Anonymous

USA

Advertising/PR

Data/Computer Theft Is Nothing New. What's New Is the REPORTING of Theft.

News of these thefts are front cover stories in the US trade press and US news outlets.

Judging by the headlines, these data breaches appear to be an epidemic, and lurid media reports suggest that companies are battling a 'new' data security problem.

But there’s nothing 'new' about the thefts of the past several months.

The fact that breaches are now being reported is the news.

This fact can be attributed entirely to California’s Data Breach Notification law, commonly called SB 1386. Before SB 1386 was passed into law July 2003, neither companies nor government agencies were required to report security breaches or theft of sensitive financial records. Now they MUST -- or face financial and criminal penalties.

Data theft is not new. It’s been a serious problem that has been going unreported for years. For confirmation, see: http://www.consumeraffairs.com/news04/2005/choicepoint_congress.html

The recent spate of thefts has angered members of the US Congress and other politicians, including those in the State of Illinois, which passed a security breach-reporting law similar to California's on 20 June 2005.

But there remain two elements of these events that puzzle me:

First:

In every case, harm from these ugly incidents could have been prevented had the data on the stolen computers and storage devices been encrypted.

Encryption is THE technology for protecting electronic information. That's why the military and intelligence communities relied on it so heavily.

Why isn't encryption being used?

Second:

These incidents are not unique to the US. Wherever computers and data are located, thefts of this type occur. For instance, similar data breaches were recently reported in Canada and Japan (the companies in Japan, Motorola and Ricoh, each publicly apologized to their customers!).

There is no law outside the USA requiring companies or government agencies to report data security breaches. People in nations around the world are suffering ID thefts at equally record rates -- but local news agencies seem to be happy to keep their audiences ignorant.

Why aren't there similar laws around the world, and why aren't more news agencies around the world reporting this problem?