But it never did.
About six weeks ago, I reposted a question sent to the Data Loss mail list from an earlier post made over two years prior asking the same question. To date, the replies we have received can be counted on one hand, but the evidence shown at the top of the main DataLossDB page is somewhat clear: for the last several months, we (meaning OSF) have received fewer reports and have seen less news about breaches involving personally identifying information. One or two people have questioned why, and the answer is simple: we don't know. We still look for news, we still post what we find, but the decrease in events since the beginning of the year... well, we just don't know.
Have there actually been fewer events? Has there been a change in the way that events have been reported in the media and through other sources that might disqualify them for inclusion in DataLossDB? Does anyone have any insight into why this apparent trend might be occurring? If so, we would like to hear / read your thoughts. Please mail our curators if you have anything to comment on about this subject.

by Anonymous on 2009-10-29 (4 months ago)
On October 28, 2009, CNET reported on a recent study conducted by McAfee that found that more security breaches are hitting midsized companies (51-1000 employees) and that these companies are cutting their security budgets in response to the recession.
It may be that these companies do not know that they are supposed to report breaches or simply fail to do so.
by Anonymous on 2009-11-02 (4 months ago)
Your numbers seem to report the total incidents, not the volume of records. Could this be the intersection of two issues: targets with more records that require more effort are being pursued, resulting in fewer incidents, and legal teams have gotten more mature in making arguments to prevent notification?
by Anonymous on 2009-11-05 (4 months ago)
Possible reasons:
1. Law enforcement requests to the judiciary asking for delay in notifications pending the conclusion of large-scale investigations they don't want illuminated for fear of losing valuable leads.
2. Absence of a federal statute and confusion regarding notification required by a multiplicity of state laws and regulatory bodies.
3. Lack of visibility that a breach has occurred; more sophisticated attacks that remain undetected.
4. Effective risk-based controls implemented across the board that preclude data theft.
by Anonymous on 2009-12-02 (3 months ago)
Perhaps the reason for the seemingly reduced number of data breach incidents has more to do with transparency and less to do with actual reporting. If companies view data breach as "negative" then it is reasonable to assume that perhaps less revealing methods of communicating that news to the outside world are happening. It would not be the first time that companies decided to conceal news and alert the public to problems. ~Alina