BreachExchange mailing list archives
Re: Is dataloss becoming the next 'computer virus' trend?
From: "Brannigan, Chris J - Washington, DC" <chris.j.brannigan () usps gov>
Date: Mon, 18 Dec 2006 11:36:20 -0500
Chris Walsh wrote:
...Off the top of my head, we would need:
1. A master list of breached records, or the individuals to whom they
relate.
3. A second group of records/individuals not known to have been
breached.
--------------
IMHO, any list of names originating from any federal govt agency breach
(including the VA laptop 26.5M vets) would be covered by the Privacy Act
of 1974, therefore very likely unavailable for such a use.
Such a disclosure would not technicall be permitted under the Privacy
Act, and very likely withholding the data would also come under a
covered exception under FOIA.
Chris Brannigan
CIPP/G
-----Original Message-----
From: dataloss-bounces () attrition org
[mailto:dataloss-bounces () attrition org] On Behalf Of Chris Walsh
Sent: Monday, December 18, 2006 11:04 AM
To: dataloss () attrition org
Subject: Re: [Dataloss] Is dataloss becoming the next 'computer virus'
trend?
On Mon, Dec 18, 2006 at 10:26:05AM -0500, Sean Steele wrote:
I think it's clear we need a landmark tracking / longitudinal study of
these breaches, their affected individuals, and ideally, the organizations in question, to assess whether there is a real crisis.
That is exactly what is needed.
We have people reading this list who are in a position to know about
things like fraud detection software, etc. What would it take to do
such a study?
Off the top of my head, we would need:
1. A master list of breached records, or the individuals to whom they
relate.
3. A second group of records/individuals not known to have been
breached.
3. A way to identify attempted/actual using the identifying info of
those individuals.
Who would/could have such data? What legal restrictions might there be
against its use? In principle, this is doable -- ID Analytics took a
crack at it, but their sample was one purely of convenience.
There may not be, as much as we think there is or might be.
And as much as the "no reason to believe the data were accessed..." crowd would like to think there is not. Chris _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tracking more than 143 million compromised records in 512 incidents over 6 years. _______________________________________________ Dataloss Mailing List (dataloss () attrition org) http://attrition.org/dataloss Tracking more than 143 million compromised records in 512 incidents over 6 years.
Current thread:
- Is dataloss becoming the next 'computer virus' trend? Richard Forno (Dec 17)
- Re: Is dataloss becoming the next 'computer virus' trend? security curmudgeon (Dec 17)
- Re: Is dataloss becoming the next 'computer virus' trend? blitz (Dec 17)
- <Possible follow-ups>
- Re: Is dataloss becoming the next 'computer virus' trend? Sean Steele (Dec 18)
- Re: Is dataloss becoming the next 'computer virus' trend? Brannigan, Chris J - Washington, DC (Dec 18)
- Re: Is dataloss becoming the next 'computer virus' trend? Chris Walsh (Dec 18)
- Re: Is dataloss becoming the next 'computer virus' trend? Brannigan, Chris J - Washington, DC (Dec 18)
- Re: Is dataloss becoming the next 'computer virus' trend? blitz (Dec 18)
- Re: Is dataloss becoming the next 'computer virus' trend? security curmudgeon (Dec 17)