BreachExchange mailing list archives
Re: Data Loss versus Identity Theft
From: "Brannigan, Chris J - Washington, DC" <chris.j.brannigan () usps gov>
Date: Fri, 27 Oct 2006 16:03:16 -0400
"data exposure" vs. "data loss" fwiw, I usually use the generic term "data exposure" to describe all types of data breaches, because it can include data records of any type or quantity being lost, stolen, presented on a public website inadvertently, sent by its owner to someone else by mistake, etc. In some very specific circumstances, by itself, "data exposure" can be a crime all by itself. for example, the Privacy Act of 1974 can be technically violated by a fed employee knowingly posting covered personal information on a public website. and that violation has no dependence on any one accessing or downloading that data, or making any criminal use of it. HIPAA can be violated without anyone making any use of the exposed data. "identity theft" describes a particular criminal activity defined in numerous state statutes which is performed with unauthorized personal information that may have been obtained through any number of different types of "data exposures", including loss, theft, public posting, via pre-texting, etc. Chris fwiw, CIPP/G -----Original Message----- From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of Adam Shostack Sent: Friday, October 27, 2006 3:11 PM To: Chris Walsh Cc: dataloss () attrition org Subject: Re: [Dataloss] Data Loss versus Identity Theft On Fri, Oct 27, 2006 at 01:03:01PM -0500, Chris Walsh wrote: | The distinction between the two is clear. To me, a thornier issue is | whether "data loss" is itself a misnomer. In many cases, PII has been | exposed to possible loss, but we have no way of knowing whether it has | been obtained by any unauthorized people. | I think 'data loss' or 'breach' refers to the loss of the ability of the organization to control the data. What happens after that is a result of that loss of control. Lets say you have a truck full of dollar bills, and it falls apart. Let's also say that good samaratians help you pick up all the money. 
Do you not wonder why the truck fell apart? Do you not count it as a serious event? Recovery of the money doesn't make your loss of control any less serious, it simply means you've lucked out of some of the more serious potential impacts. Substitute "good police work" for "good samaritian" and "laptop" for "dollars" and you have the VA laptop situation. Adam _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tracking more than 139 million compromised records in 447 incidents over 6 years. _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tracking more than 139 million compromised records in 447 incidents over 6 years.