Partial Truths: A Guide to Legally Covering Up a Data Loss Incident

Thu Jul 19 19:05:40 EST 2007

d2d


Steps required:

  1. DO NOT TELL THE PRESS.
  2. Comply with state laws, as your in-house counsel conveniently interprets them.
  3. If you must tell the press:

In truth, none of the above-mentioned methods truly covers up a data loss incident, but they do make the incident significantly less painful for the company that experiences the loss. They also have nowhere near the impact on consumers that a breach reported with full disclosure would. It is a rather simple process of deception: tell the truth only where you have to, and tell only the partial truth the law requires.

The IBM tape loss earlier this year is a fantastic example of how to make a significant breach receive little press. The breach was widely reported, but since IBM released no numbers there was no sense of its scope, and the incident was quickly forgotten. Since IBM won't disclose the numbers, we assume it was in the millions, and if you had dealings with IBM, worked for IBM, bought from IBM or thought of IBM in a sensual dream, you are probably affected.

North Carolina's Security Breach notification log (courtesy Chris Walsh) shows that an IBM tape loss affected 53,529 residents of North Carolina. IBM has 355,766 employees worldwide according to their website, and the breach covered former employees as well (supposedly mostly former employees). It could well be that every current and former employee of IBM had their private data lost with those tapes, which would make for a much larger "total affected" number. Since they did not report a total, the story has no staying power.

Next we move on to Alta Resources. From their website: "Do you really know her? We can tell you everything". Damn right they can, and possibly the world too. Never a mention of their incident in the press until the story was dug up forcibly. A (now former) employee of Alta Resources allegedly stole an undisclosed number of credit cards, and subsequently attempted to sell them to undercover law enforcement, per Paul McNamara's article. This data loss was reported as being Disney Movie Club members' credit card information, as well as names and addresses.

Apparently, Alta Resources also lost data for another client: Johnson & Johnson. We didn't find this in the press, however. We found it via the Granite State (Live free or die!!). The state of New Hampshire posts its data loss notification letters online, and a letter dated July 9th, 2007 blames Alta Resources for a data loss incident and mentions the same "employee fraud" situation as the Disney breach. Unless Alta Resources has had TWO employees defect with customer data, this could well be the same breach as the aforementioned Disney breach.

This might indicate that Alta Resources had a much more significant breach than has been reported (or not reported, as it were). What other companies' clients lost data through Alta's possibly rogue employee? Neither Alta Resources, nor Disney, nor Johnson & Johnson has released any totals except where states require it (and even then, it is generally only the total affected in that state). Since nobody is willing to disclose anything beyond what individual states require, we can't say for sure. Why are a handful of drunks running a volunteer site having to do the complex relationship maps to determine what the hell really happened? Disclosure laws should make these fucknuts disclose.

The basic premise is: people LOVE big huge numbers (TJX). If there are no big huge numbers, then nobody cares, including the media.

( No press = No breach && No totals = Little Press ) = Under-Informed Citizen

Federal data loss reporting legislation anyone?