[Dataloss] Data Loss versus Identity Theft

George Toft george at myitaz.com
Fri Oct 27 11:10:11 EDT 2006


I guess I am a fan of Arizona's Notification of Compromised Personal 
Information law that defines a reportable event where 
unredacted/unencrypted personal information is exposed through a 
compromise of a security system.  (This is my high-level interpretation 
- it gets more specific about having to perform an evaluation to ensure 
a security control was compromised, but that could take a long time 
before notification is made.)

This definition makes no mention of 3rd parties, or number of people. 
It's just an event.  It also covers laptops stolen out of cars. 
Strangely enough, I think a giant loophole in the law is if there are no 
security controls in place, no reporting is required as security was not 
compromised.  Common sense states otherwise.

Read the text of the new AZ law here:
http://www.azleg.gov/FormatDocument.asp?inDoc=/legtext/47leg/2r/bills/sb1338h.htm

George Toft, CISSP, MSIS


lyger wrote:
> Since the topic was recently discussed, just want to toss out a few ideas 
> and/or questions about what may or may not be topical for the mail list, 
> attrition.org Data Loss web page, and database (DLDOS).
> 
> Is it agreed that not every recorded event of "identity theft" should be 
> considered a "data loss" event?  Generally, I've considered "data loss" to 
> mean a third party was entrusted with personally identifiable confidential 
> information and said data was lost or stolen either maliciously or 
> accidentally.  Events like these wouldn't count:
> 
> 1. A purse, wallet, or personal computer was stolen (whether secured or 
> not), resulting in the information of a very small number of people being 
> compromised
> 
> 2. Phishing attacks, where the *end user* is ultimately responsible for 
> having their own information compromised through their own actions.
> 
> It's getting to the point where almost every media story is equating the 
> theft or loss of personal data with "identity theft".  Some studies 
> suggest there is little correlation between a "data loss" event and actual 
> identity theft.  So, the questions:
> 
> 1. At what point, for the mail list, the various breach lists, and DLDOS, 
> should it be said, "no, this doesn't count"?
> 
> 2. Can anyone come up with a reasonable definition of "data loss" and how 
> it would differ from a reasonable definition of "identity theft"?  It 
> seems that we're crossing into grey areas in some events, so any feedback 
> would be appreciated.
> 
> Lyger
> _______________________________________________
> Dataloss Mailing List (dataloss at attrition.org)
> http://attrition.org/dataloss
> Tracking more than 139 million compromised records in 447 incidents over 6 years.