Over at Emergent Chaos, Adam raises the question of whether we are seeing more data breaches, or just more data breach reporting. His post is inspired by a release from the Identity Theft Resource Center stating that they’ve already matched the 2007 breach numbers this year.
Personally, I think it’s a bit of both, and we’re many years away from any accurate statistics for a few reasons:
- Breaches are underreported. As shown in the TJX case, not every company performs a breach notification (TJX reported, other organizations did not). I know of a case where a payment processor was compromised, records lost for some financial services firms that ran through them, and only 1 of 3-4 of the companies involved performed their breach notification. Let’s be clear, they absolutely knew they had a legal requirement to report and that their customer information was breached, and they didn’t.
- Breaches are underdetected. I picked on some of the other companies fleeced along with TJX that later failed to report, but it’s reasonable that at least some of them never knew they were breached. I’d say less than 10% of companies with PII even have the means to detect a breach.
- Breaches do not correlate with fraud. Something else we’ve discussed here before. In short, there isn’t necessarily any correlation between a “breach” notification and any actual fraud. Thus the value of breach notification statistics is limited. A lost backup tape may contain 10 million records, yet we don’t have a single case that I can find where a lost tape correlated with fraud. My gut is that hacking attacks result in more fraud, but even that is essentially impossible to prove with today’s accounting.
- There’s no national standard for a breach, never mind an international standard. Every jurisdiction has its own definition. While many follow the California standard, many others do not.
Crime statistics are some of the most difficult to gather and normalize on the planet. Cybercrime statistics are even worse.
With all that said I need to go call Bank of America since we just got a breach notification letter from them, but it doesn’t reveal which third party lost our information. This is our third letter in the past few years, and we haven’t suffered any losses yet.
6 Replies to “The Breach Reporting Dilemma”
I found this from the Heartland breach link. I think the type of breach should be part of the answer. A hard drive is stolen. Does anything happen? Maybe there should be 2 levels. 1) a law requiring general posting on an approved web site fraud center for a “potential” data breach such as the stolen laptop 2) public/personal notification if the fraud was malicious, i.e. if it’s reasonable to assume the data is stolen for the purpose of fraud (such as malware in a payment processor network as at Heartland) then a different type of notification needs to occur? This is probably too vague, but someone could clean it up.
[…] The Breach Reporting Dilemma. We really need to start looking at breach reporting differently, but I don’t expect it to […]
I think we need the breach notification laws since we don’t have an alternative way of shaming companies into doing the right thing (since they don’t otherwise bear the losses after the breach). Of course, said laws are losing their value the more breaches we see and the less “shame” is involved.
Rich: I argue that most all data in commercial and government systems are “exposed” or “compromised” to one degree or another virtually all the time. Should each citizen therefore be mailed 100 breach notices every day? Legally and ethically speaking, we do not have a competent definition of what is and is not a security breach. The result is confusion and excessive anxiety on the part of data holders, data subjects, legal authorities and the media. What do you think? –Ben http://hack-igations.blogspot.com/2007/09/definition-of-data-security-breach.html
We too believe both causes are driving these numbers up.
More disclosures are happening because:
a) More laws demand it
b) More employees are aware of the requirements of those laws
c) Rates of data exposure do not appear to be decelerating
The first two points are just common sense and public fact. The last point is supported by what we see in first-time DLP risk assessments. Measuring exposure rates of confidential data is one way, I’d argue, to predict future breach risk. These numbers continue to show the same approximate levels of risk now as they did years ago.
I’d agree that there is not always a direct correlation between “breach” events and fraud. Above, I’ve tried to use language like “exposure events” instead of the more inflammatory term “breach” since there’s large amounts of confidential data exposure out there right now. Only a fraction of these events lead directly to fraud, intellectual property theft, competitive intelligence leaks, ID theft etc… The complexity here is that although many data exposure events do not convert directly to fraud, these events still represent really significant risk (i.e. possible future exposure to damage.) Again, exposure rates are a good candidate predictor for future breach.
Making every single exposure event disclosable would just not be productive. Trust me, there’s way too many of them for that to be useful. At the same time, significant exposure events with a high likelihood of conversion to fraud seem like what the spirit of the disclosure laws intend. That’s also what most people mean when they talk about “breach”.
So I would agree that there is room for improvement in the methods and circumstances in which an organization should actually disclose data loss.
Kevin Rowney
Founder, Data Loss Prevention Division
Symantec Inc.
[…] on Securosis, Rick Mogull responds to a question Adam Shostack of Emergent Chaos posted in response to a blog entry of mine here. […]