The Digital Trust Imperative: The Data Bare Minimum Is Not Enough

Author: K. Brian Kelley, CISA, CDPSE, CSPO, MCSE, SECURITY+
Date Published: 1 March 2024

I’m admittedly a “data guy.” After having worked with databases—and data—for several decades now, I am wary of how much information various organizations have on me and those I care about. Some I absolutely don’t trust with my data; those, I avoid doing business with. There’s that word again: trust. In the digital trust ecosystem, how an organization handles its data, especially sensitive data or personally identifiable information (PII), impacts the trust others have in it.

An organization or individual may ask any number of questions when considering building a business relationship with another entity. Is the other party merely doing the minimum to protect data, or is it making an additional effort by putting extra controls in place? How much data is the organization in question collecting, and does it really need all of that data? How does the organization handle data breaches? Is it forthcoming with the appropriate facts, such as who and what was affected? Or does it provide a single story and only later come out with other important details? If any of these answers are not up to par, then the organization in question may find customers taking their business elsewhere.

Doing Just Enough to Be Legal

There’s an understanding in information security, particularly surrounding data security, that if all an organization does to meet regulatory and legal requirements is the minimum, then there are going to be gaps in its security. Furthermore, if an organization has competitors willing to show that they go beyond the bare minimum, the organization doing just enough to be compliant is going to find it hard to compete. For instance, consider what Amazon publishes about Amazon Web Services (AWS): the lengthy lists of security standards it meets and certifications it possesses.1 Depending on the customer, some of those certifications and/or standards may be mandatory. In those cases, it’s not a question of trust; rather, the customer cannot lawfully choose to patronize the organization lacking the appropriate credentials.

But returning to the idea of doing just enough to meet compliance requirements (or just enough to be legal), if an organization is expending minimal effort with regard to data, the implication is that the organization is going to expend minimal effort in other areas of the business. When I think of all the services I might need from an organization (e.g., customer support), it’s hard to believe that the organization would willingly give more than the minimal effort, unless there was overwhelming evidence to the contrary. Even if there is proof that the organization goes above and beyond in all its endeavors, uncertainty still lingers. What is stopping the organization from sliding to the minimum in those areas? What do the areas I can’t see, such as data security, look like?

Data Security

Minimal effort isn’t sufficient when it comes to data security. The reality is that data security is hard. It’s especially difficult when workers require access to a particular set of data only at certain times, depending on a series of conditions. Developing a technical solution that grants access only under exactly those conditions may be impractical. As a result, many technical systems are configured to always grant access and rely on compensating controls, typically detective controls such as access logging and review, to determine after the fact when an employee has accessed data improperly.

For instance, consider healthcare systems. Nurses and doctors often need to look at patient health records within the system, especially if they are the ones tending to the patient during treatment. Given the urgency that may be required, especially during a medical emergency, we would expect the system to permit such access and provide an audit trail of who accessed what and at what time. Even when employees know such controls are in place, the data can still prove tempting.2
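The “always grant access, then audit” pattern described above is only as useful as the review that actually runs over the audit trail. The following is an added example, not code from this article or from any hospital system: a small Python detective control over a constructed JSON Lines access log, a constructed care-team roster and a constructed VIP flag (the log schema, user names, patient IDs, severity grades and the volume threshold are all assumptions). It flags chart access by staff not assigned to the patient, grades each finding by whether a break-glass reason was recorded and whether the record is flagged, and separately flags any user who opens an unusual number of unassigned charts, the browsing pattern that snooping tends to produce.

```python
"""Added example (not from the article): a detective control over a chart-access
audit trail for the "always grant access, then audit" pattern.

Everything here is constructed for illustration: the JSON Lines log format,
the care-team roster, the VIP flag, the user names, patient IDs and the
volume threshold are all assumptions, not any real system's schema.
"""
import json
from dataclasses import dataclass
from datetime import datetime

# Assumed roster: which staff are currently assigned to which patient.
CARE_TEAM = {
    "P1001": {"dr.lee", "rn.ortiz"},
    "P2002": {"dr.patel"},
}
# Assumed flag for records that get reviewed even when a reason is given.
VIP_PATIENTS = {"P2002"}

# Constructed sample audit log (JSON Lines). 'reason' is the optional
# break-glass justification the user typed when opening an unassigned chart.
SAMPLE_LOG = """\
{"ts":"2024-03-01T08:02:11Z","user":"rn.ortiz","patient_id":"P1001","action":"view"}
{"ts":"2024-03-01T08:15:40Z","user":"dr.kim","patient_id":"P1001","action":"view","reason":"ED consult"}
{"ts":"2024-03-01T09:01:05Z","user":"clerk.doe","patient_id":"P2002","action":"view"}
{"ts":"2024-03-01T09:03:22Z","user":"dr.kim","patient_id":"P2002","action":"view","reason":"code blue"}
{"ts":"2024-03-01T09:10:00Z","user":"dr.kim","patient_id":"P3003","action":"view"}
"""


@dataclass
class Finding:
    user: str
    patient_id: str  # "*" for per-user volume findings
    ts: datetime
    severity: str    # "low" | "medium" | "high"
    detail: str


def parse_audit_log(text):
    """Parse JSON Lines audit records; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # fromisoformat() does not accept a trailing 'Z' before Python 3.11
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return events


def review_access(events, care_team=CARE_TEAM, vip=VIP_PATIENTS, volume_threshold=3):
    """Return findings for accesses by staff not on the patient's care team.

    Grading: no break-glass reason -> high; reason given but flagged patient
    -> medium; reason given, unflagged patient -> low.  A user who opens at
    least `volume_threshold` distinct unassigned charts also gets a high
    volume finding, since browsing many charts is the snooping signature.
    """
    findings = []
    unassigned_by_user = {}
    for e in events:
        if e["user"] in care_team.get(e["patient_id"], set()):
            continue  # expected access; nothing to review
        unassigned_by_user.setdefault(e["user"], set()).add(e["patient_id"])
        reason = e.get("reason", "").strip()
        if not reason:
            sev, detail = "high", "unassigned staff opened chart with no break-glass reason"
        elif e["patient_id"] in vip:
            sev, detail = "medium", f"unassigned staff opened flagged chart; reason: {reason!r}"
        else:
            sev, detail = "low", f"unassigned staff, break-glass reason: {reason!r}"
        findings.append(Finding(e["user"], e["patient_id"], e["ts"], sev, detail))

    last_ts = max((e["ts"] for e in events), default=None)
    for user, patients in sorted(unassigned_by_user.items()):
        if len(patients) >= volume_threshold:
            findings.append(Finding(user, "*", last_ts, "high",
                                    f"opened {len(patients)} distinct unassigned charts"))
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'low': 1, 'high': 3, 'medium': 1}."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in review_access(parse_audit_log(SAMPLE_LOG)):
        print(f.ts.isoformat(), f.severity.upper(), f.user, f.patient_id, f.detail)
```

Run as written, the review produces one low, one medium and three high findings from the five constructed records: the clerk who opened a flagged chart with no reason, the physician who opened an unknown patient's chart with no reason, and the same physician for opening three unassigned charts in one morning. The point is the design, not the thresholds: the preventive control stays permissive so care is never blocked, and the detective control is what turns the audit trail into something a privacy officer can act on.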

However, even with proper auditing in place, organizations can still be subjected to fines. For instance, the Ronald Reagan University of California–Los Angeles (UCLA) Medical Center incurred fines from the US State of California when employees improperly accessed music artist Michael Jackson’s medical records.3 The fines were issued despite the fact that the hospital self-reported the violations. UCLA, for its part, decided to accept the fines.

In short, data security is a critical part of digital trust. If an organization fails to handle data securely, it will lose the trust of its customers, and that can have a direct impact on whether or not they will continue to do business with said organization. Keep in mind that poor data security does not always lead to data breaches as they are commonly understood (i.e., when data leaves the organization and is transported to an external entity). In UCLA’s case, the data was accessed by employees, so it stayed within the organization. However, would you want to do business with an organization where employees who should not be able to see your data could do so, especially if there had been occurrences where employees abused their access to view data that they should not have? Perhaps not.

More Data = More Data Security

Back when I was in the military, there was a special project that took a few weeks to complete and required additional security. The project took up a handful of rooms in a much larger building. There were two ways to approach its security requirements: Implement additional security measures throughout the building or solely around the rooms where the work was being done. Logically, the latter is the better option, as it requires fewer personnel. Also, the area to protect was significantly smaller, meaning it would be harder to slip in without detection. So, that’s what was done: Guards were assigned to the specific area where the work was being performed.

Think of protecting data like protecting physical space. The more data an organization has, the more space it is responsible for protecting, especially if the data is sensitive or considered PII. From a work perspective, collecting only what’s needed is a good idea because it reduces the amount that needs protecting. This raises a critical question: Exactly what data is considered necessary to the organization? And that’s where things get murky.

Only Enough Data

I would argue that organizations need only the bare minimum of my data to do business with me. However, data is valuable. If the organization wants to use the data for other reasons, especially if it is looking to sell data, the organization will likely conclude that it should collect more data than I want it to collect. It comes down to the ethics of the organization and how it wants to do business. How bad can it be? In 2023, security.org ranked big tech companies by how much data they collect. Google was considered the worst (i.e., it collected the most data) and Apple was ranked the best.4

Why is Google the worst? Google’s entire business model is based on data. From targeting ads to training artificial intelligence (AI) models, Google needs data, and lots of it. Apple, on the other hand, is primarily a hardware company. As a result, Apple only stores what it needs to maintain customer accounts. Competitors know the score. For instance, the search engine DuckDuckGo has run ads encouraging customers to switch over from Google because of all the data that Google collects. DuckDuckGo knows that the facts support the ads it is running. DuckDuckGo is not touting itself as a superior product so much as it is attacking the trust people have in Google. Along the same lines, DuckDuckGo personnel have testified to how default settings keep Google in the driver’s seat.5 Therefore, people are not going to switch search engines on a whim. DuckDuckGo has to make its case to potential consumers that they should not trust Google. If DuckDuckGo is able to do that, then and only then will it impact Google’s bottom line. It is possible that a government entity will rule against Google and order some change, such as what happened in United States v. Microsoft,6 but short of that, DuckDuckGo wins by causing a loss of trust in Google.

The (Data) Golden Rule

When it comes to data and digital trust, organizations and the decision makers within those organizations should handle data the way they would want someone else to handle their data. This is reminiscent of the Golden Rule: “Treat others how you want to be treated.”7 Organizations that fail to do so will see an impact on their reputations and the trust others have in them. This ultimately will affect their performance in the ecosystem. Organizations that do the bare minimum, have issues with data security, or are found to collect too much data not only face business loss, but could also face fines and penalties, as in the case of UCLA. Casting doubt on the ethics and trustworthiness of one’s competition is a tried-and-true tactic, especially in the political arena. Used correctly, it can increase vote share.8 The same can happen within the digital ecosystem. The message is clear: Handle data improperly and face the consequences.

Endnotes

1 Amazon, “AWS Compliance,” http://aws.amazon.com/compliance/
2 Ornstein, C.; “Celebrities’ Medical Records Tempt Hospital Workers to Snoop,” NPR, 10 December 2015, http://www.npr.org/sections/health-shots/2015/12/10/458939656/celebrities-medical-records-tempt-hospital-workers-to-snoop
3 Hennessy-Fiske, M.; “UCLA Hospital Fined Over Privacy Breaches That Sources Say Involve Michael Jackson’s Records,” LA Times, 11 June 2010, http://www.latimes.com/archives/la-xpm-2010-jun-11-la-me-ucla-privacy-20100611-story.html
4 Vigderman, A.; G. Turner; “The Data Big Tech Companies Have on You,” Security.org, 12 October 2023, http://www.security.org/resources/data-tech-companies-have/
5 Wiseman, P.; M. Liedtke; The Associated Press; “DuckDuckGo CEO Says Google Kills Competition Through Phone Deals That Make it Hard for Users to Switch Search Engines: ‘It’s Too Many Steps’,” Fortune, 21 September 2023, http://fortune.com/2023/09/21/duckduckgo-google-competition-lawsuit/
6 CFI Team; “Microsoft Antitrust Case,” Corporate Finance Institute (CFI), http://corporatefinanceinstitute.com/resources/management/microsoft-antitrust-case/
7 Editors of Encyclopaedia Britannica; “Golden Rule,” Britannica, http://www.britannica.com/topic/Golden-Rule
8 Gordon, B.; M.J. Lovett; B. Luo; et al.; “How Much Do Campaign Ads Matter?,” Kellogg School of Management at Northwestern University (Illinois, USA), 1 November 2021, http://insight.kellogg.northwestern.edu/article/how-much-do-campaign-ads-matter

K. BRIAN KELLEY | CISA, CDPSE, CSPO, MCSE, SECURITY+

Is an author and columnist focusing primarily on Microsoft SQL Server and Windows security. He currently serves as a data architect and an independent infrastructure/security architect concentrating on Active Directory, SQL Server, and Windows Server. He has served in a myriad of other positions, including senior database administrator, data warehouse architect, web developer, incident response team lead, and project manager. Kelley has spoken at 24 Hours of PASS, IT/Dev Connections, SQLConnections, the TechnoSecurity and Forensics Investigation Conference, the IT GRC Forum, SyntaxCon, and at various SQL Saturdays, Code Camps, and user groups.