Reporting on breaches
It started with Mark Jewell of the AP, “Groups: Record data breaches in 2007.” Dissent responded to that in “Looking at 2007’s data breaches in perspective:”
The following table depicts the number of U.S. incidents reported and the corresponding number of records reported exposed by the three main sites that track such data: Attrition.org, the Privacy Rights Clearinghouse (PRC), and the Identity Theft Resource Center (ITRC).
Then Thomas Claburn writes “Data Breaches: Getting Worse Or Better?” in Information Week:
The year 2007 may or may not have been a record-setting year in terms of data breaches. Whether it was or wasn’t depends on how one counts.
Then Dissent followed up again, in “Second look: What kind of year was 2007 in terms of data breaches?”
Perhaps it would be more conservative to conclude that we simply don’t know whether the total number of incidents rose, fell, or remained the same (because of the lack of a national disclosure law), but with media sources claiming that it was a “record year” in terms of number of incidents, I thought it important to point out where the data do not support that assertion.
…lots of analysis elided
The bottom line is that if we want to make any sense out of data, we need more transparency and mandatory disclosure so that we can get ALL of the numbers on ALL of the incidents.
I’m so eager to jump into this conversation, but have other writing that I need to finish. So go read what Dissent wrote, and I’ll just comment on how excited I am to see the emergence of all of this analysis around breach notices.