[Dataloss] Is dataloss becoming the next 'computer virus' trend?

Brannigan, Chris J - Washington, DC chris.j.brannigan at usps.gov
Mon Dec 18 10:44:40 EST 2006


All true, but just to add one more recent consequence, besides the MA
$25K fine, the FTC Choicepoint $15M fine included $5M for consumer
redress, those first letters from the FTC have finally gone out to
identified ID theft victims of the Choicepoint breach...

Chris Brannigan 
CIPP/G

-----------

FTC Mails Refund Forms To ChoicePoint Data Breach Victims 
InformationWeek 
By Gregg Keizer,  
Dec. 7, 2006 
URL:
http://www.informationweek.com/story/showArticle.jhtml?articleID=1966023
58 


Nearly two years after data broker ChoicePoint revealed that it had sold
identity information to criminals, the Federal Trade Commission on
Wednesday announced it had mailed claim forms to over 1,400 victims who
can now file for refunds on money they spent setting things straight. 

Early in 2005, ChoicePoint reported it had handed over consumers' names,
addresses, Social Security numbers, and credit reports to fraudsters
working out of Los Angeles County. In February 2005, it sent 145,000
notifications to residents in 50 states whose personal information may
have been sold to the identity thieves in the fall of 2004. 

After an FTC investigation, the commission and ChoicePoint agreed to a
settlement in January 2006 that, among other things, required the
company to pay up to $5 million to reimburse consumers. 

According to the FTC, the reparation forms must be postmarked by Feb. 4
to be considered. "The amount applicants receive will depend on a number
of factors, including the total number and amount of claims that the
agency receives," the FTC said in a statement. 

Claim forms have also been posted on the FTC's Web site in both English
and Spanish, and a toll-free telephone number and e-mail address have
been set up to take questions from affected consumers. 


===========================



-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Sean Steele
Sent: Monday, December 18, 2006 10:26 AM
To: dataloss at attrition.org
Subject: Re: [Dataloss] Is dataloss becoming the next 'computer virus'
trend?


The points you raise are good ones, perhaps the most important in this
entire larger discussion.

>From where I'm sitting, it appears few of these data breaches/losses 
>are
becoming, over time, either ID theft problems for the affected
individuals, or corporate security calls-to-action for the organizations
at fault.  Many laptops in particular are stolen as targets of
opportunity, for their hardware resale value (not specifically targeted
for the data that may reside on them).

We see few compliance or regulatory sanctions, little in the way of
public flogging (the VA laptop loss being a notable exception), and an
ocassional slap on the wrist (e.g., MA Dept of State's whopping $25k
fine against Ameriprise Financial for losing a laptop with data about
230,000 customers and financial advisers).

You're right, these losses are weekly if not daily news items. They're
so commonplace, however, that I'd propose we're (collectively) becoming
desensitized: we're tuning out the ongoing "noise".  

I think it's clear we need a landmark tracking / longitudinal study of
these breaches, their affected individuals, and ideally, the
organizations in question, to assess whether there is a real crisis.
There may not be, as much as we think there is or might be.

--
Sean Steele, CISSP
infoLock Technologies
703.310.6478  direct
202.270.8672  mobile
ssteele at infolocktech.com

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Richard Forno
Sent: Sunday, December 17, 2006 11:51 AM
To: dataloss at attrition.org
Subject: [Dataloss] Is dataloss becoming the next 'computer virus'
trend?


We see these reports of data loss, laptop theft, databse compromises,
etc, etc, etc on a weekly, if not daily basis.  Some of these are quite
large, too. Yet after the initial hysteria of "yet another theft of
data" story making the rounds in the media, is anyone tracking not just
the number of events, but the outcome of such events over time?

I can't remember too many dataloss cases that had much of a "tail" to
them after the initial event was reported in the media: What happens
after the organization in question notifies their victims?  Does it
engage in any [effective] corrective action to remedy the problem that
caused the data loss?  Does anyone get fired? Fined? Arrested?  Do the
victims sue?  Do regulators (state/federal/local) get involved? Or does
life just go on and the organization in question (or victims) just brush
the event off as another consequence of doing business in the
information age, much like dealing with the latest Windows
worm/virus/trojan?

Consequently, I wonder if "data loss" is fast becoming the new computer
virus in terms of what I sense is a growing "routine-ness" about how the
media covers such events -- especially if nothing much ever is done to
deal with it by the affected entities or to hold their feet to the
proverbial (and public) fire of accountability.  Which raises the
question, I think, of how seriously folks (companies and individuals
alike) take this entire issue in a broad sense.

Thoughts? 

-rick
Infowarrior.org


_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss Tracking more than 143 million compromised
records in 512 incidents over 6 years.




More information about the Dataloss mailing list