BreachExchange mailing list archives

Re: Data Loss versus Identity Theft

From: George Toft <george () myitaz com>
Date: Fri, 27 Oct 2006 08:10:11 -0700

I guess I am a fan of Arizona's Notification of Compromised Personal 
Information law that defines a reportable event where 
unredacted/unencrypted personal information is exposed through a 
compromise of a security system.  (This is my high-level interpretation 
- it gets more specific about having to perform an evaluation to ensure 
a security control was compromised, but that could take a long time 
before notification is made.)

This definition makes no mention of 3rd parties, or number of people. 
It's just an event.  It also covers laptops stolen out of cars. 
Strangely enough, I think giant loophole in the law is if there are no 
security controls in place, no reporting is required as security was not 
compromised.  Common sense states otherwise.

Read the text of the new AZ law here:
http://www.azleg.gov/FormatDocument.asp?inDoc=/legtext/47leg/2r/bills/sb1338h.htm

George Toft, CISSP, MSIS


lyger wrote:

Since the topic was recently discussed, just want to toss out a few ideas 
and/or questions about what may or may not be topical for the mail list, 
attrition.org Data Loss web page, and database (DLDOS).

Is it agreed that not every recorded event of "identity theft" should be 
considered a "data loss" event?  Generally, I've considered "data loss" to 
mean a third party was entrusted with personally identifiable confidential 
information and said data was lost or stolen either maliciously or 
accidentially.  Events like these wouldn't count:

1. A purse, wallet, or personal computer was stolen (whether secured or 
not), resulting in the information of a very small number of people being 
compromised

2. Phishing attacks, where the *end user* is ulitmately responsible for 
having their own information compromised through their own actions.

It's getting to the point where almost every media story is equating the 
theft or loss of personal data with "identity theft".  Some studies 
suggest there is little correlation between a "data loss" event and actual 
identity theft.  So, the questions:

1. At what point, for the mail list, the various breach lists, and DLDOS, 
should it be said, "no, this doesn't count"

2. Can anyone come up with a reasonable definition of "data loss" and how 
it would differ from a reasonable definition of "identity theft"?  It 
seems that we're crossing into grey areas in some events, so any feedback 
would be appreciated.

Lyger
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 139 million compromised records in 447 incidents over 6 years.

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 139 million compromised records in 447 incidents over 6 years.

Current thread:

Data Loss versus Identity Theft lyger (Oct 26)
- Re: Data Loss versus Identity Theft George Toft (Oct 27)
- <Possible follow-ups>
- Re: Data Loss versus Identity Theft Casey, Troy # Atlanta (Oct 27)
- Re: Data Loss versus Identity Theft DAIL, ANDY (Oct 27)
  - Re: Data Loss versus Identity Theft Chris Walsh (Oct 27)
    - Re: Data Loss versus Identity Theft Adam Shostack (Oct 27)
    - Re: Data Loss versus Identity Theft Brannigan, Chris J - Washington, DC (Oct 27)
- Re: Data Loss versus Identity Theft Henry Brown (Oct 27)
- Re: Data Loss versus Identity Theft Walter Padworski (Oct 27)