Two stories aired on Channel 7’s evening news on Dec. 2 caught my attention and raised some great concerns about our personal data and the use of technology to conduct business in Belize.
By extension, I am also worried about Belize’s cybersecurity culture. In the first instance, I reference a news story titled, “Major police security breach via lost Special Branch flash
This story informs that the police department, through what could be deemed negligence, lost a USB flash drive which contained sensitive data.
Such an act could render the police department inefficient, since criminals now have information on their plans and operations. If it is true that the police informants’ data was also contained on that device, then again the criminals could make much use of such confidential information and such informants could be found dead.
The second news article is “JL’s wants SSB data for credit database”. This is a very serious issue, since the Social Security Board (SSB) possesses the most sensitive data about each person in this beautiful nation of ours. Identity theft is on the rise globally, and it behooves us to acknowledge that it is happening here in Belize too — just listen to the evening news! Legislation/policies are very important in keeping our clients’ data safe.
While hardware and software can keep us safe to a certain extent, we must have the necessary legislation and policy to complement technology. In the US, for example, the banking industry has to abide by the “Gramm-Leach-Bliley Act” (GLBA), the health industry is legislated by the “Health Insurance Portability and Accountability Act” (HIPAA), and after the infamous Enron saga the accounting industry adheres to the Sarbanes-Oxley Act (SOX).
I can tell, from my almost 20 years of experience in IT/S in the United States, that these pieces of legislation outline “data holders’” responsibilities: what is acceptable sharing, and the consequences if clients’ data is lost or their system compromised. Punishment for the latter may also include imprisonment for C-Level officers, if found negligent.
I ponder, in the case of the police, why was the external drive not encrypted? Did the officer sign a confidentiality agreement which outlined what was permitted and the consequences of losing such data? As she and her superior can best decipher, did this officer lose the device while on official duty or was it a result of being reckless?
In the other case, I believe Mrs. Ozaeta from SSB provided the best response in her capacity.
In truth what Belize needs is a Certificate Authority (CA) which serves as “middleman” between SSB and business organizations. In an ideal situation this would be the Department of Motor Vehicles (DMV) or in local parlance the Department of Transport (DoT). The credentials offered by the DoT should be enough, without the need to have access to SSB data. But we know our reality, thus we would really need to consider other options.
In the absence of the DoT’s ability to be used as a CA (I will confess at this point that I do not truly know the intent nor needs of JL’s, but I offer a general opinion), SSB should be able to provide a database view, which will render information needed for verification purposes only. This view will return answers only in the affirmative or negative based on submission of relatively innocuous data (i.e. First, Middle, Last Name, SSN) and responses from the customer to a few security questions.
Submitting such questions to the SSB database will render “confirm” or “not confirmed”; no personal data will be offered by SSB. I would think that the applicant would provide a SS card which will contain this information and they would know the answers to the secret questions if they are who they say they really are.
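A minimal sketch of the confirm-or-not-confirmed lookup described above, added here as an illustration and not taken from the letter or from any SSB system. The table layout, the sample record, the single security question and the three-attempt lockout are all assumptions.

```python
import hashlib, hmac, sqlite3

MAX_FAILURES = 3      # assumed lockout threshold per SSN
_failures = {}        # failed attempts per SSN (in memory for this sketch)

def _hash_answer(answer, salt):
    # Security answers are stored salted and stretched, never in clear text.
    norm = " ".join(answer.lower().split()).encode()
    return hashlib.pbkdf2_hmac("sha256", norm, salt, 100_000)

_DUMMY_SALT = b"dummy-salt"
_DUMMY_HASH = _hash_answer("no such record", _DUMMY_SALT)

def build_db():
    # Constructed sample record; schema, names and numbers are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE persons (ssn TEXT PRIMARY KEY, first TEXT, middle TEXT,"
               " last TEXT, address TEXT, salt BLOB, answer_hash BLOB)")
    salt = b"constructed-salt"
    db.execute("INSERT INTO persons VALUES (?,?,?,?,?,?,?)",
               ("000123456", "Maria", "Elena", "Castillo", "12 Sample St",
                salt, _hash_answer("orange walk", salt)))
    return db

def verify(db, first, middle, last, ssn, answer):
    """Answer only 'confirmed' or 'not confirmed'; no stored field is returned."""
    if _failures.get(ssn, 0) >= MAX_FAILURES:
        return "not confirmed"          # locked out: stops answer guessing
    row = db.execute(
        "SELECT salt, answer_hash FROM persons WHERE ssn = ? AND lower(first) = lower(?)"
        " AND lower(middle) = lower(?) AND lower(last) = lower(?)",
        (ssn, first, middle, last)).fetchone()   # parameterized, never concatenated
    # Hash against a dummy record on a miss so both outcomes do the same work.
    salt, stored = row if row else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(_hash_answer(answer, salt), stored)
    if row is not None and match:
        return "confirmed"
    _failures[ssn] = _failures.get(ssn, 0) + 1
    return "not confirmed"
```

The caller never learns which submitted field failed, and the address column is never selected, so the response carries one bit per request.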
While there are many more questions than answers and many scenarios to consider with regards to these news stories, I hope this highlights the need for us, as a country, to recognise the influence of technology on our society.
With the ubiquitous use of computers, the line between privacy and access has become exponentially thinner. There is a need for a technological paradigm shift which we must adopt in the motherland to be competitive in the global market, but we can only do so after considering the significance of cybersecurity and proper governance for our ICTs (information and communication technologies).
PhD. (ABD) – Information Security and Assurance