
Monday, June 19, 2006

Data security breaches: is the US unique?

Incidents concerning major data security breaches have been reported in the US media with such regularity over the last year or so that they seem commonplace.

Privacy Rights Clearinghouse has put together a chronology of data breaches reported since the ChoicePoint incident in February 2005, in which ID thieves gained access to credit card processing details (ChoicePoint was subsequently fined $15 million over this incident).

The Clearinghouse list includes data security breaches by private companies, government organisations, hospitals and universities.

They claim details of 88 million Americans have been put at risk.

Incidents over the last week are listed on Pogowasright. Both lists just missed a report that data on about 2.2 million US troops in the National Guard and Reserves was stolen last month from a government employee's house.

Is this just a US phenomenon or is the rest of the world missing something?

This article in Computerworld Security, "Why isn't Europe suffering a wave of security breaches", says that a recent survey found US privacy practices do not suffer in comparison to their European counterparts, but 50 privacy experts in North America and Europe cite three major factors to explain the difference: US practices are under the microscope, with obligations to report these incidents that don't apply elsewhere; European data practices are more robust; and US data collections are more attractive and lucrative targets.

Could the same factors explain the difference between what's been happening in the US and the very limited public information about data breaches in Australia?

The prevailing view here seems to be that we are travelling pretty well - see the Federal Privacy Commissioner's comments to a NZ conference recently. At a symposium in Sydney recently, the Commissioner, in response to a question about this issue, said Australian organisations generally were a compliant lot (really?) and that this might explain the difference.

I've got my doubts. I think the absence of an obligation to notify those affected by a data security breach (now the law in almost 30 US states) is a major difference.

Who knows what might emerge here if our regulators had the resources and drive to dig deeper?

Thanks to David Fraser's Canadian Privacy Law blog and Pogowasright for some of the leads.
