We mentioned earlier how much data is worth nowadays. And anything with value is something someone will attempt to steal.
There seems to be a never-ending series of stories in the news about data breaches occurring at all different types of organizations. If you do a search for Data Breaches in 2023, Google will return 366,000,000 results at the halfway point in the year. https://www.google.com/search?q=data+breach+2023
CNN listed the top 10 in 2023 at the halfway point for the year. They included two state government agencies, as well as several nationwide companies like T-Mobile (https://www.crn.com/news/security/the-10-biggest-data-breaches-of-2023-so-far-). In some cases, these breaches affected millions of accounts.
Therefore, you should constantly ask: who is responsible for your data security?
The Bad Actors
The bad actors are clearly the people who are doing the evil deeds. These could be individuals, criminal organizations, and even countries in some cases. Sometimes the goal is to disrupt a company; sometimes it is to steal company data. Remember how much data is collected by organizations. This could be company trade secrets, such as information about a new product, or it could be data about your users. There are financial motives for stealing both types of data, as your data has value to both legitimate companies and criminal organizations/individuals.
The problem would go away if the “bad actors” simply quit doing what they do. However, while some might have a change of heart, the sad fact is that there are more people who are going to take their place.
I don’t think we can expect bad actors to change their ways en masse.
The Organization
Most legislation says that the protection of data falls upon the organization that has collected it. This seems reasonable since they are the ones who are holding on to it. However, most only require that the data be reasonably secured. What does this mean?
Well, think about your doctor’s office. There are patient records which are private. If the receptionist left all the documents out in public, they could not be considered reasonably secure. However, if they are in a cabinet that only staff have access to under normal circumstances, that is reasonably secure. If, when the office closes down, they make sure the doors are locked, and maybe the cabinets too, then it is considered reasonably secure.
However, let’s say a thief breaks in by picking the locks. The locks couldn’t keep them out, but they kept out normal, reasonable people. It’s just that someone went beyond reasonable…
The same idea applies to computer systems. A business cannot foresee every possible way someone might break in. Likewise, a bad actor may have the time and/or skills to break in even against hardened computer targets, so no business can be completely secure.
That means that if a company detects a break-in, it needs to report it. This is a secondary requirement in a lot of online regulations. Not all companies do this, however, at least not in a timely manner. And not all companies know exactly how much data was taken, viewed, and/or manipulated. This can lead to both over- and under-reporting of the severity of a breach.
Yourself
You must also consider yourself and your role in privacy. Consider the fact that people often share photos of their kids, their kids’ names, vacation plans, etc. online, where it is publicly visible. Imagine posting your plans, and when you weren’t going to be home, on the wall of your local store, church, etc.!
What people post, and have gotten used to posting, allows for people to be easily hacked, manipulated, etc. This could be entering data into a “game” which starts off with “Most people can’t remember their first pet’s name…” or something similar.
We need to be careful how and what we share with people. As a habit, I don’t mention my children’s names online. Only “first son, middle son, and youngest son.” My friends all know who they are, and don’t have to ask. I do it so much, I found myself doing it in normal conversation, and a coworker who hadn’t met my sons but once or twice had to ask their names… I thought it was funny, but it also showed the lengths I went to protect their identities.
Recently, Mark Zuckerberg was called out for protecting the image of his kids by covering their faces with emojis. This is a good practice in general, but funny considering how much he wants us to share our entire lives, and how much his platforms support it. — https://www.cnn.com/2023/07/15/opinions/social-media-zuckerberg-instagram-children-privacy-kumar/index.html
You also have to think, do I need to share this information? Think of what is being asked. Do I really want that to go out to everyone?
In some cases you have little to no choice. If you apply for a job, they need your SSN, or if you are setting up an auto-bill pay, they need your bank account or credit card number. But there are many times when we, as individuals in a sharing society, overshare information that we shouldn’t. As such, we need to be cautious to limit our exposure, and prevent unnecessary damage when a leak does occur, as it isn’t a matter of if, but when.
Ethical Questions
What is an appropriate punishment for people who steal/hack data from systems?
Should companies ever be let off the hook for lost/stolen data?
How much work should go into preventing data loss?
How much are we as individuals at fault?
Data Security – Who’s Responsible for Your Data? was originally found on Access 2 Learn