Who is Responsible for Security?

On September 30, 2011, SANS Institute NewsBites reported the following story:

--European Union to Introduce Liability Rules for Cloud Vendors (September 28 & 29, 2011) The European Union (EU) plans to introduce the "Binding Safe Processor Rules," which would hold vendors of cloud services in the EU liable for data security breaches. Vendors would sign up for what amounts to an accreditation. Consumers are likely to feel safer doing business with a company that is willing to stand behind its services. The rules are an update to the Data Protection Directive. The companies will be required to demonstrate their compliance with certain data protection standards for approval under the rules. Current law holds data owners responsible for data loss.

They cited two sources, SC Magazine and V3.co.UK, The Frontline.

http://www.scmagazine.com.au/News/275173,eu-cloud-vendors-liable-for-breaches.aspx

http://www.v3.co.uk/v3-uk/the-frontline-blog/2112906/eu-rules-allow-cloud-companies-legally-customer

The NewsBites editor added the following comment by me.

[Editor's Note (Murray): The devil is in the details and the rules may be helpful. However, the idea that one can transfer the responsibility for protecting the data from the owner to the custodian by fiat, or any other way, is absurd on its face. The decisions about protecting the data cannot be separated from the decisions about collecting it and using it.]

While I confess I misread the details, they are where the devil is hiding. It turns out that this rule is nothing like it sounds either in its name or in this report. Instead it was sought by Amazon, Google, and others to say that EU enterprises may rely for security of their data upon service providers that are certified by an EU country as complying with these rules and without regard to location. It is a response, in part, to the fact that Europeans will not do business with US service providers because they are subject to the USA Patriot Act. They are concerned that they would be accused of improper reliance. The EU has never been happy with the idea of data on Europeans being stored in the US.

This week NewsBites reported this story:

--Stanford Hospital Pins Breach Responsibility on Third-Party Billing Contractor (October 6, 2011) Stanford Hospital & Clinics says that a data security breach that compromised the personal information of 20,000 patients is the fault of a third-party contractor. One of the patients filed a US $20 million lawsuit against Stanford following the breach disclosure last month. The data were exposed because a spreadsheet handled by a billing contractor somehow was posted to a student homework help website. The compromised information includes names, diagnosis codes and admission and discharge dates.

http://www.computerworld.com/s/article/9220626/Stanford_Hospital_blames_contractor_for_data_breach?taxonomyId=17

Now, I have to tell you, the Hospital tells a really great tale. Mind you, it does not excuse them for the breach. However it might have confused a jury if they had not attempted it to try it out in the media first.

Seems they turned the data over to a collection service, MCSC, in encrypted form. This is allowed under HIPAA rules but requires that they have security of the data as part of their agreement with the service provider.

Needless to say the collection agency, MCSC, decrypted the data. It converted it to a spread-sheet before turning it over to an "unauthorized" third party, This third party posted it, as an attachment to a request for assistance, to a site called Student of Fortune where it remained for a year. Student of Fortune is a site where students can solicit assistance with their homework assignments. It seems this third party wanted assistance with a graphical representation of the data in the spreadsheet. It would probably be unfair for one to infer that someone familiar with such a site is a recent student. There must be some truth here. You can't make this stuff up.

It seems clear that there is plenty of blame to go around here. However, the question is not blame but responsibility, ethical, legal, financial, and otherwise.

Public and private enterprises are increasingly relying upon contractors and other enterprises, "partners," to carry out duties and responsibilities that historically have been performed by employees and within the enterprise. Therefore, it is timely to revisit the question of responsibility.

Both of these stories suggest that the responsibility rests with the custodians of the data, The first story suggests that the responsibility can be assigned to the custodian by order of the state or the consent of the custodian. The second suggests that the responsibility moves with the data.

Ultimately, the legal questions raised by these stories will be decided by courts. I can hardly wait. I am a great fan of court records and decisions. While subject to error, they are much more reliable than the statements of the parties.

In Information Assurance, we have traditionally assigned protection duties and responsibilities in terms of roles, i.e., management, staff, owners, custodians, and users. We have argued that, by definition and default, the responsibility to protect the data rests with the "owner," the manager responsible for all the decisions about the data.

For example, the owner makes the decision to collect and store the data. The owner, again by definition, makes the decisions about who can use the data. The owner makes the decision as to the sensitivity of the data, how much to spend on protection and how much risk to accept. The owner's responsibility includes communicating these decisions to custodians and users.

It is difficult to see how this control and discretion can be separated from the responsibility for its exercise.

Our colleague, Bob Johnston, likes to argue that "When entrusted to process, you are obligated to safeguard." However, as a custodian I would respond by asking how much and at whose expense? Clearly a custodian would not want to spend more than the owner would and would expect to be reimbursed or compensated for what he does spend.

What is really at issue here is how we identify and select custodians, describe their duties, compensate them for those duties, what penalties they must pay for breach of those duties, and to whom. Obviously, this begins with negotiations between the owner and the custodian. I will continue to argue, both as matters of definition and practicality, that the responsibility for the results, the success, of those negotiations must start and end with the owner.

As a matter of law and good public policy, we want the responsibility in the same hands as the discretion. The alternative would permit the owner to pick the low cost service provider and then escape responsibility for any consequences. One might call that moral hazard.

Service providers are in the role of custodians of the data. Their duty is to the owner of the data, the party that pays them, not to the subjects of the data. They must be diligent in the execution of the duties that they have agreed to and for which, in part, they are being paid.

Stanford Hospital had a duty to their patients to protect the data. That duty did not go down when, for their own convenience and efficiency, they decided to give a copy to another party, a party of their choice. That they encrypted it for purpose of transfer, did not protect it from that agency, to whom they also gave the key. The agency's duty was to Stanford Health, to protect the data in accordance with their agreement, the provisions of which we are left to guess. While it is unlikely that Stanford Hospital specifically contemplated the possibility that MCSC would give a copy to a contractor, their agreement should have resisted it.

One might argue that as a collection agency, the agency owed a duty to the subjects of the data. However, it would be hard to argue that that duty relieved Stanford Health of its responsibility..

As security staff, some for the owners, some for the custodians, our role is to assist the business managers and lawyers in expressing the security requirements in such a way that all parties understand their duties and are likely to discharge them in manner that will produce the intended results. Our job does not stop there; we must go on to measure and report the results, note variances from the expected and intended, and recommend timely corrective action on a timely basis. "Timely" is before, rather than after, any breach. To the extent that this is difficult, we are called professionals and are paid the big bucks.