Posts Tagged ‘data management’

Data breach. Who is responsible?

Tuesday, December 16th, 2008


Ultimately, the CEO of the company which is the source of the breach is responsible. This may or may not seem fair depending on the actual situation, but it holds nearly regardless of circumstances.

Others may be culpable, such as staff with data backup responsibilities, outsource companies involved in data management functions, perpetrators who deliberately sought to cause a breach and even victims who failed to take adequate responsibility for their own data.

None of this, however, dilutes the CEO's culpability to the point of immunity. Very large businesses tend to suffer less in the form of sanctions as a consequence of a data breach, due to caps on fines. A one million dollar fine will have limited consequences for a worldwide corporation but will close most small businesses.

Very large organisations also tend to suffer less from the publicity surrounding a breach. News of financial institutions suffering data breaches does the rounds daily and seems to have little effect on consumer choice. When a small business suffers data breach publicity, clients move, and that publicity, regardless of the limited scope of press attention on small business, is not something a small business recovers from easily.

So, if you are in charge of the business then you are responsible for a data breach. Any post-breach defence by you based on your own limited or zero involvement in the data management function can be taken as confirmation that you failed utterly in your role as CEO to ensure your organisation took adequate measures to protect client information.

So, what should you do? Post-breach you are looking at damage limitation, which in reality is likely to be little more than managing the negative PR and taking legal advice to protect you from state and industry sanction, criminalisation and civil action by breach victims. None of this is pleasant. So, let’s avoid it. Take the pre-breach action.

Pre-data-breach action for responsible small business managers.
Why is this section called pre-data-breach and not data breach prevention?
First off, there is no absolute data breach prevention technique. Data management is a process, not a task. Anyone can suffer a breach. Your job is to ensure your organisation takes adequate steps which bring real improvement and provable risk reduction to your data processes. If you do this and subsequently suffer a breach, you will be able to demonstrate that you took your responsibilities seriously and made every reasonable effort to protect your data and the third-party data you store.

The following is a general approach which is appropriate to most small businesses. It is, however, no substitute for situation-specific legal advice. The purpose of this article is to provide the stimulus for you to take action from a point in time. Nothing in this article is a substitute for situation-specific I.T. and legal advice, and it makes no allowance for industries which are subject to specific industry or Government legislation or regulation.

1. Appoint a data protection officer. This may be you or another member of staff. In a very small business this may be one of many roles the appointed person has.
2. Draw up a data confidentiality, privacy and process permissions document which staff and outsource providers involved in processing your data should sign.
3. Ensure any remote connection sessions are used only with adequate reason, with full per-session permission and with session recording.
4. Ensure you are not storing information which you do not have the right to retain, such as information about applicants you do not employ or do business with, or marketing campaign information which is no longer needed.
5. Ensure you have an adequate, managed and verified data backup system.
6. Employ encryption on laptops or workstations which will be used outside the office.
7. Employ a password management system which ensures you use strong passwords and that these are changed at set periods and when an authorised user leaves the company or an outsource contract ends.
8. Implement a sensible and manageable internet and email user policy document which limits risk without reducing efficiency and which is enforceable.
9. Add data protection to the recruitment process to ensure any new staff have respect for data and can apply their skills without increasing breach risk.
10. Write up a post-breach document which outlines those you should contact in the event of a breach, such as management, the company solicitors, the data protection commissioner, affected people and organisations, and industry umbrella groups.
11. Revisit your data protection processes frequently and apply new methods and technologies to the process as expert advice recommends.

The above is not intended to be seen as a complete data protection system; it is a starting point. Data protection is a moving process which will change over time. The function of data protection processes is to protect data over time. The consequence is to offer protection to all genuine interested parties, both from a breach and from the potential consequences should a breach occur.

You can be responsible for one of two things.
1. Not taking adequate protection.
2. Taking adequate protection.

Breach or no breach you want to be in the latter category.

House of Commons data debate 12 November

Thursday, November 13th, 2008


This House of Commons debate is quite fresh, being dated 12 November 2008.

I follow UK blogs and Irish blogs. A few clicks away from a regular UK site I read I found the following.

Want to have your say in a House of Commons debate on data management? The one I am following deals specifically with not only the Government's handling of data but their subsequent handling of the situation arising from handling data badly. The opposition may have ulterior motives, but this aside they are good at voicing public concern when it suits.

You can have a read and even join in this House of Commons data debate. You can even have your say. If your comment picks up enough following you may even end up influencing Government action. OK, that may be unlikely, but it is a possibility. Your post could at least tutor the opposition.

This is a far cry from watching the Irish Government dilly-dally late at night and hours after the event with one-way communications only. Maybe someone will post explaining that a similar Irish service is running. That would be nice.

All in all, the UK Government are being forced to take data (privacy, responsibility and legislation) seriously and this has to be a good thing.

Some of the comments on the theyworkforyou site are also quite good and demonstrate a keen insight into the importance of data management by the British public.

The participants (mostly male) can be bitchy but with a surprising amount of hidden and readily available ammunition. David Heathcoat-Amory hits hard. Not the type of man you want outside the tent shouting in. Being a conservative he is about as far outside the tent as people have wanted the conservatives for quite some time. So, enlighten me. What Irish service along these lines have I been missing?

I follow a few Irish politics sites and their authors on Twitter, and despite a high standard I don’t know of anything with the time or resources to run at this standard.


Ask the data experts.

Tuesday, October 28th, 2008


New! (October 2008)

Following on from the continuing success of the “Who’s who in data” interview series, we have decided to let you ask the questions! Simply respond to this post using the standard comment option below and present your question in the comment. Provided the question is appropriate, we will publish it and put it to an expert from the “Who’s who in data” interview series. The expert asked will be chosen based on the relevance of their experience and expertise to your question and their willingness to answer. The chosen expert may therefore be from a past, present or yet-to-be-published interview.

The real benefit here is that information on this page will be provided in the order readers wish for it, rather than in the chronological interview order of the main “Who’s who in data” section.

Appropriate questions may be asked regarding any of the following.

Data protection, data management, data law, data backup, data security, data storage, data de-duplication, data technology, data privacy and, yes, you’ve got it: anything of relevance to the data industry.

Go ahead, all you have to do is ask! Click on comment and type your question.


Managing backup sets

Saturday, October 18th, 2008

Managing backup sets from a backup set viewpoint, rather than an overall backup viewpoint, is something which is not commonly considered. In many cases a single backup set is employed which, at a specific frequency and intended regularity, backs up the selected data.

A backup system can in fact utilise many backup sets. A data administrator may, for example, decide that the main backup set should run every weekday and a second backup set should run at the weekend. This can be implemented for a variety of reasons, as outlined here.

To prevent inordinate data quantities specific to one application from reducing the number of general backups which can be completed per week. All other data is backed up online nightly, whereas the application data which is too large to fit the nightly backup window is backed up at the weekend only.

To ensure that the most frequently run backup set contains the most important data, and that less frequently run backup sets, while offering fewer backup points or versions, have a greater chance of success.

To provide backup reporting specifically to interested parties, listing only the backups which relate to them and allowing the backup sets to be named in a manner which makes it obvious who the interested parties are. This option is often overlooked. An example would be an office where department “A” looks after accounts and department “B” looks after payroll. In a traditional backup system the online backup pertaining to both would be managed together and reporting would be directed to I.T. administration. More recent trends show that confidence, improved management and monitoring, and greater backup protection and utilisation may result from splitting these backups and reporting on a relevant-department basis rather than on an I.T. management basis.
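The weekday/weekend split and the per-department reporting described above, worked through as an added Python example; this is not code from the original post or from backupanytime, and the dataset sizes, departments, backup window, throughput and report recipient naming are all constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Dataset:
    name: str
    size_gb: float
    department: str   # the interested party for this data
    critical: bool    # must be in the most frequently run set

@dataclass
class BackupSet:
    name: str
    schedule: str     # "nightly" or "weekend"
    report_to: str    # recipient of this set's reports
    members: list = field(default_factory=list)

def plan_backup_sets(datasets, window_hours, throughput_gb_per_hour):
    """Split data into per-department nightly and weekend-only sets.
    Critical data always goes nightly; non-critical data is added smallest
    first, and whatever would push the nightly run past the backup window
    goes to a weekend-only set, so one oversized store cannot crowd out the rest."""
    capacity = window_hours * throughput_gb_per_hour   # GB movable per night
    sets, nightly_gb = {}, 0.0
    for ds in sorted(datasets, key=lambda d: (not d.critical, d.size_gb)):
        schedule = "nightly"
        if not ds.critical and nightly_gb + ds.size_gb > capacity:
            schedule = "weekend"
        key = f"{ds.department}-{schedule}"
        if key not in sets:
            # Recipient naming is a constructed convention, not a real mailbox.
            sets[key] = BackupSet(key, schedule, f"{ds.department.lower()}-backup-reports")
        sets[key].members.append(ds.name)
        if schedule == "nightly":
            nightly_gb += ds.size_gb
    return sets, nightly_gb

def reports_by_recipient(sets):
    """Group set names by recipient so each department sees only its own sets."""
    out = {}
    for bs in sets.values():
        out.setdefault(bs.report_to, []).append(bs.name)
    return out

# Constructed sample data: sizes and departments are illustrative only.
SAMPLE = [
    Dataset("Accounts ledger", 20, "Accounts", True),
    Dataset("Payroll database", 15, "Payroll", True),
    Dataset("CAD archive", 400, "Engineering", False),
    Dataset("Mail store", 60, "IT", False),
    Dataset("Shared documents", 30, "IT", False),
]
```

With an 8-hour window at 25 GB/hour the 400 GB CAD archive is the only dataset pushed to a weekend-only set, and each department's report lists only its own sets.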

The above examples may or may not be appropriate to your organisation. What is important is that people are aware of these options and are willing to explore them for the intended betterment of data management.

The purpose of this post is to alert people to the fact that the number of online backup sets, and the potential benefits of using more than one, are often overlooked. Also, and not necessarily of any less importance, are the benefits of using appropriate backup set names and reporting directions. There are few things in data management more important, and more mind-numbing, than taking notice of repetitive, generically named backup sets. If they are spread out so that the recipients are those with a direct stake in the data their reports relate to, this may give rise to more understanding, verification, issue alerting and report management.

If you would like some guidance on implementing additional backup sets, contact backupanytime in absolute confidence.

The backupanytime team.

Rob Cosgrove interview starts regular feature

Saturday, August 23rd, 2008

Following on the success of the interview with Rob Cosgrove from Remote Backup Systems we are going to run a regular feature of interviews with major figures in the data management industry.

Rob Cosgrove has made the job of finding candidates much easier than it would have been had he not made himself available for the first interview, so we intend to run one interview a week rather than the original plan of one a month.

We had a number of interviews lined up before Rob Cosgrove's interview, but we intended running the Remote Backup Systems interview first as Rob Cosgrove's company were the first to use remote backup. Indeed Rob is the founding father of the data backup industry.

A number of other possible candidates have contacted us since the interview. This will make life much easier for us as it appears (things could change) that we will not have to scour the world if they make contact with us first.

We do intend to keep the standard of interviewee very high and will if necessary reduce the number of interviews per month rather than the standard of interviewee. Again, this does not look like a likely requirement for the near future.

Already scheduled are Sekar Vembu of Vembu Technologies (confirmed he will participate and an intended date suggested, actual date not set yet) and Brian R. Bondy of VisionWorks for Friday 5th of September. Indeed Brian has recommended another very exciting possible candidate. I cannot name him yet as I do not have confirmation. Suffice to say Brian has a close working relationship with this person (from a different company) and has recommended him as a candidate for us to interview. We will provide more detail as, if or when this becomes appropriate.

Thanks again to all those who have contributed with regard to interviews, introductions, recommendations, typesetting and keeping within schedules.