More and more corporate data is going digital. Lots of people hype the benefits, but digital data also creates new risks and burdens. To understand the negative effects, I have been asking CIOs: “What bad thing happens if you can’t access your data?”
I learned that if an airline can’t access manifests and passenger lists, then their aircraft are not allowed to take off. After four hours, if they still can’t access their data, then every aircraft in the fleet is required to land at the nearest airport.
I learned that if a drug company can’t produce the right drug-testing data, even 10 or 20 years after the drug is approved, then the FDA can shut down worldwide production of that drug.
The CIO of a large bank told me that his biggest fear is a headline reading “Bank loses a million customer records” or “Hacker hits up to 8m credit cards”. His data centres write 100,000 back-up tapes a year, and he is keenly aware that losing any one of them could put his bank’s name in the headlines.
In all of these examples, there is not only a technical component – how do I store, manage and protect my data – but also a legal and sometimes even an ethical component.
The intersection of technology and ethics is most clear in the example of the lost back-up tape. Suppose a company loses private information, perhaps financial or medical, about a customer. Is it just carelessness if the data is unencrypted, or is it criminal negligence? What should the penalty be? Should the company be fined? Should someone go to jail? What if it’s not one customer but thousands or millions?
These are not hypothetical questions. Time Warner reported that it lost a shipment of back-up tapes containing personal information for 600,000 employees. MasterCard International reported that more than 40m credit cards may have been stolen.
Before computers, we might have considered the penalty for losing one customer’s private data, or data for a handful of customers, but losing data for millions of customers at once would be inconceivable. It boggles our ethical intuition.
Consider this: a single back-up tape can hold nearly a terabyte, which is enough space to store the name, address and credit card information of every person in the world.
To me, nothing highlights the difference between paper and digital data as dramatically as this one fact: a one terabyte back-up tape will fit in your pocket, but if you were to print all that data, the paper would weigh 20m pounds. Imagine trying to protect that much paper. You might hire guards, or build a locked warehouse, but you certainly wouldn’t worry about somebody sneaking away with it in their pocket.
When data goes digital, everything changes.
It’s clear that you can’t simply treat digital data the same as paper. Technology has advanced so rapidly that it’s been only a decade or two since we started storing large amounts of sensitive customer data on computers. Our laws and intuition have not caught up.
We must acknowledge that these issues will take time to solve. Laws will evolve as the public and legislators learn through experience what it means to have so much digital data. Hopefully it won’t take the hundreds of years we’ve already spent learning about data on paper; however, the amount of data and types of data continue to change so quickly that I expect these issues will be front and centre for at least another decade or two.
There are some obvious next steps. The storage industry must innovate to simplify data management tasks such as backing up data, keeping back-ups a safe distance from the original in case of disaster, and encrypting sensitive data.
That is technology, but there are also legal steps. The storage industry can help by representing the concerns of customers from various industries, and by helping legislators understand what is possible, given the state of technology, and what is not. Laws that are impossible to implement help no one.
■The author is the Founder and Executive Vice President of NetApp. His blog is at http://blogs.netapp.com/dave/