Identity Exposure is an Architecture Failure

Today’s software story is on the front page of the day’s news: 

Monday, May 22, 2006; Posted: 5:46 p.m. EDT (21:46 GMT)

WASHINGTON (CNN) — Personal information on 26.5 million veterans was stolen from the home of a data analyst in what appears to have been a random burglary, Veterans Affairs Secretary Jim Nicholson said Monday.

The computer records include names, Social Security numbers and dates of birth, Nicholson said. The Department of Veterans Affairs disclosed the theft Monday and said it has seen no indication that the information has been misused.

The analyst took the data home without authorization, Nicholson said. Department spokesman Matt Burns said the employee has been put on administrative leave while the investigation is conducted.

What makes this a story about software? Exactly this: Why did the software architecture permit this personal data to be available to anyone in the VA?

I don’t work for the VA, but I can’t imagine any analysis that requires the exact personal identifying data of every veteran (and spouse of a veteran). Given the concerns and regulations applied to privacy these days, a proper data and software architecture should make all data anonymous. Period.

The analyst who took the data home is going to be punished. But the investigation should target those responsible for making the data available in the first place:

  • the Chief Architect, Solution Architect, Software Architect, or whatever title is given to the architect "in charge". It is the architect’s responsibility to recognize the importance of ensuring personal privacy of the veterans who are stakeholders in this system. The fact that the data could be combined and taken anywhere is an architectural failure.
  • the Data Architect or Information Architect. It is the data architect’s responsibility to place an "arm's-length" separation between personally identifiable information (PII) and the data that analysts actually work with.
  • the Security Architect. It is the security architect’s responsibility to block physical access to PII, applying firewalls, encryption and other means.

A well-architected software system would have made it impossible for the analyst to collect this data in any usable form. Okay, maybe not "impossible", but certainly hard enough to require something more than a routine lookup or download.
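The arm's-length separation the post calls for, as an added illustration (not code from the post or from the VA): the analyst-facing dataset carries only a keyed pseudonym and generalized attributes, while the mapping back to names, SSNs and dates of birth lives in a separate, access-controlled store. The records, the key and the field names are constructed for the example.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample records of the kind the post describes (hypothetical values, not real people).
VETERAN_RECORDS = [
    {"vet_id": 1001, "name": "Jane Doe", "ssn": "123-45-6789", "dob": "1970-03-14", "state": "VA", "rating": 30},
    {"vet_id": 1002, "name": "John Roe", "ssn": "987-65-4321", "dob": "1948-11-02", "state": "TX", "rating": 70},
    {"vet_id": 1003, "name": "Ann Poe", "ssn": "555-12-3456", "dob": "1985-07-30", "state": "VA", "rating": 10},
]
PII_FIELDS = {"name", "ssn", "dob"}   # direct identifiers that never leave the vault
AS_OF = date(2006, 5, 22)             # reference date for age banding (the article's date)

def pseudonym(vet_id, key):
    """Keyed token for a record; without the key it cannot be recomputed from the id."""
    return hmac.new(key, str(vet_id).encode(), hashlib.sha256).hexdigest()[:16]

def age_band(dob_iso, as_of=AS_OF):
    """Generalize an exact date of birth to a 10-year band such as '30-39'."""
    y, m, d = map(int, dob_iso.split("-"))
    age = as_of.year - y - ((as_of.month, as_of.day) < (m, d))
    lo = age // 10 * 10
    return f"{lo}-{lo + 9}"

def split_dataset(records, key):
    """Return (analysis_rows, pii_vault).

    analysis_rows: what an analyst may query or download: pseudonym plus generalized attributes.
    pii_vault: pseudonym -> direct identifiers, to be held in a separately controlled store.
    """
    analysis, vault = [], {}
    for rec in records:
        token = pseudonym(rec["vet_id"], key)
        vault[token] = {f: rec[f] for f in PII_FIELDS}
        row = {k: v for k, v in rec.items() if k not in PII_FIELDS and k != "vet_id"}
        row["token"] = token
        row["age_band"] = age_band(rec["dob"])
        analysis.append(row)
    return analysis, vault

def leaks_pii(rows):
    """Release gate: True if any analyst-facing row still carries a direct identifier."""
    return any(bool(PII_FIELDS & row.keys()) or "vet_id" in row for row in rows)
```

Running `leaks_pii()` as a gate on every export is the kind of control that turns "routine download" into something an analyst cannot do alone.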

Given the circumstances, it’s reasonable that the employee be "put on administrative leave". I would suggest, however, that the architects responsible for the definition, storage and security of the data should be put on leave as well, until the investigation is completed.
