March 11, 2015
Ethical Sensitive Data Handling
Current events with regard to public and private officials
handling sensitive data have given rise to the larger question: beyond legal
requirements, what is the right thing
to do when it comes to handling sensitive data?
Indeed, data handlers in both the public and private sectors have a
responsibility to handle that data with integrity, keeping in mind whom they
are serving while handling the data. We’ll
explore some of the different considerations here:
Sensitive Data Handling in the Private Sector
There’s no doubt that data security and the threats posed
by both internal and external data breach perpetrators have become a very hot
topic in recent months. External hacking
attacks upon the systems at eBay, Home Depot, Staples, Google and Anthem are
just a few of the high-profile examples of the external threats that exist with
regard to data security. But what ethical
obligation do those companies have with regard to handling your sensitive
data? I would suggest that the base level
of ethical responsibility is the same across the board, no matter the
industry. Whether the company is
handling your credit card number or your healthcare records, they all have a
basic ethical responsibility to treat the trust their customers place in them
with the highest regard. As consumers,
we all have a choice of who earns and keeps our business. The waters get a little muddier when the data
handler is an employer-sponsored insurance company, but the fact remains that
you still have a choice. Fortunately, it
appears that most companies do understand this ethical obligation, even if only
after a breach has occurred and when “prosecuted” in the court of public
opinion.
Beyond credit card numbers, email addresses & other
personal information, certain industries have an even higher ethical
responsibility to handle your data securely.
The obvious recent example is the data breach at Anthem, an extremely
large health insurance company which warehouses the healthcare information for
millions of customers. There are several
reasons why the doctor-patient legal privilege exists, not the least of which
is the sensitivity of the information shared between patients and their
healthcare providers. Regulations and
laws such as HIPAA are in place to try and force healthcare providers and their
associated industries (i.e., insurance companies) to do the right things
insofar as patient privacy, but we still see outdated, insecure practices like
pen-and-paper sign-in clipboards in doctors’ offices and examining room doors
being left open while awaiting treatment or while under treatment. These violations are minor in comparison to a
large data breach, but they signal a larger systemic problem in healthcare data
security, HIPAA compliance and patient privacy – the onus for patient
confidentiality is ultimately on the healthcare provider and carelessness or
complacency is no excuse to sacrifice patient information security.
However, we as the “consumers” of health care
need to also educate ourselves on the best practices of patient privacy and
hold our healthcare providers to those standards.
It bears noting that healthcare is only one example of this
ethical responsibility. Other industries
that bear an ethical and oftentimes legal responsibility for client
information security are legal practitioners, financial institutions and the
government.
Ethical Data Handling in the Public Sector
The “pink elephant in the room” example with this particular
subject is the recent story of Hillary Clinton and her handling (or rather
mishandling) of potentially vital emails through use of a personal email
address for official U.S. State Department business. While the media pundits and critics from both
sides of the political spectrum will debate her actions as legal or illegal,
the more poignant question is, was it
ethical? I submit the answer is a
resounding “NO!”
Political ideology aside, let’s explore the common-sense
side of data storage that is potentially vital to our national security on a
private email server. The first
consideration is accountability. It was
reported today that Clinton may have “deleted” upwards of 30,000 emails from
this personal server, and by her own admission used the personal email for
official business, but it was legal because there’s no law against it. This would seem to be an obvious example of
an instance where the law has not yet caught up with technology, which is a
repeated theme in the legislature and court decisions. Public officials are placed in positions of
public trust. The higher the position,
the more the public has implied trust in the person holding that position. But trust is backed up by verification, or in
this case, transparency. Unfortunately,
transparency is out the window because Clinton allegedly deleted half of the
emails lying on the server. Does that
mean our trust should be out the window too?
The other notable area with regard to ethical data handling
by public officials is the security of that data. The Federal Government has regulations,
standards & practices in place for secure data handling. If a public official handles his or her data
privately, they are not necessarily subject to those standards, presenting a
very convenient loophole. Even if they
are subject to data security standards, the government may have trouble
compelling an employee to turn over personal data, even when mixed with
official communications. However, those data
security standards are in place because there are other nations that would be
very interested in any and all data from the public sector they can get their
hands upon to exploit. I recently saw a
tweet from an information security professional that read: “Maybe the American
People didn’t know Hillary had a private email server, but the enemies of our
State sure did!” No truer words have
been spoken. If Clinton was handling
official business on a private email server, as she has admitted, what security
measures were in place to handle the data?
What server logging, monitoring, incident response or data encryption
was in place? If we take Clinton at her
word, she used one email and one device “for convenience”. Is it possible none of these security
measures were put in place because of the same convenience mindset?
Was anyone really over her shoulder looking? (Picture credit: ABC News)
While Hillary Clinton’s mishandling of sensitive data has provided
a great example here, the responsibility for ethical data handling is not
limited to the Federal Government or officials in high-ranking positions. Federal, State & Local officials at every
level bear the same responsibility.
Local and State Departments of Social Services not only warehouse client
information, but may also have healthcare-related and highly sensitive and
confidential information about their clients. Local and State public safety agencies
warehouse data for every ambulance call, police report, traffic stop and
personal encounter with virtually everyone they come into contact with,
including those involved in a personal health crisis. While these incidents may be exempt from
HIPAA, that doesn’t mean the data is any less sensitive. These examples are just two of many that
illustrate the need and responsibility for ethical data handling at all levels
of the government.
Conclusions
High-profile cases have certainly created an increased
awareness of data security, but the practice and implementation of real data
security measures is still reactionary at best.
To be sure, virtually everyone in every industry (including digital
forensic consultants & bloggers) is responsible for some sort of sensitive
data and bears responsibility for ethical data handling that goes beyond simple
legal requirements. The Golden Rule
applies across the board, no matter your industry and can be applied to data
handling as well – Handle others’ data as
you would handle your own.
In the end, ethics and integrity go hand-in-hand. Integrity means doing the right thing, even
if no one is watching. So let’s all
start taking the proactive measures required to handle sensitive data not just
to the legal standard, but to high ethical standards worthy of the trust of our
clients, customers and the public at large.
Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Principal Consultant
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia
Available Globally
Twitter: ProDigital4n6