BreachExchange mailing list archives
Re: Data Loss versus Identity Theft
From: George Toft <george () myitaz com>
Date: Fri, 27 Oct 2006 08:10:11 -0700
I guess I am a fan of Arizona's Notification of Compromised Personal Information law that defines a reportable event where unredacted/unencrypted personal information is exposed through a compromise of a security system. (This is my high-level interpretation - it gets more specific about having to perform an evaluation to ensure a security control was compromised, but that could take a long time before notification is made.) This definition makes no mention of 3rd parties, or number of people. It's just an event. It also covers laptops stolen out of cars. Strangely enough, I think giant loophole in the law is if there are no security controls in place, no reporting is required as security was not compromised. Common sense states otherwise. Read the text of the new AZ law here: http://www.azleg.gov/FormatDocument.asp?inDoc=/legtext/47leg/2r/bills/sb1338h.htm George Toft, CISSP, MSIS lyger wrote:
Since the topic was recently discussed, just want to toss out a few ideas and/or questions about what may or may not be topical for the mail list, attrition.org Data Loss web page, and database (DLDOS). Is it agreed that not every recorded event of "identity theft" should be considered a "data loss" event? Generally, I've considered "data loss" to mean a third party was entrusted with personally identifiable confidential information and said data was lost or stolen either maliciously or accidentially. Events like these wouldn't count: 1. A purse, wallet, or personal computer was stolen (whether secured or not), resulting in the information of a very small number of people being compromised 2. Phishing attacks, where the *end user* is ulitmately responsible for having their own information compromised through their own actions. It's getting to the point where almost every media story is equating the theft or loss of personal data with "identity theft". Some studies suggest there is little correlation between a "data loss" event and actual identity theft. So, the questions: 1. At what point, for the mail list, the various breach lists, and DLDOS, should it be said, "no, this doesn't count" 2. Can anyone come up with a reasonable definition of "data loss" and how it would differ from a reasonable definition of "identity theft"? It seems that we're crossing into grey areas in some events, so any feedback would be appreciated. Lyger _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tracking more than 139 million compromised records in 447 incidents over 6 years.
_______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tracking more than 139 million compromised records in 447 incidents over 6 years.
Current thread:
- Data Loss versus Identity Theft lyger (Oct 26)
- Re: Data Loss versus Identity Theft George Toft (Oct 27)
- <Possible follow-ups>
- Re: Data Loss versus Identity Theft Casey, Troy # Atlanta (Oct 27)
- Re: Data Loss versus Identity Theft DAIL, ANDY (Oct 27)
- Re: Data Loss versus Identity Theft Chris Walsh (Oct 27)
- Re: Data Loss versus Identity Theft Adam Shostack (Oct 27)
- Re: Data Loss versus Identity Theft Brannigan, Chris J - Washington, DC (Oct 27)
- Re: Data Loss versus Identity Theft Chris Walsh (Oct 27)
- Re: Data Loss versus Identity Theft Henry Brown (Oct 27)
- Re: Data Loss versus Identity Theft Walter Padworski (Oct 27)