Pointer: The Breach Reporting Dilemma

By , September 24, 2008 10:50 am

Over on Securosis, Rich Mogull responds to a question Adam Shostack of Emergent Chaos posted in response to a blog entry of mine here. Adam asked whether there are more incidents of breaches or just more reporting of breaches because organizations are deciding that it’s the right thing to do.

Rich thinks that it’s a bit of both, and he may be right. But because I am a somewhat cynical New Yorker, I have my doubts that an increase in reporting has anything to do with companies deciding that it’s the right thing to do. So I looked at New Hampshire, whose reports are available online and whose reporting laws did not change from 2007 to 2008. For all of 2007, there appear to have been 112 incidents reported, whereas at the 2/3 mark this year, there were 84, a rate that, if sustained, will result in about 12% more breach reports for 2008 for that one state alone. If New Hampshire were representative of the other states, that 12% increase would not account for the significant increase we’re seeing this year in the number of reported breaches. But when we take into account states that may have newly implemented reporting laws, the share of any increase attributable to mandated reporting grows, although there may still be some subset of reported breaches that are truly voluntary disclosures because a company thinks it’s the right thing to do. Frankly, though, I’m not sure what it means to be “the right thing to do.” That could mean that the company has had an epiphany and now respects consumers more, or it could mean that the company recognizes the risk that someone will find out and the story will get out before they can spin it, so they’d better get the story out first.

But even if it were the case that the increased numbers do not represent an increase in voluntary disclosure, it would still leave us with the question of whether any increase in mandated reporting reflects more incidents than in previous years, more states requiring disclosure, better detection of incidents that might previously have gone undetected, and/or delayed detection or reporting of breaches that actually occurred in earlier years (such as Forever21). Each year, trying to draw any meaningful conclusions has basically been comparing apples and pears, and 2008 will be no different. While I continue to believe that breach reports are important and necessary, interpreting breach statistics has been nothing but an exercise in identifying confounds.

As Rich notes, the correspondence between breach notices and actual fraud is also problematic, although as Adam and I have both maintained, fraud is not the sole or even the most important reason to require disclosure. Rich writes:

In short, there isn’t necessarily any correlation between a “breach” notification and any actual fraud. Thus the value of breach notification statistics is limited. A lost backup tape may contain 10 million records, yet we don’t have a single case that I can find where a lost tape correlated with fraud. My gut is that hacking attacks result in more fraud, but even that is essentially impossible to prove with today’s accounting.

Since there have been no media-reported cases of fraud associated with lost backup tapes while there have been cases of fraud associated with hacking, I think it’s pretty safe to conclude that hacking does pose a greater risk of actual fraud. That would make intuitive sense anyway, because a tape can be innocently lost, but hacking is an intentional act, presumably directed towards some further end.

But does hacking result in more fraud than insider theft or misuse of data?

The recent Verizon study suggested that intentional insider misconduct was not as big a problem as originally thought, but that was in terms of the percentage of breaches, not in terms of breaches resulting in fraud. While the big hacking cases that result in fraud make news when they are discovered (or four years later, when our government finally gets around to revealing them), we’ve seen cases of insider theft that have also resulted in fraud. And on a day-to-day basis, there are probably dozens of cases of small-n fraud due to insider theft that we never learn about — or, if we do learn about them from local news sources, they generally do not get included in databases that only cover “big” incidents. Hence, our impression of the rate of insider malicious acts resulting in fraud is likely to be significantly underestimated relative to hacking or other types of data loss or compromise.

An analysis I conducted of reported breaches involving patient or health care data or settings between 2003 and 2007 found that 75% of cases resulting in financial fraud or ID theft were due to employee misconduct such as theft or misuse of information. Although that analysis used a relatively small sample (291 breaches) and included small-n cases, it suggests that in at least one sector, hacking may not be the biggest threat if your main concern is financial fraud. Of course, it is always possible that hacking actually results in more cases of fraud in those settings too, but either the organizations do not realize that they have been hacked or they have not been required to disclose the breach. Many states specifically exclude HIPAA-covered entities from their state disclosure and notification laws. So those states do not require disclosure to individuals or to the state attorney general, and HIPAA does not require disclosure of a breach — it only requires that an entity that has suffered a breach take steps to mitigate harm to the individuals affected. There is no requirement that individuals be notified if there has been no known harm.

Bottom line: the numbers continue to rise, we continue to speculate on why they are going up and what they mean in terms of impact on individuals as well as organizations, and those who could help us answer the question by requiring disclosure have failed to enact the laws that would provide greater transparency and data.
