March 25, 2014

From the Desk of David Childers – No Such Thing as Data Security

Toby Graham Big Data, CyberSecurity, NSA

During the past few weeks, I have been traveling extensively and learning more and more about the concerns that exist around the US related to cyber-security. A few times a year, I deliver a lecture to industry groups and graduate students regarding the current state of cyber-threats and the need for cyber-vigilance. The first thing that I must get everyone to agree with during my talk is that there is no such thing as data-security.

We also must accept that there is no such thing as data-privacy either. We are all so happy to have the convenience of Internet-based shopping, banking and social-interaction; but this machine-based interaction comes at a price. Keep that in mind when you’re pissed that you are a part of the big-data analytics discovery – get over it.

I recently attended the International Association of Privacy Professional’s (IAPP) Annual Summit and I had the pleasure to attend a session presented by Peter Swire, who was selected by President Obama to review the NSA’s activities and data collection. Swire’s session was very lucid and enlightening, and was quite respectful of the NSA’s activities, expressing several times that the NSA had done nothing illegal. Swire also said that in our “post 9-11” mind-set, the NSA had responded with a clear and demonstrable resolve to keep us safe; but he noted that these powers had been delivered during a time of crisis and that America should take this opportunity to review and refine the power of the NSA – something that has not been done since the late 1960’s.

There was also a great deal of “love” for Target at the summit. Seriously. The members all recognized that it could have been Wal-Mart, Lowes, Home Depot, Macy’s; you pick one, who took the hit. Bottom-line, it was going to be someone and everyone in the room knew it was bound to happen.

For all of us data breach is not a matter of if, but when.

When speaking on this subject, I ask people to raise their hands if they have experienced a data-breach first hand. In the last three years, I’ve seen the number of hands raised grow by a factor of five or six to where more than 70% of the audience has been affected. One of the things I share, and I hope you will think about this, is that I have a security service engaged to monitor my grandchildren. They are ages two, three and five, and thanks to an IRS requirement, they each have a social security number, birth record and viable address. Everything you need to generate a loan or open a credit card. So when my three-year-old grandson “buys a car” I will know about it, rather than waiting until he is older and realizing that his personal credit history is ruined.

Although there is a lot more to be said about data protection, the real issue is data collection. The important question is in a “big data” world, what is the acceptable use of the data that is collected?

Here is the best example I can leave you with:

You and your spouse determine to allow your automotive insurance company the right to track your driving habits in order to lower your premium rate. Unfortunately your spouse was involved in an accident. Should it be allowed that this data be used to determine if they had been at a tavern prior to the accident? Should your spouse, who is concerned you are cheating on them, be able to obtain these records to pinpoint your whereabouts? Is this the use that was designed for the data? No. But today it is wide open to any use and we are collecting more than 2.5 Exabyte (2.5×10¹⁸) of data on a daily basis (the Exabyte was defined in 2011). We collect more data every day than we did in total for the last 60 years.

So get over it – big data is here to stay. The question is how do we use it?

*Infographic courtesy of DOMO from the Domosphere