BreachExchange mailing list archives
Re: Firms play Data Protection roulette
From: Adam Shostack <adam () homeport org>
Date: Sun, 9 Jul 2006 00:19:07 -0400
Using real personal data for testing is usually not a purpose specified under various privacy policies & disclosures, and usually doesn't hit the "essential" tests that the laws allow. In the US, that's probably less of a problem legally, because we don't have a general data protection law, but in other countries, using live data for test is probably out.

Adam

On Sat, Jul 08, 2006 at 06:47:32PM -0500, Al Mac wrote:
| Until this link, I had never heard of the Data Protection Act.
|
| I have been employed as a computer professional for over 40 years.
|
| Since I am a software developer for a privately owned manufacturer (not yet
| subject to SOX and many well known other regulations, but we are under UL ISO
| ROHS and some others), in which I vigorously test all my work using subsets of
| the live data, where I had always thought the security issues were who can
| access what data for what purposes, not whether it is in a live or test
| condition, I went looking for the particulars of this law.
|
| It is a British law, perhaps European.
| http://en.wikipedia.org/wiki/Data_Protection_Act_1998
|
| The Wikipedia article is a small beginning.
| It does not communicate what constitutes private data under this law.
| For example, some US law says e-mail addresses are included as private data.
| There's a lot in US laws about parts of social security #s and bank account
| numbers.
| The Wikipedia article does not say anything about restricting testing of
| software development.
|
| Here is another explanation.
| I carefully read through this and saw nothing about any rules saying that we
| cannot use live data when doing testing.
| Of course this link might not be as official as the NetworkWorld article.
| http://www.dataprotectionact.org/
|
| I am in general agreement with the 8 principles, except there can be great
| ambiguity about how long certain types of data ought to be kept. If we get
| audited by the taxing authorities, we had better have all the payroll data on
| our people from several years ago, available for their access. If a question
| comes up about the safety of any product we have manufactured, we had better
| have full records on where all the components came from and other details, such
| as identities of people who inspected and certified product perfection. There
| is no statute of limitations on product safety in the USA. We have to store
| that kind of data to infinity.
|
| Since some data must be stored for a long long time, there is an issue not just
| of security to block inappropriate access, but also what kind of media it
| should be stored on. Today CDs or DVDs make sense, but some data was on
| various shapes of diskettes when we first got that data, and magnetic media is
| known to only hold the data reliably for like 10 years in climate controlled
| conditions. This varies with quality of diskette or tape manufacturer, and
| some media is particularly prone to getting messed up so we can't read it, like
| a tangled tape, or a diskette out of registration with the device that reads it.
| Even then, I like to have more than one set of backups.
|
| There is a link in turn to
| www.dca.gov.uk/foi/datprot.htm and http://www.dca.gov.uk/ccpd/about.htm#4
|
| My interpretation of this is that the act does not ban core business
| activities. I consider the testing of software changes to be a core business
| activity, and I see no place here where the act disagrees with me, although I
| have not read all of the content here.
|
|
| http://www.networkworld.com/news/2006/
| 070506-firms-play-data-protection.html?nlhtsec=070306securityalert3
|
| By Radhika Praveen, TechWorld, 07/05/06
|
| Large numbers of companies are taking risks with data protection, because
| they are not aware of the requirements of the law.
|
| Nearly half (44%) of companies use live data in test environments --
| something the 1998 Data Protection Act warns against explicitly, according
| to a recent survey of IT directors by Compuware.
|
| Half the directors (48%) were only 'vaguely familiar' with the Act itself,
| according to the research, which highlights the importance of
| understanding the demands and keeping track of how customer data is
| treated.
|
| A further "83% used only minimal measures such as using non-disclosure
| agreements (NDA) to control data when outsourcing," said Ian Clarke, world
| wide enterprise solutions director at Compuware.
|
| NDAs are all very well, but companies find it difficult to communicate the
| complex legal terms to their employees or to outsourcing partners, said
| the survey report. "Unless they have rigorous procedures in place, they
| run the risk of live data being leaked to third parties. This can have
| severe repercussions on customer confidence and company reputation, and
| ultimately affect the bottom line," Clarke added.
|
| An NDA doesn't mean a lot when an employee in an outsourcing company in
| India, for example, who earns $100-a-day can earn much more by selling
| confidential data, he said.
|
| [...]
|
| _______________________________________________
| Dataloss Mailing List (dataloss () attrition org)
| http://attrition.org/errata/dataloss/
|
| -
| Al Macintyre
| http://en.wikipedia.org/wiki/User:AlMac
| http://www.ryze.com/go/Al9Mac
| BPCS/400 Computer Janitor ... see
| http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html
Current thread:
- Firms play Data Protection roulette lyger (Jul 08)
- Re: Firms play Data Protection roulette Al Mac (Jul 08)
- Re: Firms play Data Protection roulette Saundra Kae Rubel (Jul 08)
- Re: Firms play Data Protection roulette Adam Shostack (Jul 08)
- Re: Firms play Data Protection roulette George Toft (Jul 09)
- Re: Firms play Data Protection roulette Peter Wood (Jul 10)
- Re: Firms play Data Protection roulette George Toft (Jul 10)
- Re: Firms play Data Protection roulette Saundra Kae Rubel (Jul 10)
- Re: Firms play Data Protection roulette Al Mac (Jul 08)
- Re: Firms play Data Protection roulette Chris Walsh (Jul 09)
- <Possible follow-ups>
- Re: Firms play Data Protection roulette Al Mac (Jul 10)