Comments on Fraud, Phishing and Financial Misdeeds: Why the GAO report on Identity Theft might show that disclosure works!
Ed Dickson

Anonymous, 2007-07-08T07:12:00.000-07:00:

Thanks for the kind words about my blog entry. In the interests of full disclosure:

1. I am more than "affiliated" with PogoWasRight.org. I own the site. :)

2. I am no longer affiliated with Attrition.org in any way. They continue to maintain their resources on larger-scale data losses, while PogoWasRight.org continues to report both large incidents and lots of smaller ones that you will not find on their site.

As to your comment that perhaps disclosure accounts for stolen or compromised PII not being used or misused: I wish it were so, but given the often long lag between incident and detection, or between incident and exposure or notification, I doubt that disclosure really explains most cases where compromised data have not been used.

If detection and disclosure were quick, it could serve a protective function, but that's unlikely to happen because even if a breach is detected immediately, law enforcement may want things kept quiet while they investigate.

That said, if we really want to understand what's going on, then we need more data and more transparency, not less, and any attempt to use risk-based criteria seems premature and counterproductive to greater understanding.