[Dataloss] Data Loss versus Identity Theft

Casey, Troy # Atlanta Troy.Casey at per-se.com
Fri Oct 27 09:04:10 EDT 2006


The distinction seems rather clear and simple to me.  Data Loss is
precisely as Lyger has defined it: A third party entrusted with
personally identifiable confidential information fails to maintain the
confidentiality of the information, resulting in the data being lost or
stolen.

I would agree with the examples of things that don't count, with one
caveat: if the "personal computer" in example 1 is an asset of a third
party entrusted with data as described above, it's still data loss.  If
we're talking about an individual's PC with that individual's or his/her
family's information only, it's not.  If in the latter case the
individual has (rightly or wrongly) placed his/her employer's data on
the PC and it includes personally identifiable confidential information
on third party personages with which the employer (and by proxy, the
individual PC owner) is entrusted, it's again data loss.

Despite the modern usage, "Identity Theft" is actually two crimes:
first, other people's confidential information must be obtained.  Then,
the perpetrator(s) impersonate the people whose information they have -
usually to commit some fraudulent transaction.  In the absence of the
impersonation (and/or other fraud), it's just data theft (or data loss),
not "Identity Theft".  So we're really talking about two very different
things, and data loss may or may not lead to identity theft (although
the media loves to sensationalize and will raise the spectre of identity
theft wherever data loss happens).

Given that, maybe the second example sheds some light on an appropriate
distinction: if an individual, whether through carelessness or
ignorance, loses his/her own information and that of persons well-known
to them (or under their guardianship), that may be termed data loss, but
I don't think it's what the subscribers to this list are interested in.
Speaking for myself, I'm monitoring for data lost by Corporations and
other Businesses, Non-Profits, Educational Organizations, and Government
Agencies.  I really could care less how many individual internet users
have gotten "Phished" or if someone's home is broken into and their
personal records compromised.

Finally, I might suggest an additional distinction as to preventability
of the loss or cases where the data holder was in some way negligent or
failed to practice good security.  If a third-party entity as described
above makes the ill-advised decision to place confidential information
on a machine connected to the internet, for example, they should be seen
as responsible for the loss even if they had other safeguards in place;
if, on the other hand, they're evicted by the Sheriff and the Deputies
place confidential information on the curb for anyone to pick up, the
Sheriff is responsible for the data loss, IMHO.  Caveat: IANAL.

Hope this helps,
Troy

-----Original Message-----
From: dataloss-bounces at attrition.org
[mailto:dataloss-bounces at attrition.org] On Behalf Of lyger
Sent: Friday, October 27, 2006 12:06 AM
To: dataloss at attrition.org
Subject: [Dataloss] Data Loss versus Identity Theft


Since the topic was recently discussed, just want to toss out a few
ideas and/or questions about what may or may not be topical for the mail
list, attrition.org Data Loss web page, and database (DLDOS).

Is it agreed that not every recorded event of "identity theft" should be
considered a "data loss" event?  Generally, I've considered "data loss"
to mean a third party was entrusted with personally identifiable
confidential information and said data was lost or stolen either
maliciously or accidentally.  Events like these wouldn't count:

1. A purse, wallet, or personal computer was stolen (whether secured or
not), resulting in the information of a very small number of people
being compromised

2. Phishing attacks, where the *end user* is ultimately responsible for
having their own information compromised through their own actions.

It's getting to the point where almost every media story is equating the
theft or loss of personal data with "identity theft".  Some studies
suggest there is little correlation between a "data loss" event and
actual identity theft.  So, the questions:

1. At what point, for the mail list, the various breach lists, and
DLDOS, should it be said, "no, this doesn't count"

2. Can anyone come up with a reasonable definition of "data loss" and
how it would differ from a reasonable definition of "identity theft"?
It seems that we're crossing into grey areas in some events, so any
feedback would be appreciated.

Lyger
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss Tracking more than 139 million compromised
records in 447 incidents over 6 years.