I have been giving a great deal of consideration to the ethics of data storage and manipulation lately. I have documented in the past certain extreme lapses in database security, and additional lapses are routinely reported. The recent indictment of Albert Gonzalez (http://www.usdoj.gov/opa/pr/2009/August/09-crm-810.html) is but one example.
In my own life, I have been the victim of data theft at least twice. In both cases, a credit card number was stolen. Once, by a waiter who swiped the magnetic stripe of my card twice – once for the restaurant and once to sell the data. The second time resulted from a hack of a vendor I have done some business with, though I do not know the exact nature of this hack. Just this morning, we were informed that one of my wife’s credit card numbers had been used for purchases outside of the USA. We do not know how this particular theft occurred yet.
Start with what should be a self-evident proposition: when you are entrusted with sensitive information, you have a duty to prevent the misuse of that information. In Buddhism one has a duty to reduce the suffering in the world. In Islam, there is an affirmative duty to prevent crime. While no Bible or Torah quote springs to mind, I find it difficult to believe that a Rabbi or Christian minister would reject this proposition.
This duty arises from the basic, though unspoken, properties of the commercial transaction. I pay for goods or services via a credit card, thus providing the merchant with access to my line of credit for the limited purpose of obtaining the agreed-upon funds. The merchant does not have permission to use or distribute that access to anyone else for any other purpose. I trust the merchant to limit access to this information for that limited purpose only. The merchant breaks that trust when he allows access by others to this information, whether intentionally or through his failure to exercise reasonable care.
Again and again I am amazed at the failure of organizations to take even the most basic steps to secure data, ensuring that people (myself included) will become the victims of identity theft. In the case of my wife and me, we were lucky that our credit card company caught the issue early (and bravo to whoever wrote the data mining programs at Citibank to catch these crimes early).
Others are not so lucky. Mr. Gonzalez and his associates are alleged to have stolen 130 million credit and debit card accounts from several companies. Radisson hotels recently revealed a security breach that resulted in theft of credit card data in the United States and Canada.
Yet, even with these reports in the news and with an ever-increasing amount of cyber crime, I routinely find the cyber-security equivalent of a bank leaving piles of cash deposits in the lobby. I would like to propose that we, as database professionals, take upon ourselves a code of professional responsibility. I would love to get input on this, but I think the first step would be this commitment:
Recognizing that people entrust their identity, personal and financial data to me, I have taken on a sacred duty to protect that data and, thereby, protect the people who have placed their trust in me. I will take all reasonable steps to ensure the safety and security of that data in its storage and transmission.
Reasonable steps would include:
• Ensuring network protections are available to safeguard against unauthorized access
• Ensuring software is written to prevent SQL injection attacks
• Logging and auditing all data access
• Ensuring that access to system administration accounts and DBO accounts is limited to appropriate staff
• Strictly limiting data access to the data one needs to do one’s job, and no more
• Encrypting all sensitive data in storage
• Encrypting all sensitive data in transit
• Ensuring that all security patches, anti-virus and anti-intrusion software are working and up to date
• Preventing the storage of sensitive data on local systems, laptops and thumb drives
• Requiring all users to use strong passwords
Got any more?