Getting Security Right … Santa Style!
14th December 2014
We’ve spent much of 2014 watching the information security mishaps in the global empires of Home Depot, Wal-Mart and Sony, to name but a few. But have we overlooked the risks associated with the largest data controller in the world? It all starts with sacks full of envelopes addressed, in best crayon, to “Father chrismus, Norf pole” (assuming that the local postal service actually delivers them).
The volumes of data handled at this time of year by Mr F. Christmas (also known as Mr S. Claus) and his colourfully costumed, vertically-challenged assistants cross pretty much every national boundary, which at face value would seem to present us with a whole host of data protection challenges.
According to Wikipedia, we’re most likely to find this Data Controller located in the mountains of Korvatunturi in the Lapland Province of Finland. That would subject this global gift procurement and distribution operation to the Finnish Personal Data Act of 1999 (or Henkilotietolaki 1999/523 if you’re a local). From Barbie to Nintendo, we’re not simply talking about a large list of the latest toys, games and gadgets here. Closer examination reveals names, addresses (how else will the big chap know where to deliver), the gender, and possibly ages or dates of birth of quite a lot of children.
Quite a lot? Another quick dip into the internet shows that we now have over 2.2 billion children on this spinning orb we call Earth. Discounting the faiths and cultures in which Santa does not feature, that still leaves us approximately 400 million kids wishing for a reindeer-powered sleigh to land on their roof on Christmas Eve. For now, we’ll overlook the practicalities of landing a heavy sleigh (best estimate = c.320,000 tonnes) laden with presents on a 45 degree pitched roof of an average semi-detached house, or the eye-watering estimated 650 miles a second or 1,000 visits a second needed to visit them all (depending on which crazy facts website you read). We’ll also gloss over the 200,000+ cousins of Rudolph that a sleigh of this weight would require just to get moving.
Putting our information security hat back on for a moment, you do have to admire how Santa does all this and has yet to be the subject of a global security breach or data protection fine of any sort. Whilst data protection is well structured within the EEA (European Economic Area) within which Santa Enterprises has its headquarters, each year he plans on visiting a good number of nations whose data protection performance is decidedly less robust. Just how is this mountain of delivery data being securely transported on the big night? Does it involve reams of printed documents or the latest in cloud-based Santa-nav apps borrowing unsecured wireless networks he finds along the way? And how is this all being kept secure on the open sleigh as the jolly chap travels up and down far-too-small-for-his-waist chimneys in fractions of a second? Can we assume that Comet and Blitzen may have been trained on sleigh close-protection duties? And when it’s all over, in line with data protection legislation on keeping personal data for no longer than absolutely necessary, how are all these sensitive records properly disposed of on Boxing Day?
I guess we’ll never know. But credit where credit’s due, Father Christmas has done a fantastic job ensuring that order and delivery data has been kept secure for centuries. Once the busy season is over, the red coat has gone in to the dry cleaners, the reindeer are frolicking in the meadow and the sleigh has passed its annual MOT (mountains of toys) test, we should all be looking out for a hand-written CV for that CISO role, complete with Finnish postmark. It may be the best hire we ever made.
Respecting customer confidentiality, we can neither confirm nor deny rumours that Santa is using InfoSaaS to help manage his information security this year. In the meantime, we would like to wish all InfoSaaS customers and partners a Merry Christmas and a happy, prosperous and secure New Year.