By Daniel J. Solove
Data Revolution discusses emerging trends and challenges related to healthcare data and its ever-changing life cycle. This month’s article is a guest post and originally appeared on Daniel Solove’s LinkedIn blog on April 29, 2015. It is republished here with permission.
. . . the Empire would have won. A search of records would have revealed where Luke Skywalker was living on Tatooine. A more efficient collection and aggregation of Jawa records would have located the droids immediately. Simple data analysis would have revealed that Ben Kenobi was really Obi Wan Kenobi. A search of birth records would have revealed that Princess Leia was Luke’s sister. Had the Empire had anything like the NSA, it would have had all the data it needed, and it could have swept up the droids and everyone else, and that would have been that.
There is an important lesson to be learned from Star Wars: If you are trying to establish and maintain a ruthless Empire, you can greatly benefit from better data aggregation and analysis.
The Empire also could have benefited from a better knowledge of data security:
- Key hardware and controls should be secured in a locked area. The controls to the Death Star tractor beam should have been located in a less open location.
- Strong authentication is essential. A droid shouldn’t be able to plug right in and access all data on the Death Star. For example, had two-factor authentication been used, the rebellion would have been crushed in the trash compactor.
- Good data breach response is essential. A better response to the improper accessing of the plans to the Death Star might have averted catastrophe for the Empire.
- Encryption should be used to protect important data. Encrypting the plans to the Death Star would have been a wise thing to do.
Unfortunately for the Empire, its understanding of data was poor. Had the Empire conducted routine risk analysis, invested adequately in its security program, performed annual training of key personnel, and otherwise maintained reasonable administrative, physical, and technical controls, the problems could have been averted, and the Empire would have won.
Star Wars is essentially a movie about data breach response—one that failed rather miserably. With all due respect to all the hard work and late nights that Darth Vader spent responding to the breach, the breach could have been averted, and the response would have been effective had the Empire employed experts on the use and protection of data.
The Rebel Alliance certainly didn’t win by being more savvy than the Empire. Obi Wan Kenobi needed to learn better techniques of data de-identification. Most experts will advise you that if you want to hide someone as important as the son of Anakin Skywalker, you shouldn’t have him use the Skywalker last name. With all due respect, if Obi Wan Kenobi wants to go into hiding, the name Ben Kenobi is a rather poor attempt at cloaking his identity.
The ultimate lesson in all this is that it isn’t enough to use light sabers and the Force, battleships and blasters, and an endless supply of Stormtroopers. It’s knowledge about data that is key. Darth Vader and Obi Wan Kenobi should both have been fired and replaced with privacy and security professionals!
Daniel J. Solove (firstname.lastname@example.org) is the John Marshall Harlan Research Professor of Law at George Washington University Law School and the founder of TeachPrivacy, a privacy/data security training company. Solove is co-organizer of the Privacy + Security Forum (Oct. 21-23, 2015 in Washington, DC) and the instructor of a series of HIPAA training courses developed with AHIMA and available for review on the TeachPrivacy website. The views in this article are the personal views of Daniel Solove and do not represent any organization with which he is affiliated.