The Breach Reporting Dilemma
Over at Emergent Chaos, Adam raises the question of whether we are seeing more data breaches, or just more data breach reporting. His post is inspired by a release from the Identity Theft Resource Center stating that they’ve already matched the 2007 breach numbers this year.
Personally, I think it’s a bit of both, and we’re many years away from any accurate statistics, for a few reasons:
- Breaches are underreported. As the TJX case showed, not every company performs a breach notification (TJX reported; other organizations hit in the same incident did not). I know of a case where a payment processor was compromised, records were lost for several financial services firms whose transactions ran through it, and only 1 of the 3-4 companies involved performed any breach notification. Let’s be clear: they absolutely knew they had a legal requirement to report and that their customer information was breached, but they didn’t.
- Breaches are underdetected. I picked on some of the other companies fleeced along with TJX that later failed to report, but it’s reasonable to assume that at least some of them never knew they were breached. I’d say fewer than 10% of companies holding PII even have the means to detect a breach.
- Breaches do not correlate with fraud. This is something else we’ve discussed here before. In short, there isn’t necessarily any correlation between a “breach” notification and any actual fraud, so the value of breach notification statistics is limited. A lost backup tape may contain 10 million records, yet I can’t find a single case where a lost tape correlated with fraud. My gut is that hacking attacks result in more fraud, but even that is essentially impossible to prove with today’s accounting.
- There’s no national standard for what counts as a breach, never mind an international one. Every jurisdiction has its own definition. While many follow the California standard, many others do not.
Crime statistics are some of the most difficult to gather and normalize on the planet. Cybercrime statistics are even worse.
With all that said, I need to go call Bank of America, since we just got a breach notification letter from them, but it doesn’t reveal which third party lost our information. This is our third letter in the past few years, and we haven’t suffered any losses yet.
-rich
Kevin Rowney Sep 24
We too believe both causes are driving these numbers up.
More disclosures are happening because:
a) More laws demand it
b) More employees are aware of the requirements of those laws
c) Rates of data exposure do not appear to be decelerating
The first two points are just common sense and public fact. The last point is supported by what we see in first-time DLP risk assessments. Measuring exposure rates of confidential data is one way, I’d argue, to predict future breach risk. These numbers continue to show the same approximate levels of risk now as they did years ago.
I’d agree that there is not always a direct correlation between “breach” events and fraud. Above, I’ve tried to use language like “exposure events” instead of the more inflammatory term “breach”, since there are large amounts of confidential data exposure out there right now. Only a fraction of these events lead directly to fraud, intellectual property theft, competitive intelligence leaks, ID theft, etc. The complexity here is that although many data exposure events do not convert directly to fraud, these events still represent really significant risk (i.e., possible future exposure to damage). Again, exposure rates are a good candidate predictor for future breach.
Making every single exposure event disclosable would just not be productive. Trust me, there are way too many of them for that to be useful. At the same time, significant exposure events with a high likelihood of conversion to fraud seem like what the spirit of the disclosure laws intends. That’s also what most people mean when they talk about “breach”.
So I would agree that there is room for improvement in the methods and circumstances in which an organization should actually disclose data loss.
Kevin Rowney
Founder, Data Loss Prevention Division
Symantec Inc.
Benjamin Wright Sep 25
Rich: I argue that almost all data in commercial and government systems is “exposed” or “compromised” to one degree or another virtually all the time. Should each citizen therefore be mailed 100 breach notices every day? Legally and ethically speaking, we do not have a competent definition of what is and is not a security breach. The result is confusion and excessive anxiety on the part of data holders, data subjects, legal authorities and the media. What do you think? –Ben http://hack-igations.blogspot.com/2007/09/definition-of-data-security-breach.html
rmogull Sep 26
@ben,
I think we need the breach notification laws, since we don’t have an alternative way of shaming companies into doing the right thing (they don’t otherwise bear the losses after a breach). Of course, said laws are losing their value the more breaches we see and the less “shame” is involved.