Wednesday, July 11, 2007

Nobody Is That Dumb ... Oh, Wait! - III

Another day, another installment in our aperiodic :-) series "Nobody Is That Dumb ... Oh, Wait!", featuring the GAO report on data breaches [PDF]. As you recall :-), a blog post under that rubric should contain the word "assclown."

So, the report in question seems to imply that

a) there is no link between data loss/theft and subsequent identity theft, and
b) as a result, mandatory notifications (such as those prescribed by CA 1386) are a waste of resources.

But you know what? Data theft (as well as, mind you, a negligent data loss!) is a crime even if whoever took off with the data didn't use it for nefarious purposes. To me it sounds akin to "the bank robber who didn't spend the money on more crimes" or (more remote ...) "a carjacker who didn't cause a traffic incident." Mandatory notifications are a means to reduce data loss/theft, and are thus needed regardless of how the stolen data is used!

BTW, SANS called it deeply flawed (their analysis of it is here), but it is also stupid in light of the above.


rybolov said...

It's not about identity theft or theft of funds, it's a social contract between the Government and the people to protect the PII that they collect about us. That's the real issue. Inside the Government, the reason for breach notification is security through public shame.

Anton Chuvakin said...

Good point as well. However, some might argue that some types of "PII" are not pretty much PUBLIC so no extra protections can be assumed...

"reason for breach notification is security through public shame"

Absolutely! That is the point I was trying to make as well; but the GAO report seems to argue with this ...

rybolov said...

It's the

Think about it, the government is governed by the Privacy Act of 1974. Watergate just happened, and it was revealed that the administration was keeping files on people that they never should have for purposes that they never should have. If I'm a government agency collecting PII, I have to do a privacy impact assessment to formally say what I am going to do with this data. For example, recording people's extramarital affairs and then using this information to blackmail them. Think it can't happen in America? It has.

Yes, most of this PII is public record or freely available (example, name, telephone number, and work address which is on their web site), but the problem with the government collecting it is that they're doing just that, aggregating information. That does constitute a social contract.

Anton Chuvakin said...

OK, point taken, but I still worry more about "impactful" info such as SSNs than about public info aggregation (even though one can do wonders even with public data...)

Dr Anton Chuvakin