Saturday, March 17, 2007

Data Integrity: The Emerging Risk to SOX Reporting, E-Discovery and Information Protection


The Privacy Subcommittee coordinated a broad expert panel of speakers who taught us something about the potential threats to businesses that depend on data and on how reliable that data is. A few photographs were used to demonstrate a visible kind of data integrity concern: the manipulation of photographs. We took a quick glance at some famous photo manipulations found on the Wired News site. Then Ted Claypoole showed us a few examples of his own manipulations, including the photo at top, which shows him as a member of a recent space shuttle team. (He's the Canadian team member on the top right, by the way. Not.)

Our moderator was Ted Claypoole of Womble Carlyle's Charlotte office. Panelists were Mary Ann Davidson, Chief Security Officer of Oracle Corporation; Francoise Gilbert of IT Law Group in Palo Alto; Paul Doyle of ProofSpace, Inc.; and John Tomaszewski, the Vice President of Policy and Compliance at TRUSTe, the online privacy advocacy and certification organization.

The photograph of the panel that I took early on in the session was pretty good, but somehow Lenny seems to have managed to get into the records and altered it. I am checking into the integrity concerns.

Skipping past the fun stuff, we moved on to discussing how these issues may affect real data. As we have learned in past discussions about data security, data integrity is often more a matter of tracking what has happened than of preventing that which probably cannot be prevented.

Of course, the panel first tried to define what it meant by data integrity, something we all want but cannot necessarily define. The panel did agree that access/security is not the same thing as integrity, and that improving integrity does not make the data any more (or less) useful, as Garbage In/Garbage Out still applies. The consensus seems to be that integrity is more a question of consistency and of the ability to link the data's state to a particular point in time.

The lawyers on the panel leaned toward the idea that showing that access had not happened would in turn be evidence of integrity (the thought being that if nobody was in the room, nobody could have changed it). The technologists felt that proof of access (or lack thereof) was not the point, since we need to focus on somehow comparing the facts at one point in time to the facts on hand today, which we purport to be the same as the ones put in the room.
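
The technologists' view, comparing a record's state at a known point in time with what is on hand today, can be sketched as a hash-chained ledger. This is an added example, not something shown by the panel or taken from any panelist's product; the function names, the ledger layout and the sample records are all constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # constructed starting value for the chain

def _digest(prev_seal, sealed_at, payload):
    # Canonical JSON so the same state always hashes to the same value.
    body = json.dumps({"prev": prev_seal, "sealed_at": sealed_at, "payload": payload},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def seal(ledger, payload, sealed_at):
    """Append payload, binding it to its timestamp and to the previous seal."""
    prev_seal = ledger[-1]["seal"] if ledger else GENESIS
    entry = {"prev": prev_seal, "sealed_at": sealed_at, "payload": payload}
    entry["seal"] = _digest(prev_seal, sealed_at, payload)
    ledger.append(entry)
    return entry["seal"]

def verify(ledger, trusted_head=None):
    """Return (True, None) if intact, else (False, index of first bad entry)."""
    prev_seal = GENESIS
    for i, e in enumerate(ledger):
        if e["prev"] != prev_seal or e["seal"] != _digest(e["prev"], e["sealed_at"], e["payload"]):
            return False, i
        prev_seal = e["seal"]
    # A head seal kept outside the system catches a ledger that was fully re-sealed.
    if trusted_head is not None and prev_seal != trusted_head:
        return False, len(ledger) - 1
    return True, None

def demo():
    ledger = []  # constructed sample records
    seal(ledger, {"account": "4010", "amount": "1250.00"}, "2007-03-01T09:00:00Z")
    seal(ledger, {"account": "4010", "amount": "310.75"}, "2007-03-02T09:00:00Z")
    head = seal(ledger, {"account": "5200", "amount": "89.10"}, "2007-03-03T09:00:00Z")
    intact = verify(ledger, head)
    ledger[1]["payload"]["amount"] = "910.75"  # silent edit; no access log consulted
    edited = verify(ledger, head)
    # Someone with write access recomputes every seal after the edit.
    for i in range(1, len(ledger)):
        ledger[i]["prev"] = ledger[i - 1]["seal"]
        ledger[i]["seal"] = _digest(ledger[i]["prev"], ledger[i]["sealed_at"], ledger[i]["payload"])
    resealed = verify(ledger, head), verify(ledger)
    return intact, edited, resealed

if __name__ == "__main__":
    print(demo())
```

The re-sealed ledger passes its own internal check and fails only against the head seal recorded elsewhere, which is why the point-in-time reference has to live outside the data it vouches for.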

The number of questions from the audience spoke well to the interest in the topic.

3 comments:

Rob said...

Hi Michael,

This is something I am very interested to find out more about, please keep me posted.

I am the Director of Product Management for a software company in Europe addressing data integrity requirements. I would love to speak to you about the current technology that is available and what more is required.

I agree 100% that integrity is not about restricting access and encrypting information, it is about verification that data is the same from one point to another, usually the point it is created until it is changed or destroyed. Proof of access is really a secondary requirement, more of use to the lawyers than to the technologists I would think, i.e. the security of the data needs to be applied to the data, and if a change is made, then the proof of access needs to be found to aid any investigation or consequences of falsifying data.

I would be very interested to hear more about your committee discussions and decisions made in US law as it will have a direct effect on what we are doing now and in the future.

Michael Fleming said...

Rob:

Thanks for your comment --

If I can focus on one point you make in particular (out of many good points), it's that need to distinguish 'security' from 'integrity.' There are some obvious affinities between the two topics, but they are no less different than the old concept my high school chemistry teacher pounded into our heads (To wit, 'precision' and 'accuracy' are not the same thing! They clearly interact with each other, but unless you understand the difference between them you'll never understand how they interact.).

In any event -- I would also commend your blog to our readers (hit the link on Rob's name above). I was just scanning through your comments on the TJX fiasco, and particularly the line about how somebody at TJX might have made a business case before the break-in had occurred. We face that problem on an almost daily basis, both as lawyers and as technologists, and you may be right that the only way to get the heads of the business to sit up and take notice is to point out the corpses in the fields after somebody else has made the mistake. (Long, exasperated sigh...)

Stay in touch -- We don't blog as often as you do, but we hope to keep up our networking between the interested members of the legal community and the tech community.

Rob said...

I most certainly will! Thanks for the comment on my blog too. If there are any other juicy stories you think I should be reporting, just let me know.

Rob.