“After Data Loss ID Theft Soars”….really?
November 20th, 2009 by cmark Posted in PCI DSS
I have worked in payment card security since 2000, when I was involved with Visa in writing/re-writing/updating the CISP. Since that time I have had the opportunity to work with Visa and MasterCard, and to work as a QSA and QSA Trainer. During that time I have had many opportunities to work with compromised companies and review data forensic reports. I am disturbed by the article I found on MSNBC.com titled “After Data Loss ID Theft Soars”. One of the first paragraphs in the article provides language from what they refer to as the Dear John letters:
“Dear Consumer. We’ve lost your personal information. It’s fallen off a truck/was on a laptop that was lost/was stolen by a hacker. We’re sorry and we promise to be better in the future. Good luck.”
In my experience, I have seen few, if any, companies actually LOSE data. I have seen it stolen many, many times. I find the assumption that somehow the victim was at fault troubling. There seems to be a perception among the media that the victim is at fault when data is compromised. It would be difficult to envision the same attitude being applied to a bank robbery, a burglary, or a kidnapping. Imagine the following: “Dear Mark family, We’ve lost your son. He’s been lost from a ship off the coast of Eastern Africa that was hijacked/was attacked by a pirate.” Clearly this is a ridiculous position to take in a kidnapping, yet we are quick to blame the victims of data breaches.
Now, before the critics start talking about non-compliance and the other issues that are part of the reason the company was vulnerable: clearly there are things that could have been done better. Hindsight is a wonderful characteristic. Unfortunately we don’t have the benefit of hindsight before an event occurs. The same argument can always be made about any activity. “The ship should have avoided Eastern Africa, so they are at fault.” … “The bank should have had thicker vault doors.” We can always second-guess any situation and say that the victim should have done better.
The purpose of this post is not to say that companies who are compromised could not have done things better. In some cases, the companies were clearly negligent. The purpose is simply to say that companies that are compromised are not completely responsible and are victims of crime. They did not simply ‘lose’ the data.
One Response to ““After Data Loss ID Theft Soars”….really?”
By Jestep on Nov 20, 2009
This really reads clearly when you look at the list of chronological data “breaches” - http://www.privacyrights.org/ar/ChronDataBreaches.htm
So many of these are lost or stolen laptops or flash drives. There was one flash drive, for example, lost with 115,000 SSNs and names on it. Whether lost or stolen, just the fact that this exists is clearly negligence.
The breaches that really hit the hardest for me are the insider theft ones. These are virtually impossible to prevent, especially if the perpetrator ends up being a high-up executive or administrator.