Cover Your A** (And don’t be stupid)
I was recently called up for Jury Duty by the Dallas County court system (for the first time in my life). Though I cringed when they called my name as a selected juror, it taught me about, and reminded me of, a lot of very important things that we forget or take for granted as highly privileged administrators. This case (yes, I'm allowed to talk about it now without repercussions) concerned the alleged theft of company trade secrets by former employees and distributors who then joined, and supposedly fast-tracked the start-up of, a competing company. The "IT Guy" had full sysadmin rights to the SQL Server database hosted by the cloud provider and therefore had the motive, ability and opportunity to take any of the data he thought necessary and hand it to the new company. Now, we never got any direct evidence of that and therefore didn't find against him on that count; we did find that he broke his employment contract, and we agreed he should pay back his "double salary" for the nearly a month he secretly worked at both companies. 99% of the evidence in the case was circumstantial (almost all emails!) that the prosecution used to put together the timeline and the story of what happened…and, just as importantly, what didn't happen (such as following data access policies, asking for approval before pulling data, etc.).
- Fiduciary Duty: This is not a term reserved for company executives, my friends. No…every employee (and in some cases non-employees, contractors, etc.) can be bound by a fiduciary duty to their employer. Fiduciary duty is defined as a level of extraordinary trust and confidence placed in a person to work and act in the best interest of the company. Extraordinary trust is any level of trust placed in a person beyond the inherent trust placed in any employee the company hires.
- As DBAs we are trusted with what is typically some of the most sensitive data in the company. We are typically given unlimited access to all data in all databases on all servers so that we can quickly, efficiently and proactively administer systems and tune data access "in the company's best interest". We tend to have access to company secrets: formulas, custom-developed software, code, HR and pay information, distributor/manufacturer/customer lists, etc. As DBAs we have just as solid a fiduciary duty to our companies as any of the executives, if not more.
- Data Access: Along with that comes the need to be fully educated on our company's policies for data access and control. You really can't use the excuse that you were in a hurry and just gave them admin access, or that you thought it was okay. If your company is audited for SOX or HIPAA (or any of the other regulations that look at data security and access) then you need a very solid policy and you need to follow it. There should be a data owner for every piece of data (every database at least) in the company, and those owners should be doing periodic reviews of everyone who can access their data and what level of access they have.
- It is far too easy for a lawsuit (that has nothing to do with you!) to get out of hand very quickly! So the title of this posting is quite apt…Cover Your A**. Don't do things that could be misconstrued as helping someone get access to data. Always ask why, for how long, exactly what do you need access to, and who approved this…and get it in email or a ticketing system.
- Communications: Obviously communication is essential to getting the job done, but be conscious of your method of communication. Cover Your A** means that you get everything to do with administration in writing (email, instant messaging as long as it has a historical repository, a ticketing system, etc.). Now don't go so overboard that everyone hates you, but after the verbal conversation about how to get something done, make sure you ask the questions and get the responses in writing.
- If some of the guys in this case had asked the questions in email there would have been a record and they wouldn't have been defendants at all. In other cases, the defendants put way too much in an email and it made them look extremely suspect.
- Second, always use your company email when sending official communications. One defendant kept explicitly using everyone's personal email addresses…which looks really sketchy when you are sitting in a jury box and a prosecutor is talking about conspiracy!
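Since the data-access point above comes down to a data owner periodically asking "who can get at my data, and with what rights?", here is a T-SQL access-review script for SQL Server. It is an added example, not something from the original post or from the case discussed, and it uses only the documented catalog views (sys.server_principals, sys.server_role_members, sys.database_principals, sys.database_role_members, sys.database_permissions). Run the second and third queries in each database the owner is responsible for; the first is instance-wide and is the one that lists every sysadmin.

```sql
-- Added example: a periodic access review for a SQL Server instance and database.
-- Query 1 (instance level): every member of every fixed or user-defined server role.
-- The rows where server_role = 'sysadmin' are the people who can read or copy anything
-- on the instance, so that list should be short and every name on it should be justified.
SELECT r.name        AS server_role,
       m.name        AS member_name,
       m.type_desc   AS member_type,      -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP, ...
       m.is_disabled,
       m.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.type = 'R'                         -- role principals only
ORDER BY r.name, m.name;

-- Query 2 (current database): which database roles each user belongs to.
-- db_owner and db_datareader members effectively have full read access to the database.
SELECT u.name        AS database_user,
       u.type_desc   AS user_type,
       r.name        AS database_role,
       sp.name       AS mapped_login       -- NULL for users with no server login (orphans)
FROM sys.database_role_members AS drm
JOIN sys.database_principals   AS r  ON r.principal_id  = drm.role_principal_id
JOIN sys.database_principals   AS u  ON u.principal_id  = drm.member_principal_id
LEFT JOIN sys.server_principals AS sp ON sp.sid = u.sid
WHERE u.name NOT IN ('dbo')                -- dbo is implied by the database owner
ORDER BY r.name, u.name;

-- Query 3 (current database): permissions granted or denied directly to a principal,
-- bypassing roles. These are the ones that tend to accumulate from "just give them access".
SELECT pr.name             AS principal_name,
       pe.state_desc       AS grant_state,  -- GRANT, GRANT_WITH_GRANT_OPTION, DENY
       pe.permission_name,
       pe.class_desc,                       -- DATABASE, OBJECT_OR_COLUMN, SCHEMA, ...
       COALESCE(OBJECT_SCHEMA_NAME(pe.major_id) + '.' + OBJECT_NAME(pe.major_id),
                DB_NAME())                  AS securable
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name NOT IN ('public', 'guest')   -- review those separately; they apply to everyone
  AND pe.permission_name <> 'CONNECT'      -- CONNECT alone grants no data access
ORDER BY pr.name, pe.class_desc, securable, pe.permission_name;
```

A practical way to use this is to save the three result sets with the review date, diff them against the previous review, and require a ticket or email approval for every new sysadmin, db_owner or direct GRANT that appears. A login that shows up in Query 1 with no corresponding approval is exactly the kind of gap that, in the case above, turned circumstantial emails into a plausible story.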