Over at his blog, Alex Hutton responds to my claim that data breaches are not meaningful because of identity theft, saying that "Compliance to External Risk Tolerances (PCI) and Government Breach Reporting Laws *DO* make it significantly about Identity Theft." ("The 'Insider Statistic', Good Data, & Risk.") Alex's main point is that it's not insiders, but:
At RMI, we’re no longer surprised when, in incidents we study using FAIR, the sum of probable loss due to Fines & Judgments far exceeds the sum of all other 5 forms of loss an organization can incur (productivity, response, replacement, competitive advantage, and reputation).
Meanwhile, in "Astroglide data loss could result in $18 Million Fine," Chris Soghoian discusses some clever targeted attacks that could be carried out with the astroglide data. These aren't obvious (to me), but one of the unfortunate things about criminal innovation is that it spreads.
Now, what interests me about these two posts is that I think they're both correct. Astroglide's risk is really from fines. But the risk to Astroglide's prospective customers isn't the same. There's a potentially large externality imposed here, and because they haven't been notified, Astroglide's prospective customers are at greater risk.
So, once again, data breaches are not meaningful because of identity theft. They may be relevant to the executive suite today for that reason, but there's more there there.
The image is a Yahoo Maps map of San Francisco residents who took advantage of the Astroglide offer.