Data never dies, and we’ve already told the aliens where we are…
Nobody really knows what the long-term effects of data loss are. The main differences between losing data and losing solid assets are:
- Data can be copied, or even broadcast, instantaneously to many locations around the world. Once the bytes are out of the bag, you’ll never be able to round up all the copies. Just ask any celebrity who has had lies and slander written about them in the tabloids. You might get a retraction printed by the original source, but it’s too late.
- Public data often gets indexed for free. If it’s on a server connected to the Internet, there’s a good chance it will get indexed by Google or any one of the dozens of search engine crawlers. This means that it can be found by anyone, with the right search query.
You can start to get a feel for how common data breaches are becoming by scanning through the history at the Data Breach Blog of SC Magazine, the Breach Blog, or simply doing a search on terms like “data breach”, “breach disclosure”, or similar in places like Google News.
You might then notice that a large percentage of the breaches being reported these days are due to mobile copies of operational data that should not have left an Operations Zone unprotected. Whether it is via e-mail, laptop hard drive or USB memory drives, the result is usually the same:
- The organization does its civil duty by reporting the breach and being publicly humiliated (although not as humiliated as its clients)
- The organization announces that there is “No evidence of the personally identifiable information (PII) being misused for fraudulent purposes”… something they can only say until there IS evidence
- The organization announces that it is providing a year’s worth of “Identity Theft Insurance” to the affected victims as a consolation prize… that’s just great, assuming the data has only monetary value, as opposed to embarrassment value, competitive value, trust value, etc.
Sorry, but it’s too late at this point, and you will never know for sure if the data has been contained to the point that nobody can use it further. It’s like telling SETI to recall all the messages we’ve been sending into outer space to announce our existence and location on planet earth (the ultimate PII). If there are bad aliens out there, they are going to find out about us now for sure.
Well, let’s get back to worrying about things we CAN do something about. We need to get organizations that handle our personal data to take this data persistence problem seriously. That means making sure they have policies for how they are going to PREVENT data loss before it happens. It means imposing tough love on all the sales, marketing and finance people (everybody, really) who feel they are immune to operational procedures for protecting data because their project is “special”. Sadly, this even includes the IT Department, which probably feels most entitled to be exempt from the rules, but needs to set the example more than anyone.
The penalties should actually be so great that employees and contractors should not want to be in the position of having to carry any kind of PII out of their secure office building without it being encrypted.
So, the next time you’re copying data from an office computer onto your USB memory stick, think about what will happen to it if anyone else gets their hands on it. In fact, think about the data that’s on your USB memory stick RIGHT NOW. Do you know where it is? Do you know what you and your organization, not to mention your customers, will have to go through if it gets into the wrong hands, or even gets out of your possession for a moment?
You might be able to tell the jury to disregard the evidence, but they probably won’t.