Interesting People mailing list archives

Yet another university data breach; Feinstein to demand encryption


From: David Farber <dave () farber net>
Date: Wed, 06 Apr 2005 16:13:54 -0400


------ Forwarded Message
From: Ross Stapleton-Gray <amicus () well com>
Date: Wed, 06 Apr 2005 10:57:18 -0700
To: <dave () farber net>, johnmac's living room <johnmacsgroup () yahoogroups com>
Subject: Yet another university data breach; Feinstein to demand encryption

The SF Chronicle's David Lazarus writes on yet another university data
breach, this time at UC San Francisco:
http://sfgate.com/cgi-bin/article.cgi?f=/c/a/2005/04/06/BUGEOC3L5N1.DTL

(Disclaimer: I was the first and only IT Security Officer (a policy
position) in the UC Office of the President; I was hired by a CIO who'd
been recruited away from the Pentagon, but who left UC shortly after I was
hired... my position was eliminated after about a year.  I do not think I
was effective, largely because management was unwilling to accord IT
security any real support.  Information management in a university
environment is chaotically crazy by nature, but decisions were also made
that demanding that we conform to our own IT management policies was
impermissibly "rocking the boat.")

The new wrinkle in the Lazarus article is the news that California Senator
Dianne Feinstein will "introduce federal legislation within the next few
days requiring encryption of all data stored for commercial
purposes.  "What this shows is that there is enormous sloppy handling of
personal data," Feinstein said."

It may be that UCSF is the final straw, but it feels like this is the
ChoicePoint breach talking.  Hopefully any (useful) requirements in a
Feinstein bill aren't confined to "data stored for commercial purposes,"
unless she's willing to define that to include such things as university
admissions data (a la the previous UC Berkeley breach).

But I say "useful"... merely mandating, "data must be encrypted," is like
finding spoiled food in the 'fridge, and mandating that all foods will be
in containers, without an acknowledgement that corrugated cardboard is
different from plastic, that foods have shelf lives, and that some require
special handling, e.g., child-proof tops on some pharmaceuticals.  And
goodness knows a poor implementation of encryption can be worse than none
at all.

At the root of this, really, is more a problem of records management than
one of IT security.  What I saw in my year at UC was local IT security
administrators fighting fires (e.g., installing anti-viral software,
tending to IDSes) in an abandoned and decrepit building: records management
was so woefully neglected that one couldn't identify all of the sensitive
information holdings, let alone who was responsible for them; awareness of
responsibilities of those who owned sensitive records was minimal; tools
for protecting sensitive information, e.g., deidentifying personal
information (there's far less of a problem in losing 100,000 records, if
each record is tagged with a pseudonymous serial, instead of a name and
SSN, say), absent; etc., etc.

The Chancellor of UC Berkeley has announced that he'll "engage one of the
nation's leading data-security management firms to conduct an immediate
external audit of how the campus handles all personal information," this in
response to their own March 11th breach (when a laptop with 100,000
personal records was stolen):
http://idalert.berkeley.edu/chancellorletter.html  I think the scope of
what's found will surprise him.

As another marker, I was intrigued while at UC to see a marked difference
in paper vs. electronic, in the area of forms soliciting personal
information.  By California law, such forms are required to include
something like eight different information elements, describing what the
information collected is to be used for, etc.  If you find *paper* forms
reproduced on the Web in PDF, on various UC campus sites, they do bear
those required elements.  If you find forms created for the Web, they often
do not.  Why?  Almost certainly because the former have passed through
well-worn, formal channels to publish administrative forms; the latter were
thrown up by anyone with a bright idea, a need and access to a Web server.

Ross

-----

Ross Stapleton-Gray, Ph.D.
Stapleton-Gray & Associates, Inc.
http://www.stapleton-gray.com

------ End of Forwarded Message
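As an added illustration of the deidentification point in the message above (a pseudonymous serial in place of name and SSN, so that losing a working copy of 100,000 records exposes far less): the example below is not code from the original post or from UC. It assumes the institution holds a secret tokenization key and a re-identification table under stricter controls than the everyday working set; the sample records, names and SSNs are constructed.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictional names and SSNs, not real data).
RAW_RECORDS = [
    {"name": "Alice Example", "ssn": "123-45-6789", "gpa": 3.7, "admitted": True},
    {"name": "Bob Sample", "ssn": "987-65-4321", "gpa": 3.1, "admitted": False},
    # A second record about the same person: both must map to one serial.
    {"name": "Alice Example", "ssn": "123-45-6789", "gpa": 3.8, "admitted": True},
]

# Fields that identify a person and must not appear in the working set.
IDENTIFIERS = ("name", "ssn")


def pseudonym(key: bytes, ssn: str) -> str:
    """Keyed pseudonymous serial: HMAC-SHA256 over the normalised SSN.

    The same SSN always yields the same serial, so records about one person
    stay linkable.  The key is what makes the serial safe to lose: an
    unkeyed hash of a nine-digit SSN could be reversed by enumeration,
    whereas without the key the serial reveals nothing about the SSN.
    """
    normalised = ssn.replace("-", "")
    return hmac.new(key, normalised.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify(records, key: bytes):
    """Split records into a working set and a re-identification table.

    working_set: records with name/SSN replaced by a serial.  This is the
                 copy that ends up on laptops, spreadsheets and web servers.
    table:       serial -> identifiers, stored separately under the same
                 controls as the key, and consulted only when a name is
                 genuinely needed.
    """
    working_set = []
    table = {}
    for rec in records:
        serial = pseudonym(key, rec["ssn"])
        table[serial] = {k: rec[k] for k in IDENTIFIERS}
        working_set.append(
            {"serial": serial, **{k: v for k, v in rec.items() if k not in IDENTIFIERS}}
        )
    return working_set, table


def reidentify(working_set, table):
    """Restore identifiers for an authorised use, given the separate table."""
    return [
        {**table[rec["serial"]], **{k: v for k, v in rec.items() if k != "serial"}}
        for rec in working_set
    ]


def contains_identifiers(records) -> bool:
    """Check a data set before it leaves controlled storage."""
    return any(k in rec for rec in records for k in IDENTIFIERS)


if __name__ == "__main__":
    # In practice the key lives in a key store, never beside the working set.
    key = secrets.token_bytes(32)
    working_set, table = deidentify(RAW_RECORDS, key)
    print("working set carries identifiers:", contains_identifiers(working_set))
    for rec in working_set:
        print(rec)
    print("round trip matches:", reidentify(working_set, table) == RAW_RECORDS)
```

The design choice worth noting is that the working set, not the key, is the artifact most likely to walk out the door on a stolen laptop; the keyed serial keeps it useful for analysis (repeat records still join on the serial) while the identifiers stay in a much smaller table that can be protected and audited on its own.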



Archives at: http://www.interesting-people.org/archives/interesting-people/