Misguided Security Managers

In the July / August edition of Infosecurity Magazine, there is a fairly interesting article on security matters, and differences, in the public and private sectors. I cant find this article online so you will have to trust me.

There is a quote in the article, from an “anonymous” security manager which sadly echoes comments I have heard right across the public sector, when public servants discuss the need to protect public privacy:

One senior manager at a local council – who ask not to be named – told infosecurity that he would rather be brought before the courts for an information security charge, than because a child or other vulnerable person has been harmed as a result of data not being shared.

(Here, I get visions of Reverend Lovejoy’s wife crying out “wont anyone think of the children”)

In the article this is presented as a dilemma public sector information security professionals face on a regular basis. My experience of said individuals supports this. It is very tabloid friendly. It is also complete nonsense that infuriates me to the point of wanting to choke the life out of the idiots who say it. (note for any future court action – this is purely imaginary, I am not really planning to kill anyone now or in the future)

There are so many things wrong with this it is hard to know where to start.

This person is paid to be a security manager. They are not a child protection professional. They are there to manage the security of the information that the public have entrusted to the council. Nothing else. If their job description means they have to ensure that vulnerable persons are safe in their homes, then I suspect there is something seriously wrong going on.

As a public servant, this “senior manager” is paid by the public, who you would rightly assume should have some expectation of his behaviour. Unless we’ve moved into some weird world where the vulnerable pay more for their services he has no right to unilaterally assume what laws he will follow and what laws he will break. He has no right or authority to compromise my privacy and personal data because he thinks that doing so 100,000 times might save one vulnerable person.

Equally this “manager” (sneer quotes intended) has no way of knowing if he is placing the safety of vulnerable people in further danger. Privacy laws and restrictions on how your personal data can be handled are there to protect everyone. Yes this includes criminals but it also includes vulnerable people. If this senior manager feels sending a copy of the addresses of everyone “at risk” to an agency across town would be helpful sharing of their data, what would he do if it got lost? What is his defence if his information security failures allow a predator to get the details of the vulnerable people he seeks to protect?

Equally importantly, what about those who only become vulnerable because of his lackadaisical attitude? This idea that passing private information and personal data is inherently a GOODTHING™© is insane. An otherwise fine person who has their home address details passed into the hands of a criminal becomes a vulnerable person. They have, through no fault of their own, become open to a vastly different threat – one they may not be prepared for. Is this acceptable behaviour for public servants? Imagine a serial rapist who gets hold of modified electoral roll data indicating addresses (and telephone numbers) of every house in the area where a single female lives. Would you be happy with the response that he would rather be in court over an Infosec case?

I suspect the real problem is that privacy and information security statutes don’t have enough teeth. If this senior manager was facing 20 years in jail for an infosec compromise, I am sure he would think differently. As it stands, nothing he does will get him properly punished in a court of law, so he must be talking about the court of public opinion. This is, sadly, so seriously misled by the tabloids that it is easy to see he would be hounded to the brink of suicide if it turned out he had withheld data that might have possibly prevented the death of a child. In a similar manner, if it turned out he had lost a disk containing the personal details of 250,000 people it would get, maybe, a few column inches.

To an extent this is our fault. We want easy to digest news. We ignore the mights and possibilities in the first instance, so we can get to the meat of saving the child. In the second case, its too technical, too distant and probably doesn’t affect “us” so we don’t really care about it. We, the public, are stupid.