Data Breach Avoidance Requires Copy Cops?

A U.S. senator proposes more data breach regulation, but experts say IT should be thinking data control. As one CSO recently put it, "The problem is not securing a copy of the data; it's securing data against copying."
Securing information is impossible once it escapes, whether the data goes missing accidentally or intentionally.

Witness WikiLeaks, where the discussion didn't involve whether to publish more than 200,000 leaked government cables, but when. They're now circulating freely on peer-to-peer (P2P) networks. On the apparently accidental disclosure front, meanwhile, records for 20,000 Stanford Hospital & Clinics emergency room patients appeared in a spreadsheet uploaded to--of all places--a homework help website, where they remained for almost a year before being spotted. How many copies of that spreadsheet will ultimately surface on P2P networks remains unknown.

In the Stanford Hospital case, the breach was traced to a subsidiary of a billing vendor used by the hospital. Of course, information must flow between business partners. Accordingly, many healthcare organizations contractually require their business partners to secure shared data. Nevertheless, data breach laws keep the onus for protecting data on the original data controller. In other words, outsourcing can't be an excuse for poor security.

That may be the law on the books, but without enforcement, no one is running scared. Many senior executives, watching the bottom line, likely see a better business case for spending less--not more--on security. (Though arguably, investing in security to prevent costly data breaches will pay handsomely in the long run.)

New legislation proposed by U.S. Senator Richard Blumenthal (D-Conn.)--the Personal Data Protection and Breach Accountability Act of 2011--could help. Notably, the bill would require any interstate business that stores information on 10,000 or more U.S. citizens to store personally identifiable information securely. The provisions also require logging and monitoring everyone who accesses that data. Businesses that failed to comply with the law could be sued by anyone whose personal information was compromised, to the tune of $10,000 per violation, per person, multiplied by every day the violation persisted, up to a maximum of $20 million.

"My goal is to prevent and deter data breaches that put people at risk of identity theft and other serious harm both by helping protect consumers' data before breaches occur, and by holding entities accountable when consumers' personally-identifiable information is compromised," Blumenthal said in a statement.

But security experts have questioned whether such a bill--if it were to pass--would solve today's data breach epidemic. "The underlying cause of data leakage is not that it's 'securely stored'; it's that it's duplicated into too many people's hands--people who proceed to copy it to a thumb drive or laptop, which is then lost," Marcus Ranum, CSO of Tenable Security, recently wrote in SANS Newsbites. "The problem is not securing a copy of the data; it's securing data against copying."

In the same forum, William Hugh Murray, an associate professor at the Naval Postgraduate School, agreed: "The pendulum needs to swing back in the direction of 'need to know' and 'least privilege.' For the same reasons that copying has become so easy, we really do not need it."

But how do you get tough on cut and paste? Classifying data to know what to restrict is both time-consuming and difficult. Modern notions of productivity--and approaches to IT--are predominantly based not on blocking people from accessing data, but delivering better and faster ways to share that information. Stories may abound of the NSA lunchroom, in which no one ever discusses their work, because no one knows who's authorized to know what. But that's life in locked-down land. Who wants to suffer that environment when revenue is the number-one priority?

One potential fix, practiced by some businesses that classify data, is putting senior managers in charge of sensitive information, such as regulated customer data, and firing them if they mess up. Of course, this often necessitates navigating political minefields, since data control equals power. Furthermore, corporate boards--historically weak on the concept of security, not to mention paying for it--would need to sharpen their security thinking. But with power should come responsibility.
