Yesterday I talked a bit about the regulations that might affect all of us with regard to securing and managing our databases. Knowing which regulations affect you and what must be done to comply is only a portion of the issue. The other one is liability.
I was amazed by this blog post about liabilities for data breaches, written after the Best Western security hack. I can sympathize with the problems, but I'm not sure where the liability should be. If you want to see some extreme suggestions, browse the Slashdot discussion. Note that the Best Western case might not even be as bad as originally reported.
The crux of the issue for me is the liability portion. Who is liable for the loss of data. In the case of Best Western is it the employee that clicked on something and had a trojan installed on their machine? If there were trojan software on multiple machines, do all those people share liability? Is it the server administrators for not securing the machines properly? Is it the firewall people for their security methods? Is it the director of IT, the CIO, the CEO, or all of the above? Or is it merely the corporation?
While it's easy to punish the corporation, and possibly the executive officers, and they should have some liability, to what extent are they responsible for the technical configuration of the machines? Do we examine the budget and workload to determine if they allocated enough resources to do a reasonable job?
Or do we go to the individual people responsible for securing machines: the DBAs, the developers, the system administrators. Are we going to penalize them for improperly developing things? What about mistakes like clicking the wrong checkbox? A blank password gets you sued, but a certificate used for logins protects you? I know if I'm personally liable, I'm not going to store much data at all and certainly no credit card data.
Determining liability for these data breaches is hard. People do dumb things all the time and get away with them. They shouldn't be allowed, but when we place restrictions on them, especially IT people, they complain to no end about the shackles that prevent them from doing their job. It's almost a no win battle, and each individual's decision not to comply with the rules and regulations is as much a problem as the lack of staff, budget, or time to do the job right.
Computer systems are a big expense to any company, and staff even more so. While the pace of work might need to slow to accommodate staffing, rather than the other way around, each of us doing our part to follow best practices and not take those short cuts. It's up to each individual to hold the line, or perhaps, secure a release from liability from management. However you can't be grossly negligent at your job either. Failing to implement a password, or a strong password, might expose you to some liability.
I hate to recommend it, but I think this is a place where government regulations should come into play to protect each person's ability to do a job and ensure that companies spend adequate resources (time and money) to properly secure things. And they should provide for whistleblower protections: otherwise companies will threaten people's jobs while trying to skirt regulations.
Steve Jones
The Voice of the DBA Podcasts
The podcast feeds are now available at sqlservercentral.mevio.com to get better bandwidth and maybe a little more exposure :). Comments are definitely appreciated and wanted, and you can get feeds from there.
or now on iTunes!
- Windows Media Podcast - 44.7MB WMV
- iPod Video Podcast - 34.4MB MP4
- MP3 Audio Podcast - 6.9MB
Today's podcast features music by Everyday Jones. No relation, but I stumbled on to them and really like the music. Support this great duo at www.everydayjones.com.
I really appreciate and value feedback on the podcasts. Let us know what you like, don't like, or even send in ideas for the show. If you'd like to comment, post something here. The boss will be sure to read it.