Removing sensitive Oracle data
Oracle Tips by Burleson Consulting
January 8, 2008
Trashing your data: An important Oracle DBA job
As CEO of a database software company, Larry Ellison knew
the value of archiving his corporate data. When a disgruntled ex-Oracle employee
(Adelyn Lee) concocted a false claim against Larry, Ellison used data archives
to prove that she had forged her evidence. The charges were dropped and Lee was
found guilty of perjury and sentenced to a year in jail and a $100,000 fine.
For the entertaining details, see Lee v. Oracle Corporation, (1999 WL 595455
(Cal App 1999)).
While this saved Ellison from unfounded charges, we must
ask if it is always a good idea to archive every detail of your operational
business processes. Today, many large companies are requiring complete purges
of sensitive data that might be misunderstood, and they are going to great pains
to have their Oracle DBA remove all traces of this information.
As disk prices fall to record lows, many corporations are
deciding to retain all of their corporate data, including all corporate
correspondence, everything from e-mails to customer queries. But is this a
prudent decision? Some experts are suggesting that it’s a big mistake to
archive all of your data, especially if it has not been carefully reviewed for
content.
During my work in Oracle forensics, I’ve helped many
litigants resurrect evidence that has helped to punish some bad guys and
vanquish people who have been treated unfairly. During these forensic
investigations, unscrupulous shops are shocked to discover that “smoking guns”
can be uncovered years after the data has been deleted from Oracle.
But it’s not just the bad guys who must trash their Oracle
data. In case after case, archived Oracle data is being abused by greedy
plaintiffs, and the Oracle community is starting to realize that a prudent data
retention policy must also include specific directions for trashing some Oracle
data.
In today’s litigious world, the conventional wisdom that
saving all corporate data can save the day is now being challenged. While data
is a valuable resource, blindly archiving data can have serious financial
consequences. Consider these examples:
- ABC Corporation had a big problem. A disgruntled
ex-employee was suing for sexual harassment. Even though the charges were
groundless, their own historical data was being used to hurt them. During
discovery, opposing counsel subpoenaed all corporate e-mails for the past
three years, over 20 million messages, finding hundreds of examples of
messages that could be construed as demeaning to women. Because ABC
archived all of their e-mails in their Oracle database, this data was used
against them to horrific effect, costing them over a million dollars in
damages.
- ZZZ Car Corporation was accused of cutting corners on
their vehicle production costs, precipitating the deaths of over a dozen
motorists in the past decade. Using Oracle archived redo logs, the
plaintiffs found evidence that ZZZ engineers could have made their car
safer, yet they chose not to do so because the extra costs would make their
cars non-competitive.
- YYY Corporation was found guilty of libel after it was
discovered that an ex-employee had published defamatory information on the
web using the company’s computers. The incident occurred four years ago and
management had no knowledge of it, but the Oracle log
files revealed the exact details, opening up YYY to millions of dollars in
damages.
- During a lawsuit for age discrimination, XYZ
Corporation was ordered to produce confidential documents from their Oracle
HR module. Even though the data was deleted from the database, the archived
redo logs were used to reveal a pattern of age-related discrimination,
costing them over ten million dollars in damages.
What do these cases have in common? They were all Oracle
shops that made fatal errors in their data retention policy. They were all
drawn in by a common misconception: because disk is cheap and Oracle can
easily manage all forms of corporate data, their data should be stored
forever.
The Oracle DBA as data custodian
While the intentional destruction of evidence
(“spoliation”) is highly illegal, it is prudent and responsible to purge data
that no longer has any value to the company, especially data that might be
misconstrued or used in a lawsuit.
In today’s litigious society, employers are held
responsible for the acts of their employees, and management must decide between
two unsavory options:
- Monitor and archive all employee correspondence (web
usage, telephone calls, e-mail).
- Deliberately throw away all correspondence after 60
days.
The Orwellian tactic of monitoring employees is falling
from favor, and many large corporations now require that all corporate
correspondence be completely and totally destroyed after a reasonable period of
time.
So how does the savvy Oracle DBA manage data retention
policies?
As more and more information systems are consolidating all
of their operational information into Oracle databases, the Oracle DBA becomes
the custodian of a wealth of varied data, everything from confidential e-mails
to secret marketing plans. As many vendor products (e.g. Oracle Collaboration
Suite) now incorporate non-traditional data like spreadsheets and correspondence
into Oracle, the DBA must clearly understand what data is to be preserved and
what data must be expunged from the archives.
Let’s start by looking at the legal requirements for data
archiving and understand how to comply with Federal laws while eradicating
unwanted information.
Legal requirements for data archiving
The Oracle DBA presides over a vast amount of corporate
data and the DBA must often work with corporate attorneys to ensure that their
data retention policies comply with a host of Federal data requirements (see
Appendix A for a partial list).
These data archiving laws impose huge burdens on Oracle
shops, especially laws like HIPAA which mandate the auditing of anyone who views
confidential patient data. These audits can exceed the size of the database
every day, and the DBA is further challenged by laws requiring reporting. For
example, an Oracle DBA in a hospital only has a few hours to spin through
terabytes of HIPAA data to show everyone who has viewed a particular patient’s
records.
The article titled "Documentation and recordkeeping"
describes the wide variety of Oracle data that must be retained and archived:

| Data | Law Requiring Retention |
| --- | --- |
| Basic data (name, address, birth date) | FLSA |
| Job advertisements | ADEA, FLSA and ADA |
| Employment applications | ADA/Title VII, ADEA, and OFCCP |
| Offers and hiring records | ADA, Title VII, Vet’s Act |
| Promotions, demotions, and transfers | ADA, ADEA, and Title VII |
Many of these laws impose criminal sanctions against any
DBA who fails to comply, and some DBAs will simply retain everything in order
to ensure compliance.
However, that’s often a huge mistake. For example, a
well-intentioned e-mail that states “Joe is in the hospital for VD treatment,
in case anyone wants to send flowers” could be used as evidence for a HIPAA
lawsuit for disclosing confidential medical information.
Removing stale Oracle data
All Oracle DBAs must be vigilant to ensure database
recoverability while ensuring that sensitive or confidential data is completely
obliterated. Most Oracle DBAs develop a sophisticated data retention policy
that ensures recoverability, but they fail to develop policies for completely
removing “stale” data.
In the article "What you must have, should have, and never want to see in
your company’s records", we see that all Oracle database information should be
cleansed before archiving, removing all traces (including the redo logs) of any
“smoking gun” data. This information could be buried deep inside Oracle
Applications or Oracle Collaboration Suite:
- References to personal status - Any Oracle data
referencing pre-employment background checks, deviant sexual orientation,
disabilities, politics and criminal history should be routinely purged.
- Statements admitting wrongdoing by the company.
Even simple notations within Oracle Applications comment fields must be
carefully examined. For example, a comment within Oracle AP stating “We
are postponing payment as long as possible”, could be used in a lawsuit.
- Subjective remarks - Some employees tend to
include subjective comments in Oracle Apps, statements that can prove
dangerous in litigation.
- Inaccurate information - The publication of
false and defamatory information could result in a claim for libel or
slander.
So, how does the DBA manage these conflicting
requirements? In order to be effective, the end-user community must be
intimately involved in the purging of stale data from the Oracle tables, but it
is up to the DBA to ensure that none of this stale data is retained inside
export files, audit trails or archived redo log files.
A sample retention policy should also spell out the
specific acts required to ensure the thorough destruction of the data. Remember, audit
trails almost always contain confidential data, and the audit trail tapes should
be thoroughly incinerated.
In some shops facing threats of third-party
litigation, the corporate attorneys have developed thorough procedures for
destroying Oracle data, even going as far as cremating the archived backup
tapes. They note that un-cataloging the archived redo log tapes is not
sufficient because the logs could be reconstructed by an Oracle forensics expert,
and archived redo that is sent to a “safe site” must also be completely
destroyed.
Archives kept on disk also require special treatment. The
disk files should be physically erased, and it’s not enough to just remove the
files. Here are some high-level best practices for Oracle data destruction:
- Destroy stale data – Many Oracle Apps shops
require their end-users to purge sensitive data periodically, and some shops
run keyword searches against all comment columns, seeking inadvertent
failures.
- Destroy archived redo logs – Archived redo logs
can contain unwanted data (especially for Oracle Collaboration Suite and
Oracle eBusiness Suite) and all redo logs must be completely destroyed as
soon as they are no longer needed for database recovery.
- Destroy audit trails – Many shops use a job
scheduler to mark audit trails for destruction as soon as the legal
requirements are met.
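As an added example that is not part of the original article, the keyword search described in the first bullet can be driven from the data dictionary in PL/SQL. The schema name APPS_OWNER, the column-name pattern, the keyword list and the REVIEW_HITS table are all hypothetical; the block only reports, it deletes nothing, and it records the ROWID of each hit so the data owner (not the DBA) can review and purge each row, leaving the DBA to deal with the export files, audit trails and archived redo afterwards.

```sql
-- Added example, not from the original article. Sweeps the free-text columns
-- of one schema for review keywords and records each matching row's ROWID.
-- Hypothetical: schema APPS_OWNER, the column-name pattern, the keyword list,
-- and the REVIEW_HITS table. Run as a user with SELECT on the schema.
SET SERVEROUTPUT ON

CREATE TABLE review_hits (
  found_at    TIMESTAMP DEFAULT SYSTIMESTAMP,
  owner       VARCHAR2(128),
  table_name  VARCHAR2(128),
  column_name VARCHAR2(128),
  keyword     VARCHAR2(100),
  row_id      UROWID
);

DECLARE
  TYPE kw_t IS TABLE OF VARCHAR2(100);
  -- constructed keyword list; a real one comes from legal/HR review
  v_keywords kw_t := kw_t('background check', 'disability',
                          'postponing payment', 'criminal history');
  v_sql      VARCHAR2(4000);
BEGIN
  FOR c IN (SELECT owner, table_name, column_name
            FROM   all_tab_columns
            WHERE  owner = 'APPS_OWNER'
            AND    data_type IN ('VARCHAR2', 'CLOB')
            AND    REGEXP_LIKE(column_name, 'COMMENT|NOTE|DESCRIPTION|REMARK'))
  LOOP
    FOR i IN 1 .. v_keywords.COUNT LOOP
      -- Identifiers come from the data dictionary and are quoted through
      -- DBMS_ASSERT; the keyword is a bind variable, so nothing is ever
      -- concatenated into the statement as raw text.
      v_sql := 'INSERT INTO review_hits (owner, table_name, column_name, keyword, row_id) '
            || 'SELECT :o, :t, :c, :k1, ROWID FROM '
            || DBMS_ASSERT.ENQUOTE_NAME(c.owner, FALSE) || '.'
            || DBMS_ASSERT.ENQUOTE_NAME(c.table_name, FALSE)
            || ' WHERE INSTR(UPPER(' || DBMS_ASSERT.ENQUOTE_NAME(c.column_name, FALSE)
            || '), UPPER(:k2)) > 0';
      -- native dynamic SQL binds by position, so the keyword is passed twice
      EXECUTE IMMEDIATE v_sql
        USING c.owner, c.table_name, c.column_name, v_keywords(i), v_keywords(i);
      IF SQL%ROWCOUNT > 0 THEN
        DBMS_OUTPUT.PUT_LINE(c.table_name || '.' || c.column_name || ': '
                             || SQL%ROWCOUNT || ' row(s) match "' || v_keywords(i) || '"');
      END IF;
    END LOOP;
  END LOOP;
  COMMIT;
END;
/
```

The INSTR/UPPER comparison works for both VARCHAR2 and CLOB columns; once the owners have purged the flagged rows, the redo generated by those deletes is itself sensitive and falls under the archived-redo and audit-trail rules above.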
In sum, the Oracle DBA has become the important custodian
of critical corporate data, a job that requires attention to retention as well
as destruction.
Appendix A
U.S. Statutes mandating Oracle data archiving include:
- The Health Insurance Portability & Accountability Act
(HIPAA)
- The Sarbanes Oxley Act (SOX)
- The Graham/Leach/Bliley Act (GLB)
- The Federal Insurance Contribution Act (FICA)
- The Federal Unemployment Tax Act (FUTA)
- The Americans with Disabilities Act (ADA)
- The Age Discrimination in Employment Act (ADEA)
- The Equal Pay Act
- The Family and Medical Leave Act (FMLA)
- The Fair Labor Standards Act (FLSA)
- Title VII of the Civil Rights Act of 1964 (Title VII)
- The Immigration Reform and Control Act (IRCA)
- The Occupational Safety and Health Act (OSHA)
- The Employee Retirement Income Security Act (ERISA)