BreachExchange mailing list archives

Re: Data Loss versus Identity Theft


From: Adam Shostack <adam () homeport org>
Date: Fri, 27 Oct 2006 15:10:35 -0400

On Fri, Oct 27, 2006 at 01:03:01PM -0500, Chris Walsh wrote:

| The distinction between the two is clear.  To me, a thornier issue is 
| whether "data loss" is itself a misnomer.  In many cases, PII has been
| exposed to possible loss, but we have no way of knowing whether it has
| been obtained by any unauthorized people.
| 

I think 'data loss' or 'breach' refers to the loss of the ability of
the organization to control the data.  What happens after that is a
result of that loss of control.  Let's say you have a truck full of
dollar bills, and it falls apart. Let's also say that good Samaritans
help you pick up all the money.  Do you not wonder why the truck fell
apart?  Do you not count it as a serious event?

Recovery of the money doesn't make your loss of control any less
serious, it simply means you've lucked out of some of the more serious
potential impacts.

Substitute "good police work" for "good Samaritan" and "laptop" for
"dollars" and you have the VA laptop situation.

Adam
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 139 million compromised records in 447 incidents over 6 years.


