Simon Says – Musings of a Technology CTO

For the last few weeks I’ve been traveling around the country presenting at our Security Innovation Alliance roadshow. It’s been great meeting and presenting alongside some of the 60+ companies who’ve chosen to integrate their security products into McAfee’s ePO platform. Looking at the portfolio it seems that soon it might actually be possible to service any IT security need through one pane-of-glass management interface.

One question that came from the audience during one of the sessions surprised me, as it wasn’t about IT at all. The question was “What laws apply to PII in printouts?”

Well, unfortunately the simple and unfortunate answer is – all of them.

Though you may not know, the Personally Identifiable Information (PII) laws apply to data however it is stored, and regardless of the format, be it on hard disks, USB sticks, printouts, or even if you carve it in hieroglyphics on stone tablets. If you loose track of the data, if there’s a remote possibility of disclosure to unauthorized people, if you can’t prove the data was protected, you have a duty in the eyes of these laws to disclose.

The conversation in the presentation was an interesting one – we were discussing >how much< data has to be lost before it poses a problem.

The answer again is harsh – it really doesn’t matter how much – any is enough.

Take the example of a printout of a 25,000 person list of SSN’s, names and addresses – If ‘lost’ you’d probably find it obvious that you have to tell all 25,000 people about the fact and offer them protection. The law’s pretty clear on this – for example HB1633 in Illinois or SB1386 in California. Of course ‘lost’ is a relative term. It doesn’t mean ‘found outside control’ as most people seem to think. It means exactly what it says – if you can’t lay your hands on it, and you can’t prove it was destroyed, the disclosure laws apply.

Again, harsh I know…

Let’s dig deeper. What about if the printout was only 5 peoples records from the 25,000 list? Seems less harmful doesn’t it? An interesting follow-up question unfortunately needs to be asked though – “so, do you know WHICH 5?”.

Of course if you do, then you’re golden – you need to tell 5 people you lost their PII. No big deal, and probably not newsworthy enough to get you into the press or a fine. But hold on – what if you don’t know which 5? It could have been any 5 from the master list?

Damn, now you’re back to square one – you need to tell (and upset) 24,995 people unnecessarily that you might have lost their PII, along with 5 that you actually did. Something those people, and the press are going to really love to hear.

I’ll not go through the example of 1 person – I think you get the idea now.

A key point I’m making here is that it’s important you track PII, and though above we’ve been talking about printouts, the same rules apply across the board, be it USB sticks, laptops, DVD’s, IM or email. If you can track the amount of lost PII data (even if you don’t prevent it), you stand a chance of only upsetting the exact people who’s PII you lost, not the larger list of potentials.

Of course putting technological measures, training, and policy in place to minimize the chance of loss in the first place is a great idea as well, but even if you don’t feel you’re ready to control data movement or your internal climate won’t allow for it, there are plenty of solutions from McAfee and others which will at least audit and record it.

Wouldn’t you at least feel happier knowing who’s data you lost, rather than guessing the worst case?