Florida police officer Leonel Marines resigned after a police investigation revealed the 12-year veteran of the Bradenton Police Department had been using police databases like a dating app to locate potential women for fun and maybe more. He'd been doing it for years.
While it's surprising this 5-0 Romeo actually got some dates playing fast and loose with his access to driver's license and vehicle registration databases, the more shocking thing about this story is that it could have happened in the first place. It is an object lesson on how much organizations need to learn about cybersecurity.
Protect and Serve, Meet Self-Service.
The situation at the Bradenton Police Department is more complex than it might initially appear. At first blush, outrage seems like the only response. How could this wholesale slaughter of our Constitutionally guaranteed privacy be allowed? Who needs to be fired?
While there must be a zero-tolerance policy regarding members of the law enforcement community who abuse their privileged access to databases that contain sensitive personal information, we can't lose sight of why it is imperative they have such access. Law enforcement officers' lives are on the line every day, and they regularly need to know who they're dealing with fast. There is no time to ask for permission to access data that could drastically affect the outcome of a dangerous situation unfolding in real time. The presumption is that law enforcement officers will not abuse their access to data, any more than they might the power of a gun and a badge.
Marines was that unhoped-for aberration that never fails to highlight a cybersecurity fail, albeit in perfect hindsight. According to reports, he looked up 150 women, connecting names to social media accounts, used phone numbers on file to contact "potential dates," stalked them and asked a number of them out as the spirit moved him.
There is no denying that this is some bad stuff, perhaps even shocking. But really the only shock here is that at this late stage of our cyber-insecurity such a scheme could work. Marines actually got some dates--that is, until it failed spectacularly (if the charges stick). But still: A shocker. How come no safeguards were in place.
What Safeguards, You Ask...
You can read the gnarly details of the Bradenton case here, because I'm only interested in the story as a pivot to move the ball down the field when it comes to cyber. Here's the deal: While police officers need access to sensitive data, not everyone does. This basic truth is a foundational truth in cybersecurity protocols. Here's another: Even though police need access to sensitive data, there are ways to gateway that data, and make it hard for research such as the kind detailed above.
Indeed, the main takeaway from the Bradenton story is that even among police, there can and should be a review--whether automated or random--of information accessed on a database.
In a perfect cyber situation, the alleged "data set as dating app" stalker cop would have set off alarms, because he checked the files of mainly women, and specifically Latina women. It would be easy enough to create some rules so that kind of search behavior would trigger an alarm. It would only require that cyber best practices were baked into the search system used.
Baking in Security from the Start
Increasingly cybersecurity is baked in, and this is where the main cybersecurity lesson here can be found. We need to use our imagination when it comes to protecting data.
Most organizations don't face the kind of life and death situations associated with law enforcement where not knowing about a person could result in instant death. As a result, it is possible and preferable to have a credential system where users have access to only that information which their credentials will allow, saving the most sensitive access to the most trusted people in an organization.
Cybersecurity is all about thinking what-if (i.e., what if a rogue, randy cop wants to swipe right and left on a driver license data base?) and then what can be done to make that behavior trip an alarm?
Don't ask, "What if everything at our organization isn't secure?" You can be certain it is not. Ask instead, "How can our systems be more secure?" That's the first important question in a long series of queries that if answered meticulously will make our organizations harder to hit, and less vulnerable to the unforeseen ways shoddy data protection can lead to unwanted attention and serious consequences.