[Dataloss] Data Loss versus Identity Theft

From: lyger (lygerattrition.org)
Date: Thu Oct 26 2006 - 23:05:58 CDT


Since the topic was recently discussed, just want to toss out a few ideas
and/or questions about what may or may not be topical for the mail list,
attrition.org Data Loss web page, and database (DLDOS).

Is it agreed that not every recorded event of "identity theft" should be
considered a "data loss" event? Generally, I've considered "data loss" to
mean a third party was entrusted with personally identifiable confidential
information and said data was lost or stolen either maliciously or
accidentally. Events like these wouldn't count:

1. A purse, wallet, or personal computer was stolen (whether secured or
not), resulting in the information of a very small number of people being
compromised.

2. Phishing attacks, where the *end user* is ultimately responsible for
having their own information compromised through their own actions.

It's getting to the point where almost every media story is equating the
theft or loss of personal data with "identity theft". Some studies
suggest there is little correlation between a "data loss" event and actual
identity theft. So, the questions:

1. At what point, for the mail list, the various breach lists, and DLDOS,
should it be said, "no, this doesn't count"?

2. Can anyone come up with a reasonable definition of "data loss" and how
it would differ from a reasonable definition of "identity theft"? It
seems that we're crossing into grey areas in some events, so any feedback
would be appreciated.

Lyger
_______________________________________________
Dataloss Mailing List (datalossattrition.org)
http://attrition.org/dataloss
Tracking more than 139 million compromised records in 447 incidents over 6 years.