[Dataloss] Firms play Data Protection roulette

George Toft george at myitaz.com
Sun Jul 9 11:10:47 EDT 2006


I think we should make a distinction between live data and real data.

Some companies make copies of their live data and put it in their 
development environment(s) for development and testing.  It's not live 
data, but it is certainly real.

There are many benefits to using a copy of live data, but in today's 
reality, I think the risk to the business is too great to endorse this 
activity.  I think it also might violate the spirit of "separation of 
duty" that most companies implement to keep developers out of production 
systems.

Regards,

George Toft, CISSP, MSIS
My IT Department
www.myITaz.com
480-544-1067

Confidential data protection experts for the financial industry.
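The thread argues against copying live data into development and test. The usual alternative is to pseudonymize the extract before it leaves production: keyed, deterministic tokens so joins still line up, format-preserving replacements so validators still pass, a default-deny column allow-list so new production columns cannot leak into test unnoticed, and a final check that no live value survived. The following is an added example, not code from the Dataloss thread or from any of its posters; the masking key, the column rules and the customer records are constructed for illustration, and in a real pipeline the key would live in a secret store and never accompany the output into the test environment.

```python
"""Pseudonymize a production extract before loading it into a test environment.

Added example; the key, rules and records below are constructed sample data.
"""
import hashlib
import hmac
import json

# Constructed demo key. A real pipeline reads it from a secret store, rotates it,
# and never ships it to the test environment alongside the masked output.
MASKING_KEY = b"constructed-demo-masking-key"


def _token(value: str, alphabet: str, length: int) -> str:
    """Keyed, deterministic token built from HMAC-SHA256 under MASKING_KEY.

    Equal inputs give equal tokens, so foreign keys and repeated customers still
    line up across tables, while the original cannot be recovered without the key.
    """
    digest = hmac.new(MASKING_KEY, value.encode("utf-8"), hashlib.sha256).digest()
    return "".join(alphabet[b % len(alphabet)] for b in digest[:length])


def mask_name(name: str) -> str:
    return "Customer " + _token(name, "ABCDEFGHJKLMNPQRSTUVWXYZ", 6)


def mask_email(email: str) -> str:
    # Reserved test domain: a misconfigured test job can never mail a real person.
    return "user-" + _token(email.lower(), "0123456789abcdef", 10) + "@example.test"


def mask_ssn(ssn: str) -> str:
    digits = "".join(ch for ch in ssn if ch.isdigit())
    if len(digits) != 9:
        raise ValueError("expected a 9-digit SSN")
    t = _token(digits, "0123456789", 9)
    # Keep the NNN-NN-NNNN shape that input validators expect, but force the area
    # number into 900-999, which the SSA does not issue, so the token can never
    # collide with a real person's number.
    return f"9{t[1:3]}-{t[3:5]}-{t[5:9]}"


def mask_account(acct: str) -> str:
    # Same length, every digit replaced; no "last four" is retained.
    return _token(acct, "0123456789", len(acct))


# Column allow-list. Anything not listed is dropped, so a column added to the
# production schema later does not silently reach the test copy.
RULES = {
    "customer_id": "keep",  # surrogate key needed for joins, not personal data
    "plan": "keep",
    "name": mask_name,
    "email": mask_email,
    "ssn": mask_ssn,
    "account_no": mask_account,
}


def pseudonymize(record: dict) -> dict:
    """Apply RULES to one record; unknown columns are dropped (default deny)."""
    out = {}
    for field, value in record.items():
        rule = RULES.get(field)
        if rule is None:
            continue
        out[field] = value if rule == "keep" else rule(str(value))
    return out


def leaked_values(original: dict, masked: dict) -> list:
    """Original non-'keep' values that still appear anywhere in the masked record."""
    blob = json.dumps(masked)
    return [v for f, v in original.items()
            if RULES.get(f) != "keep" and str(v) in blob]


def build_test_copy(records: list) -> list:
    """Mask every record and refuse to export if any live value survived."""
    masked = [pseudonymize(r) for r in records]
    for orig, m in zip(records, masked):
        leaks = leaked_values(orig, m)
        if leaks:
            raise RuntimeError(f"refusing to export, live values present: {leaks}")
    return masked


# Constructed "production" rows; the repeated customer shows that masking
# is consistent across rows, and the unlisted "notes" column shows default deny.
PRODUCTION_EXTRACT = [
    {"customer_id": 1001, "name": "Jane Q. Example", "email": "Jane.Example@isp.example",
     "ssn": "123-45-6789", "account_no": "4400123456789", "plan": "gold",
     "notes": "called about statement dated 2006-07-01"},
    {"customer_id": 1002, "name": "Jane Q. Example", "email": "jane.example@isp.example",
     "ssn": "123-45-6789", "account_no": "4400987654321", "plan": "silver"},
]

if __name__ == "__main__":
    for row in build_test_copy(PRODUCTION_EXTRACT):
        print(json.dumps(row))
```

The deterministic token is what makes the copy usable for development: the same customer masks to the same name, e-mail and SSN in every table, so referential integrity and duplicate-detection tests behave as they would on live data, without any live identifier leaving production.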


Adam Shostack wrote:
> Using real personal data for testing is usually not a purpose
> specified under various privacy policies & disclosures, and usually
> doesn't hit the "essential" tests that the laws allow.
> 
> In the US, that's probably less of a problem legally, because we don't
> have a general data protection law, but in other countries, using live
> data for test is probably out.
> 
> Adam
> 
> On Sat, Jul 08, 2006 at 06:47:32PM -0500, Al Mac wrote:
> | Until this link, I had never heard of the Data Protection Act.
> | 
> | I have been employed as a computer professional for over 40 years.
> | 
> | Since I am a software developer for a privately owned manufacturer (not yet
> | subject to SOX and many well known other regulations, but we are under UL ISO
> | ROHS and some others), in which I vigorously test all my work using subsets of
> | the live data, where I had always thought the security issues were who can
> | access what data for what purposes, not whether it is in a live or test
> | condition, I went looking for the particulars of this law.
> | 
> | It is a British law, perhaps European.
> | http://en.wikipedia.org/wiki/Data_Protection_Act_1998
> | 
> | The Wikipedia article is a small beginning.
> | It does not communicate what constitutes private data under this law.
> | For example, some US law says e-mail addresses are included as private data. 
> | There's a lot in US laws about parts of social security #s and bank account
> | numbers.
> | The Wikipedia article does not say anything about restricting testing of
> | software development.
> | 
> | Here is another explanation
> | I carefully read through this and saw nothing about any rules saying that we
> | cannot use live data when doing testing.
> | Of course this link might not be as official as the NetworkWorld article.
> | http://www.dataprotectionact.org/
> | 
> | I am in general agreement with the 8 principles, except there can be great
> | ambiguity about how long certain types of data ought to be kept.  If we get
> | audited by the taxing authorities, we had better have all the payroll data on
> | our people from several years ago, available for their access.  If a question
> | comes up about the safety of any product we have manufactured, we had better
> | have full records on where all the components came from and other details, such
> | as identities of people who inspected and certified product perfection.  There
> | is no statute of limitations on product safety in the USA.  We have to store
> | that kind of data to infinity.
> | 
> | Since some data must be stored for a long long time, there is an issue not just
> | of security to block inappropriate access, but also what kind of media it
> | should be stored on.  Today CDs or DVDs make sense, but some data was on
> | various shapes of diskettes when we first got that data, and magnetic media is
> | known to only hold the data reliably for like 10 years in climate controlled
> | conditions.  This varies with quality of diskette or tape manufacturer, and
> | some media is particularly prone to getting messed up so we can't read it, like
> | a tangled tape, or diskette out of registration with the device that reads it.
> | Even then, I like to have more than one set of backups.
> | 
> | There is a link in turn to
> | www.dca.gov.uk/foi/datprot.htm  and http://www.dca.gov.uk/ccpd/about.htm#4
> | 
> | My interpretation of this is that the act does not ban core business
> | activities, I consider the testing of software changes to be a core business
> | activity, and I see no place here where the act disagrees with me, although I
> | have not read all of the content here.
> | 
> | 
> | 
> |     http://www.networkworld.com/news/2006/070506-firms-play-data-protection.html?nlhtsec=070306securityalert3
> | 
> |     By Radhika Praveen, TechWorld, 07/05/06
> | 
> |     Large numbers of companies are taking risks with data protection, because
> |     they are not aware of the requirements of the law.
> | 
> |     Nearly half (44%) of companies use live data in test environments --
> |     something the 1998 Data Protection Act warns against explicitly, according
> |     to a recent survey of IT directors by Compuware.
> | 
> |     Half the directors (48%) were only 'vaguely familiar' with the Act itself,
> |     according to the research, which highlights the importance of
> |     understanding the demands and keeping track of how customer data is
> |     treated.
> | 
> |     A further "83% used only minimal measures such as using non disclosure
> |     agreements (NDA) to control data when outsourcing," said Ian Clarke, world
> |     wide enterprise solutions director at Compuware.
> | 
> |     NDAs are all very well, but companies find it difficult to communicate the
> |     complex legal terms to their employees or to outsourcing partners, said
> |     the survey report. "Unless they have rigorous procedures in place, they
> |     run the risk of live data being leaked to third parties. This can have
> |     severe repercussions on customer confidence and company reputation, and
> |     ultimately affect the bottom line," Clarke added.
> | 
> |     An NDA doesn't mean a lot when an employee in an outsourcing company in
> |     India for example who earns $100-a-day can earn much more by selling
> |     confidential data, he said.
> | 
> |     [...]
> | 
> |     _______________________________________________
> |     Dataloss Mailing List (dataloss at attrition.org)
> |     http://attrition.org/errata/dataloss/
> | 
> | -
> | Al Macintyre
> | http://en.wikipedia.org/wiki/User:AlMac
> | http://www.ryze.com/go/Al9Mac
> | BPCS/400 Computer Janitor ... see
> | http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html
> 

