Breaches of personal data: blaming the myth and punishing the victim

"A study that will appear in the Journal of Computer-Mediated Communication later this year analyzes failures to secure computerized personal records. One of its authors, Phil Howard, was kind enough to provide Ars with a draft copy of the paper. The analysis suggests that both the public understanding of these leaks and the legislative response to them are focusing on the wrong targets.

The study used press reports to identify incidents in part because there is no centralized reporting mechanism, and in part because many of the incidents have not resulted in prosecutions. The authors did require independent verification of incidents, and used the lowest figure for the number of records compromised when reports did not agree. Even by these conservative standards, the results were enormous: over 1.9 billion records exposed, or an average of 9 records for every American citizen.

That figure is almost certainly an extreme underestimation. State laws requiring a reporting of personal information loss only came into effect within the past three years. Almost certainly as a result, there were more reported incidents in 2005 and 2006 than all the previous years combined.

The researchers separated the incidents according to a number of criteria, including the cause (hacker, lost hardware, etc.) and the organization that did the losing. Their analysis suggests that we're both misidentifying the cause of the losses, and incorrectly targeting our legislative responses accordingly."
