BreachExchange mailing list archives
Re: Data Loss versus Identity Theft
From: "Casey, Troy # Atlanta" <Troy.Casey () per-se com>
Date: Fri, 27 Oct 2006 09:04:10 -0400
The distinction seems rather clear and simple to me. Data Loss is precisely as Lyger has defined it: a third party entrusted with personally identifiable confidential information fails to maintain the confidentiality of the information, resulting in the data being lost or stolen.

I would agree with the examples of things that don't count, with one caveat: if the "personal computer" in example 1 is an asset of a third party entrusted with data as described above, it's still data loss. If we're talking about an individual's PC with that individual's or his/her family's information only, it's not. If in the latter case the individual has (rightly or wrongly) placed his/her employer's data on the PC and it includes personally identifiable confidential information on third party personages with which the employer (and by proxy, the individual PC owner) is entrusted, it's again data loss.

Despite the modern usage, "Identity Theft" is actually two crimes: first, other people's confidential information must be obtained. Then, the perpetrator(s) impersonate the people whose information they have - usually to commit some fraudulent transaction. In the absence of the impersonation (and/or other fraud), it's just data theft (or data loss), not "Identity Theft". So we're really talking about two very different things, and data loss may or may not lead to identity theft (although the media loves to sensationalize and will raise the spectre of identity theft wherever data loss happens).

Given that, maybe the second example sheds some light on an appropriate distinction: if an individual, whether through carelessness or ignorance, loses his/her own information and that of persons well-known to them (or under their guardianship), that may be termed data loss, but I don't think it's what the subscribers to this list are interested in.

Speaking for myself, I'm monitoring for data lost by Corporations and other Businesses, Non-Profits, Educational Organizations, and Government Agencies. I really could care less how many individual internet users have gotten "Phished" or if someone's home is broken into and their personal records compromised.

Finally, I might suggest an additional distinction as to preventability of the loss or cases where the data holder was in some way negligent or failed to practice good security. If a third-party entity as described above makes the ill-advised decision to place confidential information on a machine connected to the internet, for example, they should be seen as responsible for the loss even if they had other safeguards in place; if on the other hand, they're evicted by the Sheriff and the Deputies place confidential information on the curb for anyone to pick up, the Sheriff is responsible for the data loss, IMHO.

Caveat: IANAL.

Hope this helps,
Troy

-----Original Message-----
From: dataloss-bounces () attrition org [mailto:dataloss-bounces () attrition org] On Behalf Of lyger
Sent: Friday, October 27, 2006 12:06 AM
To: dataloss () attrition org
Subject: [Dataloss] Data Loss versus Identity Theft

Since the topic was recently discussed, just want to toss out a few ideas and/or questions about what may or may not be topical for the mail list, attrition.org Data Loss web page, and database (DLDOS).

Is it agreed that not every recorded event of "identity theft" should be considered a "data loss" event? Generally, I've considered "data loss" to mean a third party was entrusted with personally identifiable confidential information and said data was lost or stolen either maliciously or accidentally. Events like these wouldn't count:

1. A purse, wallet, or personal computer was stolen (whether secured or not), resulting in the information of a very small number of people being compromised
2. Phishing attacks, where the *end user* is ultimately responsible for having their own information compromised through their own actions.

It's getting to the point where almost every media story is equating the theft or loss of personal data with "identity theft". Some studies suggest there is little correlation between a "data loss" event and actual identity theft.

So, the questions:

1. At what point, for the mail list, the various breach lists, and DLDOS, should it be said, "no, this doesn't count"?
2. Can anyone come up with a reasonable definition of "data loss" and how it would differ from a reasonable definition of "identity theft"?

It seems that we're crossing into grey areas in some events, so any feedback would be appreciated.

Lyger

_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 139 million compromised records in 447 incidents over 6 years.