title for Data Losses note
home | about | site use | resources | publications | timeline |::| blaw

overview

networks

tapes

laptops

sale

law

prevention

responses

studies

costs



















related pages icon
related
Guides:

Security &
InfoCrime

Consumers
& Trust

Privacy

Secrecy &
Confidentiality



Identity
Crime



related pages icon
related
Profiles
& Notes:

Pretexting

















section heading icon     overview

This note highlights examples of large scale exposure of consumer information through hacking of databases, loss of computer tapes in transit or theft of laptops.

It covers -

  • networks - losses through unauthorised access to personal computers and corporate networks
  • tapes - losses through theft or disappearance of computer tapes, floppy disks and CD-ROMS
  • laptops - losses through theft, disappearance or merely inadequate cleanup of laptops, PCs and servers
  • sale - losses through data custodians selling data to criminal entities or merely publishing the data unintentionally
  • law - questions about liability and legislation
  • prevention - minimising data losses through network management, vetting and other mechanisms
  • responses - official prosecutions, regulators, apologies, alerts and class actions
  • studies - pointers to the legal and other literature
  • costs - how much do data losses cost?

It supplements discussion in the Security & InfoCrime, Consumer Protection and Identity Crime pages elsewhere on this site.

     introduction

 The incidents highlighted in the following pages are of interest as indicators of -

  • the persistence of media such as computer tapes in the transfer of data from one location to another, contrary to claims that all organisations do (or will) use private/public networks
  • vulnerabilities in the form of laptops and desktop machines - the server may be guarded 24/7 but data is accessible when it is embodied in a laptop that can be stolen in one minute
  • the importance of pretexting and other social engineering - why crack code or break doors when data is yours for the asking if you ask nicely, look plausible and hand over an access fee to custodians who do not appear to rigorously authenticate your bona fides?
  • institutional/corporate irresponsibility in failing to encrypt sensitive information or to ensure that data is removed from devices that are sold by that organisation
  • the significance of legislation that requires organisations to alert consumers about breaches
  • the reluctance of organisations to provide such alerts and to accept responsibility for breaches.

     how many breaches

It is clear that organisations (including some public and private sector entities that promote their sensitivity to consumer concerns or their expertise in data management) expose personal information that has been placed in their custody.

Some of that information has little detail or is otherwise of low value, particularly in isolation. Some information, in contrast, is highly detailed and comprehensive. Some occurs in formats that are not readily mis-usable by unauthorised people. Other formats can be easily read by specialists, novice or even people with no training in writing code. Some exposure is attributable to incompetence; other exposure is intentional and involves improper action by people inside/outside an organisation.

The extent to which exposure occurs during a given period is unclear.

It is not possible to provide comprehensive and highly accurate figures on how many credit card numbers, personal history files, incident reports or other consumer information were exposed in a particular jurisdiction or a particular time. Many of the published figures are hedged with uncertainties. Others are simply invented, on the basis that they make a good headline (or a good promotional statement) and are unlikely to be dissected in detail.

That uncertainty reflects several factors.

One reason for uncertainty is that organisations simply are not aware that there has been a breach, whether through release of information by an insider or for example through hacking by someone outside that organisation.

Another reason is that disclosure of problems potentially results in negative publicity ("would you deal with a business that doesn't bother to safeguard your information"), attention by regulators, unwanted compliance costs (eg funding credit watch reports for affected consumers and bearing increased insurance rates) and even litigation by aggrieved consumers.

Some organisations thus preserve market share, executive bonuses and share prices by keeping quiet about problems. Others conclude that silence will serve to starve the hacking industry: keeping quiet will not not stimulate emulation or alert criminals to potential weaknesses in network security arrangements. One legislative response, increasingly common in the US, is to mandate reporting by organisations to affected consumers.

A third reason is that there are few organisations collecting and rigorously analysing the disclosures that are made. Analysis is important for making sense of data losses. Not all losses are of equal significance.

Some stolen laptops, for example, may contain sensitive information but that information is inaccessible because it has been encrypted. Some may contain sensitive information but that data is of no interest to the thief (or to anyone who buys the device when it is on-sold) and is accordingly deleted.

A fourth reason is that it is often difficult to establish a clear chain of causation between the exposure of particular data (often reported grudgingly) and identity theft or other impacts on individuals.

It is thus common in the US, for example, to issue carefully crafted legal statements indicating that the organisation is "not aware" that exposure of information has resulted in identity theft and offering a short term palliative such as free credit reference report.

Critics respond that of course the organisation's executives and lawyers are formally unaware, as the victims have not yet realised theft has taken place and attributed that to the organisation's ineptitude.

As later pages of this note indicate, those critics also comment that identity theft may be a lifetime experience: the risk does not necessarily cease after six months when the free report expires.

One point of reference is Ragib Hasan & William Yurcik's 2006 paper Beyond Media Hype: Empirical Analysis of Disclosed Privacy Breaches 2005-2006 and a DataSet/Database Foundation for Future Work.

     are they significant?

There has been no large-scale analysis of the cost to national economies through exposure of data and much of the literature about the impact on individual organisations is decidedly anecdotal.

Surveys suggest that consumers do respond negatively to data losses, which result in erosion of an organisation's 'brand' and support for legal measures (including new legislation and class-based litigation).

The intensity of those responses appears to be increasing as consumers become more privacy conscious and as publicity is given to some of the more egregious breaches, especially those where the data custodian addressed concerns in a grudging way.

Many consumers and third parties have noted that in practice switching costs may be high and opportunities to move from one organisation to another may be small.

One critic of recurrent losses of data by E&Y for example commented that its performance may have been poor but major corporate clients cannot readily move to another auditor. Another said

if you can't trust EDS and Citigroup, who can you trust? Do you think their competitors are going to be better: they just haven't been caught

Others have noted that you don't have a choice of dealing with government, which maintains a wide range of registers and other data collections.

Some observers have used different perspectives, looking at the impact on individuals or at the costs of reengineering corporate practices to prevent losses. Much of that reengineering is predicated on the idea that loss of a device or a data carrier need not mean exposure of information, with laptops for example being protected by passwords (and files on that device being encrypted).






icon for link to next page   next page (networks)

 


this site
the web

Google

version of May 2006
© Bruce Arnold
caslon.com.au | caslon analytics