All of the following is strictly a matter of opinion. I do not presume to convey anything more and more should not be implied by the reader.

I do not think that we are looking at this matter from the correct perspective.

In the US, at least, we see information related to an individual as belonging to the collector or aggregator of it. That is the general perspective of our laws. While a patient can get a copy of his x-ray, he cannot get a copy of the data maintained on him by the umbrella organization for health insurers.

In my opinion, ownership of information does not transfer, ever. In my opinion, ownership of information remains with the individual to whom it refers and is tendered to others only on the basis of a trust that is conditional on its safekeeping.

It is my considered opinion that any collector or aggregator of information about an individual is ethically responsible for maintaining that information inviolate. This applies whether they handle the material directly or contract with others for its handling. Even if they lose control of the data, they do not lose responsibility for its use. This is analogous to a gun owner who leaves loaded weapons in unlocked storage that are stolen from his home and later used in the commission of crimes. Even if his is not the finger that pulled the trigger, he is the one who provided the ammunition and the weapon.

My message would be: "If you cannot leap this hurdle, don't collect this information."

Right now information collectors and aggregators are free to leave the henhouse door open because they know a posse will be formed to get that rotten fox and because they know that they will be seen as the injured party, not the one causing the injury.

Under my government, once the posse has chased down that rotten fox, they would circle back to the farmhouse and chase down the person who left the door open and prosecute them as the accomplice of the fox. That's right: if you do a poor job of storing sensitive information you should get the same jail sentence (less thirty days) as the hacker. If the mechanism of the hack was (or should have been) previously known to you, you should get the same sentence as the hacker plus thirty days.

The responsibility for safeguarding information begins with the collector of it and extends equally to all subsequent possesors of it as they are the heirs of the original trust.

The principal of 'attractive nuisance' should apply here. A data store is an attractive nuisance in the sense that it challenges a hacker to overcome its hurdles the same as a backyard swimming pool invites a midnight dip. It is the responsibility of a swimming pool owner to take reasonable steps to safeguard it against predictable avenues of unauthorized use. It should be the responsibility of a data store custodian to do the same.

Those of whom the information is required have a reasonable expectation that their information will be adequately safeguarded by the requesting entity. They should have readily enforceable and significant recourse in the event their information is not adequately safeguarded since they often face significant exposure to harm from the release of this information to unknown third parties.

Can you say "identity theft"? I didn't see those HBS records that were exposed to public view, but I'd guess that they contained SSN's, DOB's, current addresses, names of family members and other revealing data that both the schools and their contractor were negligent in their handling of.

HBS and the other schools failed in their responsibility. The first, and deepest, breach of ethics was theirs because theirs was the breach that permitted the others to succeed. The 'hack' that succeeded (hardly worthy of the name) would have failed had ANY of the schools met their fiduciary responsibility to properly verify the security of their vendor.

So why are the prospective students being punished at all? Access to their records was made a matter of public information through the negligence of others. The students' trust was betrayed.

Apparently those applicants who looked at their own records were examining information that applied only to them. These records ought to have been secured against casual snooping. The injured party was not HBS, it was the applicant whose information was thus made, however inadvertantly, publicly available.

HBS is punishing the applicants for its own failure. There is a principle that states that engaging in an activity implies a knowledge of the rules pertaining to that activity (such as driving a car) and a willingness to abide by those rules.

HBS knows, or should have known, that data held in publicly accessible computers is open to attack and was therefore responsible for making the material subject to the attack.

HBS is clearly out of its league if it cannot keep confidential information confidential against totally unsophisticated attacks or hire others competent to do so and it misled the applicants about this ability when it accepted their trust during the submission of the information.

Apparently the responsibility to safeguard information placed in trust needs to be codified into law because it is otherwise widely dishonored and it needs to be applied across the board without any exception or exemption.

Information is power. Information about an individual is power over that individual.

HBS, etc, through sloppy data handling processes, gave power over the individuals who had trusted it over to un-named third parties of unknown intentions.

THERE'S the real crime.

I hate to temper the impact of these strongly held opinions with this repeat notice, but I want to make unequivocally clear that I am not in a position of authority nor do I have professional training in this matter and thus my opinions carry exactly NO weight in this matter.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/309/31184#31184