
Monday, June 19, 2006

Data security breaches: is the US unique?

Incidents concerning major data security breaches have been reported in the US media with such regularity over the last year or so that they seem commonplace.

Privacy Rights Clearinghouse has put together a chronology of data breaches reported since the ChoicePoint incident of February 2005, in which ID thieves obtained access to consumers' credit and personal records (ChoicePoint was subsequently fined $15 million over the incident).

The Clearinghouse list includes data security breaches by private companies, government organisations, hospitals and universities.

The Clearinghouse puts the number of Americans whose details have been put at risk at 88 million.

Incidents over the last week are listed on Pogowasright. Both lists just missed a report that data stolen last month from a government employee's house included details of about 2.2 million US troops in the National Guard and Reserves.

Is this just a US phenomenon or is the rest of the world missing something?

This article in Computerworld Security, "Why isn't Europe suffering a wave of security breaches", says that a recent survey found US privacy practices do not suffer in comparison with their European counterparts, but 50 privacy experts in North America and Europe cite three major factors to explain the difference: US practices are under the microscope, with obligations to report these incidents that don't apply elsewhere; European data practices are more robust; and US data collections are more attractive and lucrative targets.

Could the same factors explain the difference between what's been happening in the US and the very limited public information about data breaches in Australia?

The prevailing view here seems to be that we are travelling pretty well - see the Federal Privacy Commissioner's recent comments to a NZ conference. At a symposium in Sydney recently the Commissioner, in response to a question about this issue, said Australian organisations generally were a compliant lot (really?) and that this might explain the difference.

I've got my doubts. I think the absence in Australia of an obligation to notify those affected by a data security breach (now the law in almost 30 US states) is a major difference.

Who knows what might emerge here if our regulators had the resources and drive to dig deeper?

Thanks to David Fraser's Canadian Privacy Law blog and Pogowasright for some of the leads.

1 comment:

  1. Just to clarify: the data breaches reported in the PogoWasRight "Data Dysprotection" weekend roundup are just some of the breaches that are first reported in news stories on the site during the past week.

    Both the Privacy Rights Clearinghouse chronology and my own recent blog entry about recent breaches do refer to the 2.2 million active duty statistic in the VA breach (e.g., PRC's figures show over 28 million, up from the initial report of 26.5 million), but those figures were not included in PWR's weekly roundup because they had been reported and included in prior weekend roundups.

    Because the Privacy Rights Clearinghouse and PogoWasRight are reporting overlapping, but not identical types of reports, our lists may not always precisely match. Looking at their chronology, it seems that they have some reports that we may not have picked up in news, and that we have some reports that either they missed or that haven't made it to their chronology yet.

    I do suspect that their 88+ million total is an underestimate and that we may never find out about other significant breaches or losses.

    Is America worse in terms of data breaches, or is it just that we find out more about American breaches? Personally, I suspect it's both.