Fines for Data Access

  • Comments posted to this topic are about the item Fines for Data Access

  • Monitoring is the wrong approach. Flat denial of privilege is the correct one. Why go to the pain and expense of tracking access, storing the data, having to analyze the data, when least privilege means you don't have to buy disk drives (or SANs) just to store logs on the off chance somebody is being a dick?

    If somebody doesn't have the right to view the data why did you give them access? If they have access (and why would co-workers have access to personal information anyway?) then it's not unusual access and thus not worthy of logging or alerting anyone anyway.

    This is yet another example of gathering data that shouldn't be gathered. Far better to lock the door ahead of time than stumble across the problem accidentally then comb terabytes of log data to see who else was a creep.

  • At my previous job we did some logging. We could tell who accessed what, when. But even so, it could have been better.

    In my current job I am very impressed with how important it is to my employer to log data access. For the most part, every system I've seen, unless it is over 15 years old, has logging built in and done better than I did at my old job. I'm sure there's room for improvement, as there always is. But I do think my current employer is doing a great job.

    Kindest Regards, Rod

  • Times change and people change. No one is a criminal until they commit a criminal act.

    Monitoring makes sense, not the least of which is from privilege/credential theft or malware under impersonation.

  • I doubt that this one specific female employee was an isolated target. The people doing this have probably been routinely accessing DMV records for hundreds or thousands of women over the years and this one woman only discovered she was a victim because she works for the police department.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • It wouldn't surprise me if the department staff improperly accessing DMV records were also selling the data to third parties like private investigators, skip tracers, and law firms. Cell phone providers also do this with our geo-location data. That's oftentimes why corporate executives deny disclosing the data but the data somehow leaks into outside hands: they have data privacy policies in place, but rogue employees are not being monitored closely enough and there is a lot of easy money to be made.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Exactly. These people need access, they aren't affected by least privilege. They also can't all be fired all the time, though perhaps a few terminations would slow this down.

  • roger.plowman wrote:

    Monitoring is the wrong approach. Flat denial of privilege is the correct one. Why go to the pain and expense of tracking access, storing the data, having to analyze the data, when least privilege means you don't have to buy disk drives (or SANs) just to store logs on the off chance somebody is being a dick? If somebody doesn't have the right to view the data why did you give them access? If they have access (and why would co-workers have access to personal information anyway?) then it's not unusual access and thus not worthy of logging or alerting anyone anyway. This is yet another example of gathering data that shouldn't be gathered. Far better to lock the door ahead of time than stumble across the problem accidentally then comb terabytes of log data to see who else was a creep.

    I hope that no serious data controller would ever permit monitoring access to private data to be dropped.   When some data has clearly gotten out to someone who shouldn't have it, it didn't get out by magic - someone read it and delivered it to where it should never have gone.  That clearly wasn't someone who was flatly denied the privilege of access to the data, and the only way of finding out how it escaped is to have monitored all access and for the particular data that has escaped to require that the accessor explain why he accessed that specific data (and if only one person has accessed the leaked data, even if he had a good reason to access it he is clearly the guilty party).  That definitely requires monitoring.  End of story - without monitoring, you (as a data controller) CAN NOT POSSIBLY do the things that you are required to do under the current personal data protection regulations.  Nor can you reasonably claim to be attempting to do so.  Big nasty fine - not just for the leak, but a bigger one for the decision not even to bother to try to ensure that your staff either conform to the regulations or get caught.

    Perhaps you hadn't realised that someone who has access to the data is supposed to go to it only when necessary, not arbitrarily access it every day?  If so, please don't try to help anyone conform to current EU (and most of the rest of the world) regulations until you've understood it properly - until then you can only leave them paddleless up the creek.

    Tom
