Why Personal Data Continues to Leak

The other day, Minnumer proposed fining companies up to 3% of annual turnover for leaking personal data. From the outside, three percent seems like a trifle, but in reality it is as if an ordinary employee were fined several months' salary, which is incredibly painful.

A personal data leak is when a pizzeria's customer database, listing customers' numbers and addresses, ends up on the Internet, or when the same happens to an entertainment site's commenter database that contains unencrypted passwords in addition to login addresses.

If companies are seriously punished for leaks, I think the problem will be solved quickly. From a technical point of view, minimizing leaks is easy. There is one reason why data leaks so often: corporations don't give a damn about protecting customer data. So a company with billions in turnover leaks the data of a million customers. So it gets fined 100 thousand rubles for this. And what? It's cheaper to pay such fines every month than to add even one DevOps engineer to the staff, let alone give him enough authority to work.

Here are a few of my thoughts on data protection – what could be done and what is not done so far.

  1. All the bureaucracy around customer consent to the processing of personal data should be abolished. Its benefit is zero point zero, and the harm is quite substantial. First, filling out all these agreements takes an invaluable resource: time. Nationwide, millions of man-hours are spent on stupid forms.

For reference, a year consists of 2,000 working hours, and the entire career of an ordinary person of 70,000 working hours. If we spend 7 million man-hours nationwide on consent forms every year, it's as if we cut off hundreds of students' hands every year, depriving them of the opportunity to work productively. Stealing time is a huge, little-understood harm.

In addition, collecting customer data is normal practice: a responsible business is directly obliged to study its clientele to better meet their needs. If the chef in the pizzeria sees the note «Rudolf Glujorin needs a double portion of cheese», there is no harm. The problem is not that the chef sees the note, but that the manager of the pizzeria leaks the database to hackers for 15 thousand rubles, and then all the data collected about Rudolf ends up in public access.

  2. I will continue the example with the pizza and the chef. The chef does not need to see Rudolf's name and address. The courier doesn't need to see Rudolf's last name and taste preferences. The support manager only needs to see the part of Rudolf's data that relates to the problem Rudolf is calling about. Nobody should see Rudolf's password at all; it is enough to store it in protected form (as a salted hash).

This is called «access rights demarcation» (access control), and security professionals have known how to set it up since ancient times, when not only computers but even mechanical clocks had not yet been invented.

Yes, setting up access rights takes time and effort, so it is easier to give everyone full rights. But given even minimal motivation, corporations can surely set up access rights so that everyone sees only the narrow area they need.

  3. More on narrow areas. Let's say the pizzeria chain has 200 restaurants across the country. It can store all customer data locally, separately for each restaurant. Then, in the worst case, only the data on clients from Belogorsk can be stolen from the office in Belogorsk. And if a client from Belogorsk goes on vacation, for example, to Chernogorsk, an automatic request can be sent from there to Belogorsk: please hand over the data you store on such-and-such a client. If more than five requests a week arrive from Chernogorsk, an alarm bell will ring at the security service, and it will start checking manually whether hackers are trying to pull the database out remotely.
  4. Another option, also a workable one: a well-protected database in a bunker near Moscow, which gives out customer data piece by piece. Say a courier works in Zadonsk and delivers 30 pizzas a day. Each time he receives an order, he queries the central database, which gives him personally the address and first name (not surname) of that particular customer. At the same time, the database records that this courier was given this data.

Stealing the database under this scheme is difficult, as neither the courier, nor the managers, nor the cooks have access to the database as a whole; they receive data piece by piece, as needed. Each data release is recorded, and if the data later surfaces among hackers, it is easy to work out: yes, these are the names requested by a tech support worker from such-and-such a city, so he must be the one who leaked them.
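The per-role views from the pizzeria example and the piece-by-piece release with an audit trail can be sketched together. This is an added example, not code from the original post; the class, the role map, the employee names and the sample records are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data and role map; every name here is hypothetical.
CUSTOMERS = {
    101: {"first_name": "Rudolf", "last_name": "Glujorin",
          "address": "1 Sample St, Zadonsk", "note": "double cheese"},
    102: {"first_name": "Anna", "last_name": "Example",
          "address": "2 Sample St, Zadonsk", "note": "no onions"},
}
ROLE_FIELDS = {
    "chef": {"note"},                      # no name, no address
    "courier": {"first_name", "address"},  # no surname, no preferences
}

class RecordBroker:
    """Central store that hands out one record at a time and logs each release."""

    def __init__(self, customers, role_fields):
        self._customers = customers
        self._role_fields = role_fields
        self.audit_log = []  # (employee, role, customer_id, fields) per release

    def release(self, employee, role, customer_id):
        allowed = self._role_fields.get(role)
        if allowed is None:  # unknown roles get nothing (default deny)
            raise PermissionError(f"role {role!r} has no access")
        record = self._customers[customer_id]
        view = {k: v for k, v in record.items() if k in allowed}
        self.audit_log.append((employee, role, customer_id, tuple(sorted(view))))
        return view

    def trace_leak(self, leaked_ids, leaked_fields):
        """Rank employees by how many leaked records they received with those fields."""
        hits = defaultdict(set)
        for employee, _role, cid, fields in self.audit_log:
            if cid in leaked_ids and set(leaked_fields) <= set(fields):
                hits[employee].add(cid)
        return sorted(((e, len(c)) for e, c in hits.items()),
                      key=lambda pair: (-pair[1], pair[0]))

def demo():
    broker = RecordBroker(CUSTOMERS, ROLE_FIELDS)
    broker.release("chef_ivan", "chef", 101)
    broker.release("courier_oleg", "courier", 101)
    broker.release("courier_oleg", "courier", 102)
    broker.release("courier_pyotr", "courier", 102)
    # A dump with the addresses of both customers surfaces: who received both?
    return broker.trace_leak({101, 102}, {"address"})
```

The ranking narrows the investigation to the accounts that actually received the leaked fields; it does not by itself prove who leaked them, since an account can be shared or compromised.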

  5. There are other proven ways to protect data technically – any information security specialist can spend hours talking about simple, cheap and effective server defense recipes.

However, there is also a human factor. Right now there is virtually no punishment for leaking a database on the side. This is not fair, as personal data leaks harm millions of people, as if intruders were pouring cholera bacilli into the city's water supply. It would be right if the penalty for leaking official data corresponded to the crime, that is, a few years of actual imprisonment.

In the same pizzeria there are cashiers, and in the cash registers there is cash. Theoretically, any cashier can take 100 thousand rubles out of the register and put it in his pocket. However, such cases are rare, as everyone understands: they will search, find and put you in prison. When stealing data, clerks have nothing to worry about. Even if they are sought and found, they risk a reprimand or dismissal, nothing more.

Corporations are great at lobbying for laws. Let me remind you that just this year, corporations lobbied through a monstrous law to destroy the small jewelry business, thus inflicting on the Russian business climate perhaps the most serious one-off damage in the last 10 years.

It is clear that with such opportunities, it will not be difficult for corporations to lobby for changes to the Criminal Code to make the punishment for data theft commensurate with the gravity of the crime. Once again, they don’t do this for exactly one reason – they don’t care about leaks of customer data.

Thus, if Minnumer succeeds in forcing corporations to pay fines, corporations will solve the leak problem very quickly, and within a year or two leaks will almost stop.

As for the paperwork, I don't see any light at the end of the tunnel. The state will start to fight bureaucracy seriously only after society has learned to value its time. So far, we are bad at this: an unfair fine of 100 rubles causes an outbreak of noble fury, while excessive bureaucracy that steals 20 hours of personal time is perceived as a minor and unavoidable inconvenience.
