
5 Naughty and Nice Ways to Love Your Data

Feb 14, 2013   //   by Karen Lopez   //   Blog, Data, Data Governance, Data Modeling  //  No Comments


It’s Valentine’s Day evening in North America.  I’m guessing that means that you and a loved one are waiting for a table at your favourite ChiBeeFridayGardenTM.  Hopefully you’re not sitting in a crowded bar drinking sugary sweet margaritas that never came anywhere near a lime or real tequila.  But if you are, that also means you’re probably munching on some free chips and salsa.  Bueno.

As you know, I’m a data advocate…a data evangelist, even.  That means I want you to take care of your sweet snookums of data that you’ve entered into a commitment to love, honour and obey until the end of time.  Or at least until that next recruiter call comes.

So while working on a flight across Canada in my cubicle in the sky, I came up with these 5 tips for ensuring that your data feels loved, safe and warm.

1. Try some constraints.  I’m tired of seeing systems with no foreign key (FK) constraints or indexes on the data.  Vendors are especially strait-laced with their “we do all that enforcement in the application” answers as to why they don’t want to constrain their data.  That’s a subject of a future post. However, too many database designs lack even the most basic data quality rules.  There are a whole lot of things we data professionals know about what makes for good (or good enough) data.  Enforcing those rules as close as possible to the data is the best way to protect that data.  To make it feel loved because it’s safe.
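As an added illustration (not from the original post) of putting the rules next to the data instead of in the application: a small Python/SQLite schema where the database itself refuses orphan rows and malformed values. The table and column names are made up, and note the SQLite-specific caveat that foreign keys are only enforced once `PRAGMA foreign_keys` is switched on.

```python
import sqlite3

def open_db():
    """In-memory SQLite database whose rules are enforced by the database itself."""
    conn = sqlite3.connect(":memory:")
    # SQLite ignores REFERENCES clauses unless this is turned on per connection;
    # forgetting it is the same as "we enforce that in the application".
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE department (
            dept_id INTEGER PRIMARY KEY,
            name    TEXT NOT NULL UNIQUE
        );
        CREATE TABLE employee (
            emp_id  INTEGER PRIMARY KEY,
            dept_id INTEGER NOT NULL REFERENCES department(dept_id),
            email   TEXT NOT NULL CHECK (email LIKE '%_@_%.%'),
            hired   TEXT NOT NULL CHECK (hired GLOB '[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]')
        );
        CREATE INDEX ix_employee_dept ON employee(dept_id);  -- supports the FK lookups
        INSERT INTO department VALUES (10, 'Finance');       -- constructed sample row
    """)
    return conn

def add_employee(conn, dept_id, email, hired):
    """Attempt an insert; return 'accepted' or the database's own reason for refusing."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute("INSERT INTO employee (dept_id, email, hired) VALUES (?, ?, ?)",
                         (dept_id, email, hired))
        return "accepted"
    except sqlite3.IntegrityError as exc:
        return f"rejected: {exc}"
```

Whatever the application does (or forgets to do), a row pointing at a department that does not exist, an address with no `@`, or a date in the wrong shape never reaches the table.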

2. Be free. Don’t worry about backups.  What? No backups? No, that’s not what I said.  Don’t worry about backups; worry about restores.  You can have a perfect backup strategy in place and still not be able to restore because you’ve never tested that critical part of the process.  Sure, to restore there has to be a backup first, but too many people set that up and don’t realize that there’s another process out there deleting the backups, or destroying the tapes, or worse.  While you are at it, make sure you are monitoring the backups to see if they are actually working. Regular (and hopefully automated) restore testing will quickly point out failures in the backup and the restore strategy.

3. Put your data on a pedestal. I support systems with data that is more than a hundred years old. Over those decades, that data has been passed around between databases, systems, spreadsheets…well, you know how that works. Every professional who put their hands on that data had an opportunity to nurture it or to turn it into the broken, barely human data crying in a relation’s arms. There are certain data practices that make data less usable, less accurate and less strong. That weakness in the data translates into a general weakness in the entire system. That then translates into business weaknesses. Data lasts much longer than code. If you are optimizing database designs for the code, you may be harming the data in a way that it can never love you back. Love it even on fast and agile projects.  Just enough design doesn’t mean no design; it means just enough to love it right.

4. Get familiar with your data. Almost to the point of stalking it. You need to not only understand the structure of a database, but also what data is in it.  I can’t tell you how many times I’ve seen someone reverse engineer table and column names, then use only that information to analyze what data is contained in the database.  Big mistake.  Want to be surprised?  Go look at a bunch of columns called Notes or Description or Address Line 4 and see what you find.  I’d bet you a bag of naughty candy hearts that you’re going to find a brand new set of data that few people knew was held in that database.  You might even find credit card data, tax identifiers or insulting customer comments buried there.  I’ve seen all of that.   Data profiling is something you need to do for the life of a data structure.  Misuse of data structures happens more often than you think.
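A worked example of the profiling step, added here and not part of the original post: a Python script that walks every TEXT column in a SQLite database and counts rows holding numbers that pass the Luhn check, the way card numbers and Canadian SINs do, so a Notes column quietly storing either gets flagged. The table and its rows are constructed sample data; the card number and SIN in it are published test values, not real ones.

```python
import re
import sqlite3
DIGIT_RUN = re.compile(r"(?<!\d)(?:\d[ -]?){8,18}\d(?!\d)")  # 9 to 19 digits, spaces/dashes allowed

def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers and Canadian SINs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify(text):
    """Labels for sensitive-looking numbers hiding in one free-text value."""
    hits = []
    for m in DIGIT_RUN.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            continue            # dates, order numbers etc. rarely pass Luhn
        if 13 <= len(digits) <= 19:
            hits.append("possible_card_number")
        elif len(digits) == 9:
            hits.append("possible_sin")
    return hits

def profile_text_columns(conn):
    """Scan every TEXT column of every table; count rows with a hit, per column."""
    counts = {}
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")')
                if (r[2] or "").upper().startswith("TEXT")]
        for col in cols:
            n = sum(1 for (val,) in conn.execute(f'SELECT "{col}" FROM "{table}"')
                    if isinstance(val, str) and classify(val))
            if n:
                counts[f"{table}.{col}"] = n
    return counts

def demo_db():
    """Constructed sample data; the card number and SIN are published test values."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, notes TEXT, address_line_4 TEXT);
        INSERT INTO customer VALUES
          (1, 'Ann', 'Called re: invoice 2013-02-14', NULL),
          (2, 'Bob', 'Paid by card 4111 1111 1111 1111, keep on file', 'Suite 200'),
          (3, 'Cy',  'SIN 046 454 286 given over the phone', 'Order ref 1234-5678');
    """)
    return conn
```

Run `profile_text_columns(demo_db())` and the only column reported is `customer.notes` with two rows, which is exactly the sort of thing the column name alone would never tell you.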

5. Cozy up with your team members. If you are data modeling or designing databases and you aren’t physically next to the people working with those designs, you’re missing out on a hundred opportunities a day to answer their questions, overhear their debates about the difference between Department and Division, and generally provide support for the project you delivered to them.  What? Those people work thousands of miles away?  You need to build long distance relationships via Skype or GoToMeeting with these people.  You might even need to answer their questions in the middle of the night.  Just like in real life relationships.  The key is to send a message of availability and willingness to help.  I’m pretty sure I’d better stop this analogy here, but you know what I mean.  You say your boss pulls you off a project as soon as version one of the data model is done and puts you on another one right away?  Well, there’s a name for that type of a boss.  I’ll stop here, too.

Your data really isn’t your data.  It belongs to your business users and some of it to customers.  When you don’t love your data enough, it knows.  And others will know, too.  So spend some time tomorrow ensuring that your data is loved, safe and warm.  It will do the same for you and your team.

Groan: Victims of Data Breach Receive Letters Intended for Others

Feb 11, 2013   //   by Karen Lopez   //   Blog, Data, Data Breach  //  5 Comments


I’ve blogged about this data breach before: Federal Department Bans Use of Portable Devices (YAFF).  To add insult to the injury, a “printer error” has led to recipients of notifications about the breach receiving letters intended for other victims.

The federal government is blaming a printing error for the fact that some student loan recipients who received letters to say their personal information had gone missing along with a portable hard drive also got letters addressed to someone else.

Human Resources and Skills Development Canada revealed last month that a hard drive containing the personal information of some 583,000 Canadians had gone missing. The data included social insurance numbers and dates of birth of people who had received student loans between 2002 and 2006.

via Victims of student loan data breach get letters addressed to others | CTV News.

Sure, these sorts of errors do happen, especially when using automated printing and envelope stuffing equipment. I’ve got to say, though, that the timing on this error is more than … difficult.  I’m wondering if the IT teams are being blamed here, or just the outsourcing company that provides mailing services.

#CSATweetup Trip Prep Fun #spacestache

Feb 4, 2013   //   by Karen Lopez   //   Blog, Fun, Snark, Space  //  No Comments


Because everyone needs more moustache in their lives, right? 

I can’t wait to visit with Commander Hadfield via the International Space Station this Thursday at the Canadian Space Agency Day in the Life of Chris Hadfield CSATweetup.  There’s even a phone call with William Shatner.  We’ll also hear from CSA scientists and investigators and Astronaut Jeremy Hansen (@astro_jeremy).

There may be photos and tweets.  Set your filters to stun.

Got Health Data? Your Penalty Exposures for Data Breaches Just Increased

Jan 30, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach  //  No Comments

I’ve been blogging about health data breaches lately, but I’m not sure if there are more of them or if the reporting requirements are more strict.  I suspect the latter.

One of the things I’ve noticed is that many of the breaches seem to be multiple exposures by the same organization, which has led to recent legislative changes to the HITECH Act.  You can see from the quote below that not only has the maximum penalty been increased, but the penalties for repeat violators are higher.

Given the sensitive nature of health data, I’m still thinking that we need to move more towards criminal penalties for wilful neglect and repeat violations.

In addition to redefining the scope and liabilities of business associates in the healthcare industry, the final HIPAA omnibus rule includes revisions to the penalties applied to each HIPAA violation category. While the American Recovery and Reinvestment Act of 2009 (ARRA) initially established a tiered penalty structure, it hasn’t been revised until now.

Section 160.404 refers to the amount of civil monetary penalty as administered under the HITECH (Health Information Technology for Economic and Clinical Health) Act. The original penalty structure used to be:

[image: table of the original penalty structure]

via HIPAA Violation Penalties Rise in Response to Data Breaches | SmartData Collective.

Do you think companies are bearing enough of the responsibility for protecting our data?  Do you as a data professional get enough support from management to ensure that data is protected?

Federal Department Bans Use of Portable Devices (YAFF)

Jan 22, 2013   //   by Karen Lopez   //   Blog, Compliance and Regulation, Data, Data Breach  //  4 Comments


I thought I had blogged about this Canadian data breach, but I guess not.  All these data breaches are coming so fast it’s hard to keep up. In this report, we have another YAFF: a portable hard drive being used as a backup device.

It looks like Human Resources and Skills Development Canada (HRSDC) will be taking a three-pronged approach to protecting our data: first, a new policy banning portable storage devices; second, use of data loss protection technologies; and third, establishing consequences for staff that cause a data breach.

OTTAWA — The federal department at the centre of a massive data breach says it is banning the use of portable data devices in its offices, using new technology to prevent information from being easily removed from the network and warning any staff that violation of the new rules could mean the loss of their job.

Human Resources and Skills Development Canada (HRSDC) said Monday that it will start using “data loss technology,” which would allow the department to restrict when, where and which staff can remove information from government systems. Reviews have already started to see what risks the use of secured, portable data devices, such as USB memory sticks, carry in the department’s work and whether there are enough safeguards to prevent another massive breach of personal information from happening again.

via Federal department bans use of portable devices after personal data breach | canada.com.

Their loss of more than half a million student loan borrowers’ data has led to class action lawsuits.  A missing external hard drive is the hardware piece of this breach; the fact that this drive contained unencrypted backups is the behavioural issue.  Perhaps we need to start thinking about how to train end users on the consequences of moving data from “the system” to any place else, even for backup purposes.

Is there a solution?

I have more questions than solutions here, though.  Usually enterprise backup solutions involve software plus a server or external service.  I’m not sure why HRSDC was using a portable hard drive for backup.  They are harder to manage, they tend to walk away, and they aren’t that reliable.  So I’m going to guess here that this device was a personal device or being used to sneakernet files from one location to another.  Perhaps from office to home, or from office to office.  Both of those scenarios bother me because they most likely were not official methods for doing these tasks. 

I don’t think there’s one answer.  Training, policy, inspections, consequences, real monitoring and protection, more training, more inspections, some tough decisions.  It’s a complex issue that will require complex responses.  I’d like to hear what other organizations are doing to mitigate data breaches.
