Data Loss versus Identity Theft

[lyger <lyger () attrition org>]

Since the topic was recently discussed, just want to toss out a few ideas 
and/or questions about what may or may not be topical for the mail list, 
attrition.org Data Loss web page, and database (DLDOS).

Is it agreed that not every recorded event of "identity theft" should be 
considered a "data loss" event?  Generally, I've considered "data loss" to 
mean a third party was entrusted with personally identifiable confidential 
information and said data was lost or stolen either maliciously or 
accidentially.  Events like these wouldn't count:

1. A purse, wallet, or personal computer was stolen (whether secured or 
not), resulting in the information of a very small number of people being 
compromised

2. Phishing attacks, where the *end user* is ulitmately responsible for 
having their own information compromised through their own actions.

It's getting to the point where almost every media story is equating the 
theft or loss of personal data with "identity theft".  Some studies 
suggest there is little correlation between a "data loss" event and actual 
identity theft.  So, the questions:

1. At what point, for the mail list, the various breach lists, and DLDOS, 
should it be said, "no, this doesn't count"

2. Can anyone come up with a reasonable definition of "data loss" and how 
it would differ from a reasonable definition of "identity theft"?  It 
seems that we're crossing into grey areas in some events, so any feedback 
would be appreciated.

Lyger
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 139 million compromised records in 447 incidents over 6 years.