[Dataloss] Data Loss versus Identity Theft

Walter Padworski wpadworski at fhcs.org
Fri Oct 27 14:23:21 EDT 2006


Just a thought, but the distinction between the two won't really matter
if the "loss" or "theft" is being reported by NBC or CNN to 150,000
readers in the Cleveland or Tuscaloosa newspapers.  

Most companies are beginning to take a proactive stance by "notifying
those whose information may or has been compromised."  Regardless of how
a company spins it they should realize that their reputation is on the
line - not to mention their pocketbook.

Have a fun day fellas and ladies ...

P.S. anyone up to a discussion on eDiscovery - The "law" goes into
effect Dec 1, 2006.

  

>>> Chris Walsh <cwalsh at cwalsh.org> 10/27/2006 >>>
IMO:


Data loss - The exposure of personal information to unauthorized
parties occurring via a mechanism other than deliberate or negligent
release by the person to whom the information pertains.

So, I put my SSN on a billboard != data loss

ID theft - the use of personal information about an individual other
than the actor to obtain goods/services, typically via impersonation.

The distinction between the two is clear.  To me, a thornier issue is 
whether "data loss" is itself a misnomer.  In many cases, PII has been
exposed to possible loss, but we have no way of knowing whether it has
been obtained by any unauthorized people.

I would handle the encryption question the way many state laws do --
if you expose the key and the data, then encryption doesn't provide
safe harbor.  To this I would add that the encryption must be using
algorithms and key lengths which conform with FIPS 140-2.  There's
some handwaving in that last sentence, but the idea is we need to not
allow ROT13 or XOR to become escape clauses.

The "data center fire" example is an excellent one. 
Thought-provoking.

To Andy's statistician or mathematician point, I would add that unless
one has the raw data, one cannot begin.  I wish I knew more about
fraud detection networks -- the approach ID Analytics took makes sense,
if only they could/would use a valid sample.  Unsure if this is
possible, however.

cw


On Fri, Oct 27, 2006 at 10:37:45AM -0400, DAIL, ANDY wrote:
> 
> How about a gray area, such as a back-up tape turning up missing, but
> the data is highly encrypted, so very unlikely to be compromised?
> 
> If the same tape is unaccounted for in some type of catastrophe, such as
> a data center fire, technically it is still a reportable data loss.
> 
> A scale measuring, or attempting to predict the risk of misuse of
> missing data might be helpful, but the statistical probability
> predictions would take a mathematician or statistician to achieve any
> reasonable level of accuracy.
> 
> 
_______________________________________________
Dataloss Mailing List (dataloss at attrition.org)
http://attrition.org/dataloss 
Tracking more than 139 million compromised records in 447 incidents
over 6 years.






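Chris Walsh's quoted post argues that ROT13 or XOR must not become escape clauses for the encryption safe harbor. The following is an added example, not code from the list post or from anyone on the thread, showing why: it "encrypts" a constructed backup tape (a fixed header line plus PII records; header, records and the 8-byte key are all invented here) with ROT13 and with repeating-key XOR, then recovers every SSN from the ROT13 tape with no key at all and from the XOR tape by a known-plaintext attack that only assumes the tape's header is public knowledge, as backup format headers usually are.

```python
"""
Added example (not from the Dataloss list post): why ROT13 and XOR give
no "safe harbor".  The tape header, the PII records and the key below
are all constructed for this demonstration.
"""
import re
from typing import Optional

# Constructed backup "tape": a fixed, assumed-public header line (most
# backup formats carry one) followed by one PII record per line.
HEADER = b"PAYROLL-BACKUP v1 2006-10-27\n"
RECORDS = [
    b"name=Jane Example;ssn=123-45-6789;dob=1970-01-01\n",
    b"name=John Sample;ssn=987-65-4321;dob=1965-12-31\n",
    b"name=Ada Nobody;ssn=555-12-3456;dob=1980-07-04\n",
]
PLAINTEXT = HEADER + b"".join(RECORDS)

# Constructed 8-byte "secret" for the repeating-key XOR scheme.
KEY = bytes([0x37, 0xA9, 0x02, 0xF1, 0x5E, 0x0C, 0x88, 0x41])

# Expected record layout; used to validate a candidate decryption.
RECORD_RE = re.compile(rb"^name=[^;\n]+;ssn=\d{3}-\d{2}-\d{4};dob=\d{4}-\d{2}-\d{2}$")
SSN_RE = re.compile(rb"ssn=(\d{3}-\d{2}-\d{4})")


def rot13(data: bytes) -> bytes:
    """ROT13 over ASCII letters: it has no key and is its own inverse."""
    out = bytearray()
    for b in data:
        if 0x41 <= b <= 0x5A:
            out.append((b - 0x41 + 13) % 26 + 0x41)
        elif 0x61 <= b <= 0x7A:
            out.append((b - 0x61 + 13) % 26 + 0x61)
        else:
            out.append(b)
    return bytes(out)


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR: the same function encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_tape(plaintext: bytes, header: bytes) -> bool:
    """Does a candidate decryption carry the known header and record layout?"""
    if not plaintext.startswith(header):
        return False
    lines = plaintext[len(header):].split(b"\n")
    return all(RECORD_RE.match(line) for line in lines if line)


def recover_xor_key(ciphertext: bytes, known_prefix: bytes,
                    max_key_len: int = 32) -> Optional[bytes]:
    """Known-plaintext attack on repeating-key XOR.

    Since c[i] = p[i] ^ key[i mod k], each ciphertext byte under a known
    plaintext byte leaks one key byte.  A known prefix at least as long as
    the key yields the whole key; we try each length k and keep the
    shortest one whose decryption has the expected layout.
    """
    assert len(known_prefix) <= len(ciphertext)
    for k in range(1, min(max_key_len, len(known_prefix)) + 1):
        key = bytes(c ^ p for c, p in zip(ciphertext[:k], known_prefix[:k]))
        if looks_like_tape(xor_repeating(ciphertext, key), known_prefix):
            return key
    return None


def extract_ssns(plaintext: bytes) -> list:
    """What whoever finds the tape walks away with."""
    return [m.decode() for m in SSN_RE.findall(plaintext)]


def demo() -> dict:
    """Apply both 'ciphers', then recover the PII without any key material."""
    rot_tape = rot13(PLAINTEXT)
    xor_tape = xor_repeating(PLAINTEXT, KEY)
    recovered_key = recover_xor_key(xor_tape, HEADER)
    return {
        "rot13_ssns": extract_ssns(rot13(rot_tape)),   # ROT13 again undoes it
        "xor_key": recovered_key,
        "xor_ssns": extract_ssns(xor_repeating(xor_tape, recovered_key)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The XOR break here relies on a known prefix no shorter than the key; when the key is longer than any known plaintext, dragging short cribs (field names such as `ssn=`) across the ciphertext and scoring each key position for printable output recovers it just the same, so key length is no defence for this construction. A FIPS 140-2 approved cipher such as AES in an authenticated mode, with the key stored off the tape, admits no such shortcut, which is the line the post wants the safe harbor to draw.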