(Today's topic has been brought to you by Dave N.) So, strange things are afoot at the Circle K - provided that by "Circle K" you mean "Breach Disclosure" and by "strange things" you mean "corporate irresponsibility". Specifically, have you seen the recent statistics for how often laptops are lost? Now, while I haven't seen an "authoritative" source for this statistic, I see 1600 per day cited fairly often, as is 2000 per day. Now, whether it's 1600 or 2000 is irrelevant... the point is that it's a lot.
File that number (1600 per day) away for a minute. Now consider the number of breach disclosures reported this year. According to the ID Theft Center, the number was 138 as of the end of August. Using our figure from before (1600 laptops stolen per day), let's solve for how many laptops have been stolen in the same timeframe (we can assume 30 days per month here - no need to be a stickler). We get: 1600*(30*8) or 384,000 laptops stolen as of the end of August. See any kind of disparity there? Even if we assume that every breach disclosure stemmed from a stolen laptop (not the case, by the way), the percentage of stolen laptops leading to a breach disclosure is: (138/384000)*100... or 0.036 percent.
Now, how could it be that this number is so low? Could it be that firms aren't disclosing when they should? Is it possible that the corporate custodians of our data are running afoul of the law - either intentionally or unintentionally? Maybe so, maybe not. First of all, not every state has a breach disclosure law - so we wouldn't expect that every case of exposed data would lead to notification, right? Last count I saw, only 23 states had a law - just about half. So, adjusting for half of the states not having breach disclosure laws, we would expect - if everybody's reporting when they should - that 0.07 percent of laptops contain unencrypted personally identifiable data, right? Now, I don't have any numbers on what the actual number of laptops containing personally identifiable data is, but 7 in 10,000 seems small to me - it just doesn't jibe with personal experience.
So, without having an estimate of how many laptops contain PII, we can't really point an accusatory finger - other than to just say that the numbers seem "fishy". Going by personal experience, I would think that maybe one in five or one in 10 would be more realistic... If that's the case - if one in 10 laptops contain PII - we would expect to see 38,000 breach-disclosure incidents. Too high for you? How about 1 in 100? If only one laptop in a hundred has PII on it, we would expect 3,800 reports - meaning that over 95 percent of breaches still go unreported. But maybe I'm just being cynical...
Posted by Ed at November 3, 2006 02:31 PM