[Dataloss] Firms play Data Protection roulette
Adam Shostack
adam at homeport.org
Sun Jul 9 00:19:07 EDT 2006
Using real personal data for testing is usually not a purpose
specified under various privacy policies & disclosures, and usually
doesn't hit the "essential" tests that the laws allow.
In the US, that's probably less of a problem legally, because we don't
have a general data protection law, but in other countries, using live
data for test is probably out.
Adam
On Sat, Jul 08, 2006 at 06:47:32PM -0500, Al Mac wrote:
| Until this link, I had never heard of the Data Protection Act.
|
| I have been employed as a computer professional for over 40 years.
|
| Since I am a software developer for a privately owned manufacturer (not yet
| subject to SOX and many well known other regulations, but we are under UL ISO
| ROHS and some others), in which I vigorously test all my work using subsets of
| the live data, where I had always thought the security issues were who can
| access what data for what purposes, not whether it is in a live or test
| condition, I went looking for the particulars of this law.
|
| It is a British law, perhaps European.
| http://en.wikipedia.org/wiki/Data_Protection_Act_1998
|
| The Wikipedia article is a small beginning.
| It does not communicate what constitutes private data under this law.
| For example, some US law says e-mail addresses are included as private data.
| There's a lot in US laws about parts of social security #s and bank account
| numbers.
| The Wikipedia article does not say anything about restricting testing of
| software development.
|
| Here is another explanation
| I carefully read through this and saw nothing about any rules saying that we
| cannot use live data when doing testing.
| Of course this link might not be as official as the NetworkWorld article.
| http://www.dataprotectionact.org/
|
| I am in general agreement with the 8 principles, except there can be great
| ambiguity about how long certain types of data ought to be kept. If we get
| audited by the taxing authorities, we had better have all the payroll data on
| our people from several years ago, available for their access. If a question
| comes up about the safety of any product we have manufactured, we had better
| have full records on where all the components came from and other details, such
| as identities of people who inspected and certified product perfection. There
| is no statute of limitations on product safety in the USA. We have to store
| that kind of data to infinity.
|
| Since some data must be stored for a long long time, there is an issue not just
| of security to block inappropriate access, but also what kind of media it
| should be stored on. Today CDs or DVDs make sense, but some data was on
| various shapes of diskettes when we first got that data, and magnetic media is
| known to only hold the data reliably for like 10 years in climate controlled
| conditions. This varies with quality of diskette or tape manufacturer, and
| some media is particularly prone to getting messed up so we can't read it, like
| a tangled tape, or diskette out of registration with the device that reads it.
| Even then, I like to have more than one set of backups.
|
| There is a link in turn to
| www.dca.gov.uk/foi/datprot.htm and http://www.dca.gov.uk/ccpd/about.htm#4
|
| My interpretation of this is that the act does not ban core business
| activities, I consider the testing of software changes to be a core business
| activity, and I see no place here where the act disagrees with me, although I
| have not read all of the content here.
|
|
|
| http://www.networkworld.com/news/2006/070506-firms-play-data-protection.html?nlhtsec=070306securityalert3
|
| By Radhika Praveen, TechWorld, 07/05/06
|
| Large numbers of companies are taking risks with data protection, because
| they are not aware of the requirements of the law.
|
| Nearly half (44%) of companies use live data in test environments --
| something the 1998 Data Protection Act warns against explicitly, according
| to a recent survey of IT directors by Compuware.
|
| Half the directors (48%) were only 'vaguely familiar' with the Act itself,
| according to the research, which highlights the importance of
| understanding the demands and keeping track of how customer data is
| treated.
|
| A further "83% used only minimal measures such as using non disclosure
| agreements (NDA) to control data when outsourcing," said Ian Clarke, world
| wide enterprise solutions director at Compuware.
|
| NDAs are all very well, but companies find it difficult to communicate the
| complex legal terms to their employees or to outsourcing partners, said
| the survey report. "Unless they have rigorous procedures in place, they
| run the risk of live data being leaked to third parties. This can have
| severe repercussions on customer confidence and company reputation, and
| ultimately affect the bottom line," Clarke added.
|
| An NDA doesn't mean a lot when an employee in an outsourcing company in
| India for example who earns $100-a-day can earn much more by selling
| confidential data, he said.
|
| [...]
|
| _______________________________________________
| Dataloss Mailing List (dataloss at attrition.org)
| http://attrition.org/errata/dataloss/
|
| -
| Al Macintyre
| http://en.wikipedia.org/wiki/User:AlMac
| http://www.ryze.com/go/Al9Mac
| BPCS/400 Computer Janitor ... see
| http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html