

    The organisation is required to take steps to ensure it is secure and also correct.

    A breach of these is an offence.

    In the case given, a case could be brought against both the person stealing the data and also against the organisation for failing to protect it. That exceptional steps were required to be taken to obtain the data would be a mitigating factor to be taken into account when determining any damages. The organisation could expect to recoup some or possibly all of these damages from the person instigating the data theft.

    There could also be a case against the forensic recovery firm for not ensuring the person requesting the recovery had authority to do so.

  • jckfla (9/21/2015)


    My biggest question is this: why is the information allowed to be connected to a public, at-will connection point in the first place? Isn't this just asking for people to work to get information where they shouldn't?

    Cost and convenience.

    Most of these aren't connected to public applications. However, they are connected to the public Internet. The reason is cost. The transfer of data through snail mail, or private lines, is high. I've worked with places where we had private lines and adding/removing new clients was a pain, and expensive.

    For some of these data stores, they're connected with firewalls and VPNs. Some just don't publish a URL publicly, but we know that information can be found with scanners. Some use a name/pwd, stored in a table, some have access tokens.

    Ultimately I think it's unrealistic to complain that data sources are accessible from the Internet. Too much data is shared in business and government to prevent this. However, we can work towards better and more secure ways of protecting and transferring data. In those cases, we need to do our best to implement strong solutions and require application changes.

    However, the liability piece is separate. I am concerned as a DBA that I could get held liable for a system I didn't implement, but do manage.

  • This is an interesting editorial. Do we need laws to spell out liability? I know that in 2 states PCI Compliance is mandated via fines if you have a break-in (similar to the new contracts coming out October 1, 2015). With the lack of privacy fostered by social media, can anyone define the line?

  • I know that feeling. In the health care insurance industry, HIPAA laws and requirements are stringent. As a health care insurance company they are required to report any incidents where health information was accessed, or disclosed improperly. The company is held responsible for such breaches and because of such, they should hold each employee accountable for securing and keeping that information confidential. Depending on the company, there are consequences for employees involved in breaches and the severity of those consequences depends on the type of breach. I won't go into details but let it be sufficient to say that personal health information is sensitive data that needs to be protected at all costs and as much as we don't agree on all the nuances of HIPAA or the AHA, we all have to agree on the intent, which is to protect our private data. As to bonding of the employee, that would be going too far. As long as the breach is traceable to a person and the breach was serious enough - say for monetary gain - then that person should be held liable and should face the full force of the law. For incidental breaches that happen, not so. Let's face it, the industry as you said is still struggling to figure this all out.

    That said, I also agree that the government is an easy target for anyone who wants information. It is in the best interest of companies that do any business with the Government to mask or hide personal information that could be accessed through a public interface such as the internet. The government would love to have all that information, but who will be responsible for securing it on their end? There was a time that I thought that those in the government were the experts in these areas, but now, after watching and being in the business, I can truly say that I have some serious reservations about those thoughts!

    I have even talked with coworkers about a national database of health information, but the conversations always came down to one factor that would stop the system dead in its tracks - Security. Who will administer the security of that system and how do we control who can gain access to the data? So, even in the industry we have serious concerns about securing data and keeping prying eyes away from it. It's a huge job and I don't envy those who have to deal with it daily, so a huge thanks to those that do!

  • If you are dealing with PHI and HIPAA data and the company has put in 'adequate' safeguards, everyone being HIPAA certified for example, then the responsibility does fall on the individual. It sucks, but you are not supposed to deal with HIPAA data unless you have been certified, meaning you should pay attention to the do's and don'ts during training. If you are dealing with HIPAA data and you aren't certified, then that's on your company.

  • david.morton (9/21/2015)


    ... So, even in the industry we have serious concerns about securing data and keeping prying eyes away from it. It's a huge job and I don't envy those who have to deal with it daily, so a huge thanks to those that do!

    You're welcome. I work for a health organization and have been directly involved with developing HIPAA and associated laws over the years. At a recent seminar we were told that the trend when there are serious violations is for the company boards to find a scapegoat. In our company that would be me. So it is a bit scary.

  • I think we might have to get some form of insurance against some of these things. I once explored even the idea of organizations having to insure against down time, especially now in the advent of the cloud (this phenomenon is mostly suited to developing countries prone to fiber cuts with no proper disaster recovery alternative).

  • John Hanrahan (9/21/2015)


    This is an interesting editorial. Do we need laws to spell out liability? I know that in 2 states PCI Compliance is mandated via fines if you have a break-in (similar to the new contracts coming out October 1, 2015). With the lack of privacy fostered by social media, can anyone define the line?

    Or laws that limit liability? Who is responsible if data is exposed from a SQL Injection flaw? The CEO? The development manager? The developer? The DBA that deployed the code and manages it? All of them? Any that know about the issue?

    Ugh

  • crmitchell (9/21/2015)


    It would be somewhat clearer in the UK

    The Data Protection Act requires any organisation holding personal data to register. That registration specifies what data they may hold, who may access it, how long it can be retained and what should happen when it is no longer required.

    The organisation is required to take steps to ensure it is secure and also correct.

    A breach of these is an offence.

    In the case given, a case could be brought against both the person stealing the data and also against the organisation for failing to protect it. That exceptional steps were required to be taken to obtain the data would be a mitigating factor to be taken into account when determining any damages. The organisation could expect to recoup some or possibly all of these damages from the person instigating the data theft.

    There could also be a case against the forensic recovery firm for not ensuring the person requesting the recovery had authority to do so.

    The ICO (Information Commissioner's Office) has few teeth and is massively understaffed. Even if they think there is a breach they can't enter a business without consent. You are right that if a company gets caught then they can be prosecuted and there can be fines and prison. It's not like the USA or Germany.

    We have had, in the UK, professionals being prosecuted for data breaches in a company.

  • I can see no winners in this other than the legal profession.

    People share so much on social media that I'm not sure what view would be taken for disclosure of material that could otherwise be obtained from the public domain.

    It feels more like a copyright theme where companies have to pay the individual for using the individual's data. That should cure those in possession of a spam cannon and an itchy trigger finger. I was in advertising, and name and address lists started at £50/1000 for the electoral roll and went up rapidly based on the wealth of information and the information on wealth.

    Let's suppose we all have a data usage account. We could put our data on the market with the users paying into that account when they use it, with an amount in line with the attributes they use and that we allow.

  • And good luck getting your medical data from a hospital without doctor's orders -- I have been down that road more times than I care to count -- most hospitals will not give it out without doctor's orders. So much for being the repository of your own medical data. I rotate between 2 hospitals and moving the information back and forth has been troublesome, to say the least.

  • The law in many jurisdictions has shown itself to be ignorant of IT and naive in its understanding as to the effects demanded by lobbying stakeholders.

    Liability will be a mess and whilst I am covered for developing software I am unsure how well my insurance will deal with a data breach. I believe that in today's climate in the UK that I am OK but roll it forward a decade and I may feel the need to choose a different career path.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!
