This time it’s Anthem.

The good news about Anthem’s loss of 80 million customer records is that no personal health information was stolen. Were I an Anthem customer, I’m quite sure I’d be thinking to myself, “All the thieves can do is steal my identity. Thank heavens they didn’t find out what I’m allergic to!”

Look forward to the usual rehashing of what Anthem should and shouldn’t have done. KJR won’t pile on, because there’s really no point.

Forget that. Of course KJR will pile on because really, how am I supposed to resist the temptation?

And so:

In Anthem’s official statement on the subject its CEO, Joseph Swedish, described what happened as a “… highly sophisticated external data attack.” Some aspects of the attack probably were highly sophisticated. But it also turns out the stolen “personally identifiable information” (PII), including customers’ social security numbers, was not encrypted in Anthem’s databases.

While I’ve never claimed to be an authority in information security, I know enough to give this advice: Don’t make it easy.

This is why you lock your car. It won’t stymie a professional car thief. It will, however, keep it out of the hands of amateur joy-riders while making stealing someone else’s car the easier choice for the professionals, and, by the way, satisfy your insurance company.

Anthem’s defenders point out that, like many other companies, it has to connect its customers’ data to data in external sources, and especially data in government databases. The social security number is the only choice for JOINing data about individuals when you don’t control the data design.

To encrypt it or not to encrypt it, that is the question.

No, I won’t go all Hamlet on you. Here there’s only one answer: Encrypt.

At this stage of the game, there really is no excuse for any company to use social security numbers as the primary identification key for customer and employee records. Assigning a sequential or randomly-generated identification number when first creating a customer master record is routine. It isn’t “best practice.” It’s the minimum standard of basic professionalism.

This way, JOINing records from internal databases doesn’t have to rely on social security numbers, so the inconvenience and difficulties associated with encrypting social security numbers, as pointed out in a Wall Street Journal story on the subject, don’t apply to processing that involves no external data.

But medical information doesn’t stay within any single corporation. For both treatment and payment purposes, medical records, including insurance information, have to be shared externally, and right now the social security number is, in the United States, the single universal identification key.

Whether used by an insurance company to add external information to its internal records for analytics purposes, or used by healthcare providers to link medical records from multiple sources so as to improve treatment, at some point in the proceedings, unencrypted social security numbers have to make an appearance.

Security professionals, along with those of us who like to pretend to more sophistication in the field than we actually have, differentiate data in motion from data at rest. Anthem encrypted its data in motion but not its data at rest, on the theory that hardening its perimeter constituted sufficient protection of its information assets.

This gets it exactly backward. For several years now security professionals have understood that just about every major trend affecting systems and information access (in particular the rise of the cloud, more off-premises computing, and cyber-attackers’ increasing reliance on phishing attacks and Trojan horses) decreases the effectiveness of perimeter hardening and increases the importance of hardening assets.

When it comes to hardening information assets, encryption might not be the whole story but it certainly is the starting point. And JOINing two tables based on encrypted social security numbers isn’t all that hard. Properly authorized individuals can be given access to the decryption function, through which they can create temporary tables that have unencrypted social security numbers. They can use these tables for whatever analysis they like, destroying them as soon as they’re finished with them.
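Here is that arrangement as an added sketch (not Anthem's code or anything from the Wall Street Journal story), using Python's built-in SQLite: internal JOINs run on a surrogate customer ID, and only an authorized session gets a decryption function to build a temporary plaintext table, which is dropped afterward. The table names, the `authorized` flag and the sample rows are assumptions, and the HMAC-based cipher is a standard-library stand-in for a real one such as AES-GCM.

```python
import hashlib, hmac, os, sqlite3

KEY = os.urandom(32)  # demo key (assumption: in production it lives in a KMS/HSM)

def _xor_stream(key, nonce, data):
    # Stdlib-only stand-in cipher (HMAC-SHA256 keystream); use AES-GCM in practice.
    stream = b""
    for ctr in range(len(data) // 32 + 1):
        stream += hmac.new(key, nonce + bytes([ctr]), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def encrypt_ssn(ssn):
    nonce = os.urandom(16)  # fresh nonce, so equal SSNs give different ciphertexts
    return nonce + _xor_stream(KEY, nonce, ssn.encode())

def decrypt_ssn(blob):
    return _xor_stream(KEY, blob[:16], blob[16:]).decode()

def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE customer (customer_id INTEGER PRIMARY KEY, name TEXT, ssn_enc BLOB);
        CREATE TABLE claim (claim_id INTEGER PRIMARY KEY, customer_id INTEGER, amount REAL);
        CREATE TABLE external_feed (ssn TEXT, program TEXT);
        INSERT INTO claim VALUES (1, 1, 120.0), (2, 2, 75.5), (3, 1, 30.0);
        INSERT INTO external_feed VALUES ('000-00-0002', 'PROGRAM-B'), ('000-00-0009', 'PROGRAM-Z');
    """)
    # Constructed rows; SSNs with area number 000 are never issued.
    people = [(1, "Alice Example", "000-00-0001"), (2, "Bob Example", "000-00-0002")]
    db.executemany("INSERT INTO customer VALUES (?, ?, ?)",
                   [(cid, name, encrypt_ssn(ssn)) for cid, name, ssn in people])
    return db

def internal_totals(db):
    # Internal JOIN uses the surrogate key; no SSN and no decryption involved.
    return db.execute("""SELECT c.name, SUM(cl.amount) FROM customer c
                         JOIN claim cl USING (customer_id) GROUP BY c.customer_id
                         ORDER BY c.customer_id""").fetchall()

def external_match(db, authorized):
    if authorized:  # only authorized sessions get the decryption function
        db.create_function("decrypt_ssn", 1, decrypt_ssn)
    try:
        db.execute("""CREATE TEMP TABLE ssn_plain AS
                      SELECT customer_id, decrypt_ssn(ssn_enc) AS ssn FROM customer""")
        return db.execute("""SELECT c.name, e.program FROM ssn_plain p
                             JOIN customer c USING (customer_id)
                             JOIN external_feed e ON e.ssn = p.ssn""").fetchall()
    finally:
        db.execute("DROP TABLE IF EXISTS temp.ssn_plain")  # destroy plaintext copy
```

A session without the decryption function fails at the `CREATE TEMP TABLE` step, so a stolen copy of the `customer` table yields only ciphertext.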

But hard, I’ll bet, isn’t the issue. Here’s what is: Converting decades of accumulated reports, queries and other computing flotsam and jetsam, combined with organizational habits built up over the same span of decades, that all rely on having access to unencrypted PII.

Tracking them all down and replacing them with more-secure alternatives would cost a lot of time and money, with an unmeasurable payoff. It’s a risk management issue mentioned in this space from time to time: Successful prevention is indistinguishable from absence of risk.

Sadly for the Anthems of the world, failed prevention is not.

From the KJR mailbag regarding last week’s column on performance improvement plans (PIPs):

Hi Bob …

The only time I received a PIP, it was clearly to start building a documentation trail (your point about the recipient building his own trail cannot be over-emphasized) that would lead to my termination, ostensibly for cause.

My prior performance reviews had also been excellent. I continued to perform to the best of my abilities while conducting what little job search I could due to the enormous demands that the job placed on my time.

In due course, I was pulled into the resign-or-be-fired meeting and given 15 minutes to collect my personal effects and leave. The company subsequently fought my unemployment claim all the way to a judicial hearing (I won). Of course, the CEO said it was not personal. Of course, I did not (and do not to this day) believe her.

The story ends well. It prompted my move from Long Beach, CA to [current location], converting a long-distance relationship to one that ended in a fulfilling marriage. My journey led me to [employer name], where I have found meaningful work that has brought fulfillment.

Bob says: First, thanks for sharing your story. Second … of course it’s personal. Criticism might not be personal for the critic, but it’s always personal for the criticized, by definition. Beyond that, many managers don’t differentiate between “your performance is substandard” and “I don’t like you.”

Often, they’re yellers.

Third, you give me too much credit. You’re right that “my point about the recipient building an independent document trail cannot be overemphasized,” except for one thing: I neglected to say it. On behalf of everyone reading this, thanks for filling the gap.

* * *

Bob …

My experience is that PIPs are rigged against the employee. Their manager has already decided to fire them, but has to jump through legal hoops and have some “justification” so the company can’t be sued.

The best thing is for the guy to do the minimum, devoting his time to the job search.

Maybe also see a lawyer and send a registered letter to the company noting how the PIP is impossible and rigged for failure, to negotiate a better severance.

Bob says:

Depends on the company, and the manager. Some PIPs are sincere and legitimate. You’re right often enough to taint the whole process, but not so often that it’s a safe generality. Also, as most companies are “at will employers,” the lawsuit threat is overblown. They can and often do terminate employees with no stated cause at all.

Still, most of your advice is sound, except that employees on PIPs do need to be open minded about the possibility that they really do need to make some changes.

* * *

Bob …

Having been on all sides of this:

  • Good managers will tell you they’re unhappy long before you get a PIP. Bad ones may not.
  • If you’re reporting to a new manager, read your past appraisals to see if there is anything to suggest your previous managers had the same concerns but didn’t want to go to the trouble of going through the process. Your new manager might just be the first one willing to do so.
  • One way to know if the PIP is real and not window dressing or the result of a hidden agenda: What you need to do will be totally within your control and you will have what you need when you need it.
  • If you have a bad manager, hitting the PIP’s goals would save your job, but you may not get the support you need when you need it to hit them.
  • If you have a manager with an agenda, it won’t matter how hard you work, and factors beyond your control — factors that aren’t obvious to anyone in HR — may conspire to keep you from reaching the PIP’s goals. Example: needing the support of other people for whom you and your goals are a low priority at best.
  • Might you have annoyed a higher-level manager, whether directly or indirectly? You might be dealing with “delegated discipline,” at which point you have a manager with an agenda.
  • Ask HR what rights you have. Then ask someone who’s been around a while the same question. If HR seems to be leaving things out, you probably have a boss with an agenda and HR is backing them.

Bob says …

This is excellent advice. Thanks!

Someone once said we’re all smarter than any of us are. Thanks to all who, by writing, helped demonstrate the point.