Shostack + Friends Blog Archive


Venn and the art of empirical breach research

As EC readers may recall, I have made various Freedom of Information requests to state governments in order to obtain data regarding breaches reported to them under their various notification laws.
This week, I received responses to the latest request I made to New York and North Carolina. New York has 822 pages to send me (at a quarter a page), so the scanner and the checkbook will be busy in June. North Carolina sent a printout from their “Breach Notification Log”. Interested readers may obtain a PDF copy, which covers breaches from December 2005 until April 2007.
Since I already have info on breaches reported to New York from 12/05 through 12/06, I thought it would be interesting to see how much overlap there is between these sources. The thinking is that some breaches are purely local or perhaps regional, while others spread their effects nationally. Until now, I only had a deep view into one state, but now that has changed.
Herewith, the results for the period 12/05/2005 – 12/31/2006. Each state’s total sits on the diagonal; the off-diagonal entry is the number of breaches that appear in both states’ records:

                 New York   North Carolina
New York              281               41
North Carolina         41               77

I wouldn’t try to squeeze a journal article out of this table, but it is interesting that so many of North Carolina’s breaches (41 of 77) also hit New Yorkers, while a smaller portion of New York’s (41 of 281) hit North Carolinians. I am eager to receive the actual North Carolina reporting forms and notification letters.
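As an added illustration (this is not code from the original post, and the two logs in it are constructed rather than taken from either state’s records), here is how a table like the one above can be produced from two breach logs. The matching rule is an assumption of the example: two records are treated as the same incident when their entity names agree after normalisation (case, punctuation and corporate suffixes stripped) and the two states received the report within a configurable number of days of each other, since the same breach is rarely reported to both states on the same day. The post does not say how its 41 shared incidents were identified.

```python
"""Cross-state breach overlap: a NY/NC-style Venn table computed from two logs.

Added example, not code from the original post.  The two logs below are
constructed for illustration, not records from either state's breach log.
The matching rule (normalised entity name plus a reporting-date window) is an
assumption of this example, not the method used for the post's table.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Breach:
    entity: str      # organisation named on the notification
    reported: date   # date the state received the report


# Corporate suffixes one state's log may print and the other's may drop.
_SUFFIX = re.compile(r"\b(inc|corp|corporation|co|llc|ltd)\b")


def normalize_name(entity: str) -> str:
    """Reduce an entity name to a comparison key: lower-case, punctuation
    removed, corporate suffixes dropped, whitespace collapsed, so that
    'Acme Data Services, Inc.' and 'ACME DATA SERVICES INC' agree."""
    name = re.sub(r"[^\w\s]", " ", entity.lower())
    name = _SUFFIX.sub(" ", name)
    return " ".join(name.split())


def match_incidents(a: list[Breach], b: list[Breach],
                    window_days: int = 30) -> list[tuple[Breach, Breach]]:
    """Pair records of log a with records of log b that describe the same
    incident: same normalised name, reports within window_days of each other
    (the two states need not receive the report in the same month).  Each
    record is used at most once and the closest date wins, so a second,
    later incident at the same entity stays unmatched."""
    by_name: dict[str, list[int]] = defaultdict(list)
    for j, rec in enumerate(b):
        by_name[normalize_name(rec.entity)].append(j)

    used: set[int] = set()
    pairs: list[tuple[Breach, Breach]] = []
    for rec in a:
        best = None
        for j in by_name.get(normalize_name(rec.entity), []):
            gap = abs((rec.reported - b[j].reported).days)
            if j not in used and gap <= window_days:
                if best is None or gap < best[0]:
                    best = (gap, j)
        if best is not None:
            used.add(best[1])
            pairs.append((rec, b[best[1]]))
    return pairs


def venn_counts(a: list[Breach], b: list[Breach],
                window_days: int = 30) -> dict[str, int]:
    """The three Venn regions: only in a, in both, only in b."""
    both = len(match_incidents(a, b, window_days))
    return {"a_only": len(a) - both, "both": both, "b_only": len(b) - both}


def render_table(name_a: str, name_b: str, counts: dict[str, int]) -> str:
    """Lay the counts out the way the post does: each log's total on the
    diagonal, the shared incidents off the diagonal."""
    total_a = counts["a_only"] + counts["both"]
    total_b = counts["b_only"] + counts["both"]
    w = max(len(name_a), len(name_b))
    return "\n".join([
        f"{'':<{w}}  {name_a:>{w}}  {name_b:>{w}}",
        f"{name_a:<{w}}  {total_a:>{w}}  {counts['both']:>{w}}",
        f"{name_b:<{w}}  {counts['both']:>{w}}  {total_b:>{w}}",
    ])


# Constructed sample logs (not real breach reports).
NY_LOG = [
    Breach("Acme Data Services, Inc.", date(2006, 3, 14)),
    Breach("Big Bank Corp", date(2006, 1, 30)),
    Breach("Statewide Credit Union", date(2006, 6, 5)),
    Breach("Metro Hospital", date(2006, 8, 21)),
    Breach("Acme Data Services", date(2006, 11, 2)),    # a second, separate incident
    Breach("Widgets LLC", date(2006, 12, 12)),
]
NC_LOG = [
    Breach("ACME DATA SERVICES INC", date(2006, 3, 20)),   # same incident as NY, 6 days later
    Breach("Big Bank Corporation", date(2006, 2, 3)),      # same incident, across a month boundary
    Breach("Acme Data Services Inc.", date(2006, 7, 10)),  # months from either NY Acme report: distinct
    Breach("Carolina Retail Co.", date(2006, 9, 1)),
]

if __name__ == "__main__":
    print(render_table("New York", "North Carolina", venn_counts(NY_LOG, NC_LOG)))
```

Run as a script it prints the two-by-two table for the constructed logs (six New York records, four North Carolina records, two shared). Narrowing `window_days` shows how sensitive the overlap count is to the matching rule: with a three-day window none of the sample incidents match, which is the kind of caveat that should accompany any real cross-state count.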
(If you would like to support the gathering of these documents, along with their scanning and publication, you can do so over here)

5 comments on "Venn and the art of empirical breach research"

  • chris says:

    NC covers physical media as well as computerized. In my date range, this was maybe 8 incidents. OTOH, NC only requires the AG to be notified if more than 1K residents are hit, which could tend to suppress reporting compared to NY (which lacks such a floor and has many small breaches reported).
    Needless to say, I am not a lawyer :^)
    State laws summarized at

  • Chris says:

    While nuking some comment spam, I clicked in the wrong place and deleted a comment made by ‘Dissent’, to which the comment before this was a response.
    I am reposting the text of that comment below:
    ### Original comment
    Chris, could you comment on the states’ respective notification laws as it might (or might not) explain the difference? Is it the case that NYS has a broader notification requirement than NC, or are they about the same?
    Interesting results.
    ### End
    I figure this is preferable to trying to forge a comment and risking compounding my mistake.

  • Dissent says:

    Thanks, Chris. Looking at the difference in notification standards, maybe the higher percentage of NC cases hitting NY is also because NC requires breaches involving unencrypted data be reported only if there has been misuse or there is a “reasonable” likelihood of same. So anything that gets reported there has already led to fraud or ID theft or is more likely to do so than many of the smaller breaches reported in NYS where they have to report even if no evidence of misuse or even reasonable likelihood of misuse?
    Or am I reading the provisions wrong and just need more coffee? 🙂

  • Chris says:

    Good point, Dis. I am tempted to agree, and this would certainly be worth looking at. My uninformed guess is that lawyers being a conservative lot, they’d tend to not make an aggressive interpretation of ‘illegal use’. They might be more willing when the cost of notification is very high.

  • Dissent says:

    “They might be more willing when the cost of notification is very high.”
    I’m confused. Wouldn’t lawyers be more willing (to make an aggressive interpretation) when the cost of NOT notifying was high (due to penalties, AG action, etc.) or when the cost of notifying was low and wouldn’t really hurt their client?
    Or are we talking about different lawyers?
