August 20, 2008

Stolen Laptops, Redux

I got a question for you. What percentage of corporate laptops do you think have some sort of personally identifiable data on them? Take a second to mull that over while we go over something else.

Now, you may not remember this, but I've suspected for a long time that things are not what they seem in the disclosure space. I.e., do we really think that everybody who actually has a breach is disclosing the way they should?

Now, back in the day, I speculated that at least 10 percent of breaches were going unreported. Where are we now? Let's use the same method as last time and see if the situation has gotten any better in the year or so since I last posted that.

Now, we know that the "stolen laptop" number was up to about 624000 for 2007 (for airports alone, but let's use that since we don't have any better data). While we don't know whether any of those laptops had PII on them, we *do* know the total universe of publicized breaches for 2007: 446. If we assume that every stolen laptop with PII led to a breach disclosure (which it should), then we can accept that - at the very least - the total (446) represents some superset of all the lost laptops that mattered.

So, let's churn some logic to see what we can conclude about how many of these laptops have "disclosure-requiring" data on them:

We'll start with the (spurious, but useful for making the point) assumption that every breach was the result of a stolen laptop. Realistically, the number of breaches includes other things as well, but assuming they're all laptop-related gives us a "best case" upper bound on how many stolen laptops were responsible for breaches.

To get to where we need to be, we figure out what percentage of the total laptops stolen were reported via breach disclosure. That number is .07% - 7 in 10,000. Which means, under that assumption, 7 in 10,000 stolen laptops had PII on them.

If that's true, it's more likely for Joe Average to pull a full house in his next game of 6 card stud than it is for him to have PII on his laptop. Bullshiz. 7 in 10k? Not likely. In reality, it's gotta be higher. Maybe, if you really want to get all optimistic, you might say that 1 in 100 have PII on them. Even that optimistic figure is an order of magnitude above the rate implied by what's being reported.
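The back-of-envelope model above, written out so the bounds are explicit (an added example, not part of the original post; the 624,000 and 446 figures are the post's, the assumed PII prevalences in the sweep are illustrative):

```python
# Added example: encodes the post's estimate as a small model.
# Figures taken from the post: ~624,000 laptops stolen at airports in 2007,
# 446 publicized breaches in 2007.
STOLEN_LAPTOPS_2007 = 624_000
DISCLOSED_BREACHES_2007 = 446


def implied_pii_rate(stolen: int, disclosed: int) -> float:
    """Fraction of stolen laptops that must have carried PII if (a) every
    disclosure came from a stolen laptop and (b) every such laptop was
    disclosed. Assumption (a) over-counts laptop breaches, so the result is
    an UPPER bound on the implied PII rate."""
    if stolen <= 0 or disclosed < 0:
        raise ValueError("need positive stolen count and non-negative disclosures")
    return disclosed / stolen


def underreporting_factor(stolen: int, disclosed: int, assumed_pii_rate: float) -> float:
    """Disclosure-requiring thefts per disclosure actually made, given an
    assumed real PII prevalence. Because implied_pii_rate() is an upper
    bound, this factor is a LOWER bound on the under-reporting."""
    if not 0.0 < assumed_pii_rate <= 1.0:
        raise ValueError("assumed_pii_rate must be in (0, 1]")
    expected_disclosures = stolen * assumed_pii_rate
    return expected_disclosures / disclosed


def sensitivity(stolen: int, disclosed: int,
                rates: tuple = (0.01, 0.10, 0.50)) -> dict:
    """Under-reporting factor across a sweep of assumed PII prevalences
    (the 1-in-100 case is the post's optimistic figure; the others are
    illustrative)."""
    return {r: round(underreporting_factor(stolen, disclosed, r), 1) for r in rates}


if __name__ == "__main__":
    rate = implied_pii_rate(STOLEN_LAPTOPS_2007, DISCLOSED_BREACHES_2007)
    print(f"implied PII rate (upper bound): {rate:.4%}")
    for r, factor in sensitivity(STOLEN_LAPTOPS_2007, DISCLOSED_BREACHES_2007).items():
        print(f"if {r:.0%} of laptops carry PII -> at least {factor}x under-reporting")
```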

So, really... where are we now? The only conclusion I can possibly draw is that breaches are under-reported by at least an order of magnitude - for airport laptop thefts alone. And unless I'm totally off base, it's a common enough occurrence that it's only a matter of time before someone gets caught failing to report. As to whether anyone will care or not - well, that's a different question.

Posted by Ed at August 20, 2008 11:27 AM | TrackBack