Everyone must have noticed that reports of identity loss and theft seem to be getting worse every day. In this piece, Bruce Schneier argues that, “we're seeing… the effects of a California law that requires companies to disclose losses or thefts of personal data. It's always been happening, only now companies have to go public with… breaches.”
Citigroup announced that it lost personal data on 3.9 million people. The data was on a set of backup tapes that were sent by UPS (a package delivery service) from point A and never arrived at point B.
This is a huge data loss, and even though it is unlikely that any bad guys got their hands on the data, it will have profound effects on the security of all our personal data.
It might seem that there has been an epidemic of personal-data losses recently, but that's an illusion. What we're seeing are the effects of a California law that requires companies to disclose losses or thefts of personal data. It's always been happening, only now companies have to go public with it.
As a security expert, I like the California law for three reasons. One, data on actual intrusions is useful for research. Two, alerting individuals whose data is lost or stolen is a good idea. And three, increased public scrutiny leads companies to spend more effort protecting personal data.
Think of it as public shaming. Companies will spend money to avoid the PR cost of public shaming. Hence, security improves.
This works, but there's an attenuation effect going on. As more of these events occur, the press is less likely to report them. When there's less noise in the press, there's less public shaming. And when there's less public shaming, the amount of money companies are willing to spend to avoid it goes down.
This data loss has set a new bar for reporters. Data thefts affecting 50,000 individuals will no longer be news. They won't be reported.
The notification of individuals also has an attenuation effect. I know people in California who have a dozen notices about the loss of their personal data. When no identity theft follows, people start believing that it isn't really a problem. (In the large, they're right. Most data losses don't result in identity theft. But that doesn't mean that it's not a problem.)
Public disclosure is good. But it's not enough.
Bruce's concept of an attenuation effect is pretty interesting. But I'm not sure it's true. I really get the feeling that the public is gaining a consciousness of these issues. That is a really big deal. The increased consciousness – and thus interest – may counteract attenuation. It would be interesting to see our friend Jon Udell do one of his meme studies to see if the attenuation is really happening. I'll ask him if it's possible.
This said, I agree with Bruce's conclusion.