Current events with regard to public and private officials handling sensitive data have given rise to the larger question, beyond legal requirements, what is the right thing to do when it comes to handling sensitive data? Indeed, data handlers in both the public and private sectors have a responsibility to handle that data with integrity and keeping in mind who they are serving while handling the data. We’ll explore some of the different considerations here:
Sensitive Data Handling in the Private Sector
There’s no doubt that data security and the threats posed from both internal and external data breach perpetrators has become a very hot topic in recent months. External hacking attacks upon the systems at eBay, Home Depot, Staples, Google and Anthem are just a few of the high-profile examples of the external threats that exist with regard to data security. But what ethical obligation do those companies have with regard to handling your sensitive data? I would suggest that the base-level of ethical responsibility is the same across the board, no matter the industry. Whether the company is handling your credit card number or your healthcare records, they all have a basic ethical responsibility to treat the trust their customers place in them with the highest regard. As consumers, we all have a choice of who earns and keeps our business. The waters get a little muddier when the data handler is an employer-sponsored insurance company, but the fact remains that you still have a choice. Fortunately, it appears that most companies do understand this ethical obligation, even if only after a breach has occurred and when “prosecuted” in the court of public opinion.
Beyond credit card numbers, email address & other personal information, certain industries have an even higher ethical responsibility to handle your data securely. The obvious recent example is the data breach at Anthem, an extremely large health insurance company which warehouses the healthcare information for millions of customers. There are several reasons why the doctor-patient legal privilege exists, not the least of which is the sensitivity of the information shared between patients and their healthcare providers. Regulations and laws such as HIPAA are in place to try and force healthcare providers and their associated industries (i.e., insurance companies) to do the right things insofar as patient privacy, but we still see outdated, insecure practices like pen-and-paper sign-in clipboards in doctor’s offices and examining room doors being left open while awaiting treatment or while under treatment. These violations are minor in comparison to a large data breach, but they signal a larger systemic problem in healthcare data security, HIPAA compliance and patient privacy – the oneness for patient confidentiality is ultimately on the healthcare provider and carelessness or complacency is no excuse to sacrifice patient information security.
However, we as the “consumers” of health care need to also educate ourselves to the best practices of patient privacy and hold our healthcare providers to those standards.
It bears noting that healthcare is only one example of this ethical responsibility. Other industries that bear an ethical and often times legal responsibility for client information security are legal practitioners, financial institutions and the government.
Ethical Data Handling in the Public Sector
The “pink elephant in the room” example with this particular subject is the recent story of Hillary Clinton and her handling (or rather mishandling) of potentially vital emails through use of a personal email address for official U.S. State Department business. While the media pundits and critics from both sides of the political spectrum will debate her actions as legal or illegal, the more poignant question is, was it ethical? I submit the answer is a resounding “NO!”
Political ideology aside, let’s explore the common-sense side of data storage that is potentially vital to our national security on a private email server. The first consideration is accountability. It was reported today that Clinton may have “deleted” upwards of 30,000 emails from this personal server, and by her own admission used the personal email for official business, but it was legal because there’s no law against it. This would seem to be an obvious example of an instance where the law has not yet caught up with technology, which is a repeated theme in the legislature and court decisions. Public officials are placed in positions of public trust. The higher the position, the more the public has implied trust in the person holding that position. But trust is backed up by verification, or in this case, transparency. Unfortunately, transparency is out the window because Clinton allegedly deleted half of the emails lying on the server. Does that mean our trust should be out the window too?
The other notable area with regard to ethical data handling by public officials is the security of that data. The Federal Government has regulations, standards & practices in place for secure data handling. If a public official handles his or her data privately, they are not necessarily subject to those standards, presenting a very convenient loophole. Even if they are subject to data security standards, the government may have trouble compelling an employee to turn over personal data, even when mixed with official communications. However, those data security standards are in place because there are other nations that would be very interested in any and all data from the public sector they can get their hands upon to exploit. I recently saw a tweet from an information security professional that read: “Maybe the American People didn’t know Hillary had a private email server, but the enemies of our State sure did!” No truer words have been spoken. If Clinton was handling official business on a private email server, as she has admitted, what security measures were in place to handle the data? What server logging, monitoring, incident response or data encryption was in place? If we take Clinton at her word, she used one email and one device “for convenience”. Is it possible none of these security measures were put in place because of the same convenience mindset?
Was anyone really over her shoulder looking? (Picture credit: ABC News)
While Hillary Clinton’s mishandling of sensitive data has provided a great example here, the responsibility for ethical data handling is not limited to the Federal Government or officials in high-ranking positions. Federal, State & Local officials at every level bear the same responsibility. Local and State Departments of Social Services not only warehouse client information, but may also have healthcare-related and highly sensitive and confidential information about their clients. Local and State public safety agencies warehouse data for every ambulance call, police report, traffic stop and personal encounter with virtually everyone they come into contact with, including those involved in a personal health crisis. While these incidents may be exempt from HIPAA, that doesn’t mean the data any less sensitive. These examples are just two of many that illustrate the need and responsibility for ethical data handling at all levels of the government.
High-profile cases have certainly created an increased awareness of data security, but the practice and implementation of real data security measures is still reactionary at best. To be sure, virtually everyone in every industry (including digital forensic consultants & bloggers) is responsible for some sort of sensitive data and bears responsibility for ethical data handling that goes beyond simple legal requirements. The Golden Rule applies across the board, no matter your industry and can be applied to data handling as well – Handle other’s data as you would handle your own.
In the end, ethics and integrity go hand-in-hand. Integrity means doing the right thing, even if no one is watching. So let’s all start taking the proactive measures required to handle sensitive data not just to the legal standard, but to high ethical standards worthy of the trust of our clients, customers and the public at-large.Author:
Patrick J. Siewert, SCERS, BCERT, LCE
Professional Digital Forensic Consulting, LLC
Based in Richmond, Virginia