[Dataloss] Data Loss versus Identity Theft

Chris Walsh cwalsh at cwalsh.org
Fri Oct 27 14:03:01 EDT 2006

IMO:

Data loss - The exposure of personal information to unauthorized
parties occurring via a mechanism other than deliberate or negligent
release by the person to whom the information pertains.

So, I put my SSN on a billboard != data loss

ID theft - the use of personal information about an individual other than
the actor to obtain goods/services, typically via impersonation.

The distinction between the two is clear.  To me, a thornier issue is 
whether "data loss" is itself a misnomer.  In many cases, PII has been
exposed to possible loss, but we have no way of knowing whether it has
been obtained by any unauthorized people.

I would handle the encryption question the way many state laws do --
if you expose the key and the data, then encryption doesn't provide 
safe harbor.  To this I would add that the encryption must be using
algorithms and key lengths which conform with FIPS 140-2.  There's some
handwaving in that last sentence, but the idea is we need to not allow
ROT13 or XOR to become escape clauses.

The "data center fire" example is an excellent one.  Thought-provoking.

To Andy's statistician or mathematician point, I would add that unless
one has the raw data, one cannot begin.  I wish I knew more about fraud
detection networks -- the approach ID Analytics took makes sense, if
only they could/would use a valid sample.  Unsure if this is possible,
however.

cw


On Fri, Oct 27, 2006 at 10:37:45AM -0400, DAIL, ANDY wrote:
> 
> How about a gray area, such as a back-up tape turning up missing, but
> the data is highly encrypted, so very unlikely to be compromised?
> 
> If the same tape is unaccounted for in some type of catastrophe, such as
> a data center fire, technically it is still a reportable data loss.
> 
> A scale measuring, or attempting to predict the risk of misuse of
> missing data might be helpful, but the statistical probability
> predictions would take a mathematician or statistician to achieve any
> reasonable level of accuracy.
> 
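Illustrating Chris's point that ROT13 or XOR must not become escape clauses, here is an added example (not from the original thread or from any named project) showing that a single-byte XOR "encryption" of an SSN-shaped record can be undone without the key simply by trying all 256 key bytes and keeping whatever still has NNN-NN-NNNN shape; the sample SSN, the key byte and the function names are constructed for this demonstration.

```python
# Constructed sample value: a fake SSN in the usual 9-digit form, not a real number.
SAMPLE_SSN = b"123-45-6789"


def xor_encrypt(data: bytes, key: bytes) -> bytes:
    """'Encrypt' by XORing each byte with a repeating key (the weak scheme under discussion).
    XOR is its own inverse, so the same call decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_ssn(candidate: bytes) -> bool:
    """Plausibility check: exactly NNN-NN-NNNN, digits everywhere except dashes at 3 and 6."""
    if len(candidate) != 11:
        return False
    for i, c in enumerate(candidate):
        if i in (3, 6):
            if c != ord("-"):
                return False
        elif not (ord("0") <= c <= ord("9")):
            return False
    return True


def recover_single_byte_xor(ciphertext: bytes) -> list:
    """Key-less recovery: try every one-byte key and return (key, plaintext) pairs
    whose output has SSN shape. For a real cipher (e.g. AES) no such structure
    survives in the ciphertext, so this search would return nothing."""
    hits = []
    for k in range(256):
        pt = xor_encrypt(ciphertext, bytes([k]))
        if looks_like_ssn(pt):
            hits.append((k, pt))
    return hits


if __name__ == "__main__":
    # Constructed key byte; the "encrypted" tape record is then recovered without it.
    ct = xor_encrypt(SAMPLE_SSN, b"\x5a")
    print("ciphertext:", ct.hex())
    print("recovered :", recover_single_byte_xor(ct))
```

Because the dashes at fixed positions pin down the key byte, the search yields exactly one candidate, which is why a scheme like this offers no basis for a notification safe harbor.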