BreachExchange mailing list archives
Re: Firms play Data Protection roulette
From: "Saundra Kae Rubel" <privacylaws () sbcglobal net>
Date: Sat, 8 Jul 2006 20:10:08 -0700
The UK Data Protection Law is just one of many different data protection laws. The UK was required to locally implement the EU Data Protection Directive and did so with their passage of the UK Data Protection Act. To see which countries have laws regulating the use and protection of data, visit http://www.privacyknowledgebase.com/document.jsp?docid=REFDP000

Saundra Kae Rubel, CIPP

_____

From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Al Mac
Sent: Saturday, July 08, 2006 4:48 PM
To: dataloss () attrition org
Subject: Re: [Dataloss] Firms play Data Protection roulette

Until this link, I had never heard of the Data Protection Act. I have been employed as a computer professional for over 40 years. Since I am a software developer for a privately owned manufacturer (not yet subject to SOX and many other well-known regulations, but we are under UL, ISO, RoHS and some others), in which I vigorously test all my work using subsets of the live data, where I had always thought the security issues were who can access what data for what purposes, not whether it is in a live or test condition, I went looking for the particulars of this law. It is a British law, perhaps European.

http://en.wikipedia.org/wiki/Data_Protection_Act_1998

The Wikipedia article is a small beginning. It does not communicate what constitutes private data under this law. For example, some US law says e-mail addresses are included as private data. There's a lot in US laws about parts of social security #s and bank account numbers. The Wikipedia article does not say anything about restricting testing of software development.

Here is another explanation. I carefully read through this and saw nothing about any rules saying that we cannot use live data when doing testing. Of course this link might not be as official as the NetworkWorld article.

http://www.dataprotectionact.org/

I am in general agreement with the 8 principles, except there can be great ambiguity about how long certain types of data ought to be kept. If we get audited by the taxing authorities, we had better have all the payroll data on our people from several years ago available for their access. If a question comes up about the safety of any product we have manufactured, we had better have full records on where all the components came from and other details, such as identities of people who inspected and certified product perfection. There is no statute of limitations on product safety in the USA. We have to store that kind of data to infinity.

Since some data must be stored for a long, long time, there is an issue not just of security to block inappropriate access, but also what kind of media it should be stored on. Today CDs or DVDs make sense, but some data was on various shapes of diskettes when we first got that data, and magnetic media is known to only hold the data reliably for like 10 years in climate-controlled conditions. This varies with the quality of the diskette or tape manufacturer, and some media is particularly prone to getting messed up so we can't read it, like a tangled tape, or a diskette out of registration with the device that reads it. Even then, I like to have more than one set of backups.

There is a link in turn to www.dca.gov.uk/foi/datprot.htm and http://www.dca.gov.uk/ccpd/about.htm#4

My interpretation of this is that the act does not ban core business activities. I consider the testing of software changes to be a core business activity, and I see no place here where the act disagrees with me, although I have not read all of the content here.

http://www.networkworld.com/news/2006/070506-firms-play-data-protection.html?nlhtsec=070306securityalert3

By Radhika Praveen, TechWorld, 07/05/06

Large numbers of companies are taking risks with data protection, because they are not aware of the requirements of the law.

Nearly half (44%) of companies use live data in test environments -- something the 1998 Data Protection Act warns against explicitly, according to a recent survey of IT directors by Compuware. Half the directors (48%) were only 'vaguely familiar' with the Act itself, according to the research, which highlights the importance of understanding the demands and keeping track of how customer data is treated.

A further "83% used only minimal measures such as using non-disclosure agreements (NDA) to control data when outsourcing," said Ian Clarke, worldwide enterprise solutions director at Compuware.

NDAs are all very well, but companies find it difficult to communicate the complex legal terms to their employees or to outsourcing partners, said the survey report. "Unless they have rigorous procedures in place, they run the risk of live data being leaked to third parties. This can have severe repercussions on customer confidence and company reputation, and ultimately affect the bottom line," Clarke added.

An NDA doesn't mean a lot when an employee in an outsourcing company in India, for example, who earns $100 a day can earn much more by selling confidential data, he said.

[...]

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/errata/dataloss/

- Al Macintyre http://en.wikipedia.org/wiki/User:AlMac http://www.ryze.com/go/Al9Mac
BPCS/400 Computer Janitor ... see http://radio.weblogs.com/0107846/stories/2002/11/08/bpcsDocSources.html