[Dataloss] Is dataloss becoming the next 'computer virus' trend?
Sean Steele
SSteele at infolocktech.com
Mon Dec 18 10:26:05 EST 2006
The points you raise are good ones, perhaps the most important in this
entire larger discussion.
From where I'm sitting, it appears few of these data breaches/losses are
becoming, over time, either ID theft problems for the affected
individuals, or corporate security calls-to-action for the organizations
at fault. Many laptops in particular are stolen as targets of
opportunity, for their hardware resale value (not specifically targeted
for the data that may reside on them).
We see few compliance or regulatory sanctions, little in the way of
public flogging (the VA laptop loss being a notable exception), and an
occasional slap on the wrist (e.g., MA Dept of State's whopping $25k
fine against Ameriprise Financial for losing a laptop with data about
230,000 customers and financial advisers).
You're right, these losses are weekly if not daily news items. They're
so commonplace, however, that I'd propose we're (collectively) becoming
desensitized: we're tuning out the ongoing "noise".
I think it's clear we need a landmark tracking / longitudinal study of
these breaches, their affected individuals, and ideally, the
organizations in question, to assess whether there is a real crisis.
There may not be, as much as we think there is or might be.
--
Sean Steele, CISSP
infoLock Technologies
703.310.6478 direct
202.270.8672 mobile
ssteele at infolocktech.com
-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of Richard Forno
Sent: Sunday, December 17, 2006 11:51 AM
To: dataloss at attrition.org
Subject: [Dataloss] Is dataloss becoming the next 'computer virus' trend?
We see these reports of data loss, laptop theft, database compromises,
etc, etc, etc on a weekly, if not daily basis. Some of these are quite
large, too. Yet after the initial hysteria of "yet another theft of data"
story making the rounds in the media, is anyone tracking not just the
number of events, but the outcome of such events over time?
I can't remember too many dataloss cases that had much of a "tail" to
them after the initial event was reported in the media: What happens
after the organization in question notifies their victims? Does it
engage in any [effective] corrective action to remedy the problem that
caused the data loss? Does anyone get fired? Fined? Arrested? Do the
victims sue? Do regulators (state/federal/local) get involved? Or does
life just go on and the organization in question (or victims) just brush
the event off as another consequence of doing business in the
information age, much like dealing with the latest Windows
worm/virus/trojan?
Consequently, I wonder if "data loss" is fast becoming the new computer
virus in terms of what I sense is a growing "routine-ness" about how the
media covers such events -- especially if nothing much ever is done to
deal with it by the affected entities or to hold their feet to the
proverbial (and public) fire of accountability. Which raises the
question, I think, of how seriously folks (companies and individuals
alike) take this entire issue in a broad sense.
Thoughts?
-rick
Infowarrior.org
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss
Tracking more than 143 million compromised records in 507 incidents over
6 years.