BreachExchange mailing list archives
Re: Data Loss versus Identity Theft
From: Chris Walsh <cwalsh () cwalsh org>
Date: Fri, 27 Oct 2006 13:03:01 -0500
IMO:

Data loss - The exposure of personal information to unauthorized parties occurring via a mechanism other than deliberate or negligent release by the person to whom the information pertains. So, I put my SSN on a billboard != data loss.

ID theft - The use of personal information about an individual other than the actor to obtain goods/services, typically via impersonation.

The distinction between the two is clear. To me, a thornier issue is whether "data loss" is itself a misnomer. In many cases, PII has been exposed to possible loss, but we have no way of knowing whether it has been obtained by any unauthorized people.

I would handle the encryption question the way many state laws do -- if you expose the key and the data, then encryption doesn't provide safe harbor. To this I would add that the encryption must be using algorithms and key lengths which conform with FIPS 140-2. There's some handwaving in that last sentence, but the idea is we need to not allow ROT13 or XOR to become escape clauses.

The "data center fire" example is an excellent one. Thought-provoking.

To Andy's statistician or mathematician point, I would add that unless one has the raw data, one cannot begin. I wish I knew more about fraud detection networks -- the approach ID Analytics took makes sense, if only they could/would use a valid sample. Unsure if this is possible, however.

cw

On Fri, Oct 27, 2006 at 10:37:45AM -0400, DAIL, ANDY wrote:
> How about a gray area, such as a back-up tape turning up missing, but the data is highly encrypted, so very unlikely to be compromised? If the same tape is unaccounted for in some type of catastrophe, such as a data center fire, technically it is still a reportable data loss.
>
> A scale measuring, or attempting to predict, the risk of misuse of missing data might be helpful, but the statistical probability predictions would take a mathematician or statistician to achieve any reasonable level of accuracy.
_______________________________________________
Dataloss Mailing List (dataloss () attrition org)
http://attrition.org/dataloss
Tracking more than 139 million compromised records in 447 incidents over 6 years.
Current thread:
- Data Loss versus Identity Theft lyger (Oct 26)
- Re: Data Loss versus Identity Theft George Toft (Oct 27)
- <Possible follow-ups>
- Re: Data Loss versus Identity Theft Casey, Troy # Atlanta (Oct 27)
- Re: Data Loss versus Identity Theft DAIL, ANDY (Oct 27)
- Re: Data Loss versus Identity Theft Chris Walsh (Oct 27)
- Re: Data Loss versus Identity Theft Adam Shostack (Oct 27)
- Re: Data Loss versus Identity Theft Brannigan, Chris J - Washington, DC (Oct 27)
- Re: Data Loss versus Identity Theft Chris Walsh (Oct 27)
- Re: Data Loss versus Identity Theft Henry Brown (Oct 27)
- Re: Data Loss versus Identity Theft Walter Padworski (Oct 27)