As you may know, California Senate Bill 1386
(and equivalent bills in many other states) imposes a duty on data
controllers to notify the data subject if there has been an unwanted
disclosure of their personally identifiable information (PII).
There isn't an exact equivalence between SB1386 and the UK Data Protection Act, but the Information
Commissioner's Office 'Audit Checklist' for Data Protection Act
compliance does include an item asking 'how data subjects are made
aware of disclosures of their information'.
As described in this story on the BBC site, a UK local authority has just had to go through this the bad way.
I blogged back in December 2006 about the highly questionable practice
whereby the Audit Commission obtains the payroll details of an
arbitrary subset of public sector employees (and therefore in some
instances also the bank details of their spouses).
One of the questions raised then was what measures were taken to protect such data in transit. In this council's case, the data was password protected and written to CD. The CD was then posted to the Audit Commission, but didn't arrive. So a second copy was sent... but didn't arrive. The third copy did, but the council has written to all those concerned to notify them of the breach, and the possibility that the subjects' PII may be open to abuse.
At a recent conference on 'Civil Contingencies and the Critical National Infrastructure' I asked the audience the following question: "If you suspect you've had a Mass Data Compromise, what signs would you look for to see if your data is 'out in the wild'?"
One of the participants said "I seed my database with bogus employee records... so if we ever spot one of those in the wild, we know there's been a breach because that information doesn't exist anywhere else."
This raises a really interesting practical problem, particularly if public sector data sharing is to become as widespread as the government appears to intend: what do you do when (rather than suffering a breach) you have to disclose all the data to a third party?
- If you send everything except the bogus records, then they lose all their effectiveness as a forensic measure.
- If you send the bogus records as well, and they do later show up in the wild, you know someone's had a breach, but you don't know if it was you or the other party; the more other public sector bodies you have to share the data with, the more intractable this problem gets.
- There's also a very predictable short-term consequence, which is that if you include the bogus records, you'll get a deluge of fraud allegations from the Audit Commission because you appear to have a load of non-existent people on your payroll - with spurious bank details and everything.
It's a knotty problem.
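To make the first two bullets concrete, here is an added example (not code from the original post or from the conference participant) of how seeded records work as a forensic check, and why sharing the same seeded extract with a third party leaves you unable to say whose copy leaked. It keeps a registry of keyed fingerprints rather than the bogus PII itself, so the check can be run without holding the fake records in plain form. The final scenario goes one step beyond the post: giving each recipient its own distinct canary set, which restores attribution for the first two bullets but does nothing for the third (the recipient still sees people who don't exist). All names, sort codes, account numbers, the recipient labels and the fingerprint key are constructed placeholders.

```python
"""Seeded 'canary' payroll records: detecting a leak, and the attribution
problem once the same extract is shared with a third party.

Added example, not from the original post. Every value below is constructed.
"""
import hashlib
import hmac
import random
from dataclasses import dataclass

# Key for fingerprinting records so the registry never stores the bogus PII
# itself. Constructed value for the example; in practice keep it secret.
FINGERPRINT_KEY = b"example-only-fingerprint-key"


@dataclass(frozen=True)
class PayrollRecord:
    name: str
    sort_code: str
    account: str


def fingerprint(rec: PayrollRecord) -> str:
    """Keyed hash over normalised fields: equal records give equal digests."""
    msg = "|".join([rec.name.strip().lower(), rec.sort_code, rec.account]).encode()
    return hmac.new(FINGERPRINT_KEY, msg, hashlib.sha256).hexdigest()


def make_canaries(n: int, seed: int) -> list[PayrollRecord]:
    """Generate n bogus records. Deterministic per seed, so one seed per
    recipient yields a distinct but reproducible canary set."""
    rng = random.Random(seed)
    firsts = ["Avery", "Blake", "Casey", "Devon", "Emery", "Finley"]
    lasts = ["Quintrell", "Sarrow", "Tamsett", "Umbridge", "Vellacott"]
    out = []
    for _ in range(n):
        out.append(PayrollRecord(
            name=f"{rng.choice(firsts)} {rng.choice(lasts)}",
            sort_code="%02d-%02d-%02d" % tuple(rng.randrange(100) for _ in range(3)),
            account="%08d" % rng.randrange(10**8),
        ))
    return out


def build_registry(canaries_by_holder: dict[str, list[PayrollRecord]]) -> dict[str, set[str]]:
    """Map fingerprint -> set of data holders whose copy contains that canary."""
    registry: dict[str, set[str]] = {}
    for holder, canaries in canaries_by_holder.items():
        for rec in canaries:
            registry.setdefault(fingerprint(rec), set()).add(holder)
    return registry


def attribute_sighting(sighting: PayrollRecord, registry: dict[str, set[str]]) -> set[str]:
    """Which holders could a record 'seen in the wild' have leaked from?
    Empty set: not a canary. One holder: unambiguous. Several: ambiguous."""
    return set(registry.get(fingerprint(sighting), set()))


def shared_canary_scenario() -> set[str]:
    """Bullet two: the council's own database and the extract sent to the
    auditor carry the same bogus records, so a sighting implicates both."""
    shared = make_canaries(3, seed=1)
    registry = build_registry({"own_db": shared, "audit_commission": shared})
    return attribute_sighting(shared[0], registry)


def per_recipient_canary_scenario() -> set[str]:
    """Beyond the post: a distinct canary set per copy. A sighting of one of
    the extract's canaries now names the copy that leaked."""
    copies = {
        "own_db": make_canaries(3, seed=1),           # stays in the council's DB
        "audit_commission": make_canaries(3, seed=2),  # only in the posted extract
    }
    registry = build_registry(copies)
    return attribute_sighting(copies["audit_commission"][1], registry)


if __name__ == "__main__":
    print("shared canaries  ->", shared_canary_scenario())
    print("per-copy canaries ->", per_recipient_canary_scenario())
```

The registry deliberately holds a set of holders per fingerprint rather than a single name, so the general case of several recipients (the post's "more intractable" case) falls out naturally: an ambiguous result is reported as the full set of copies that contained the record.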



Posted by John Sandell on March 23, 2007 at 12:12 PM GMT+00:00 #
The Audit Commission are very bullish about the fact that this process has been operating for 8 years already, and they're not aware of any security exposures... My take on that is: given that this is a very stable many-to-one relationship, 8 years is quite long enough to have addressed the practicalities of providing adequate cryptographic protection for the sensitive data. Arguably, not to have done so indicates a lack of concern for the data subjects' privacy, whatever the Audit Commission's risk assessment may have indicated.
Incidentally, there may be more to this than meets the eye: 'suspension pending a disciplinary' seems relatively harsh if the council officer in question was merely implementing the procedure for sending this data in.
Apparently the Audit Commission's guidelines recommend using a courier, or at least recorded delivery...
Posted by Robin Wilton on March 23, 2007 at 12:34 PM GMT+00:00 #