CBE: The Data Breach CVE?
Adam Shostack has a very interesting post about the decision by Maryland to post the state’s Information Security Breach Notices online. New Hampshire also joins Maryland in placing Notices of Security Breach online for everyone to access.
What is interesting about the Maryland posts, as pointed out by Adam, is that Maryland also includes the case ID in the online list. A unique identifier for each breach listed is a possible way to cross-correlate breaches between the various tracking sites such as Attrition.org, Pogo Was Right, SSNBreach.org, ID Theft Resource Center, PRC, Chris Walsh’s Data Breach Primary Sources, ESI, etc. Adam makes an excellent point: a common identification system (much like CVE) would let everyone see which breaches are being discussed where, and which breaches are not being discussed at all.
Personally, I fully support this idea. Part of my “routine” when preparing the ESI YiR is to visit all of the sites listed above and search for breaches that I may have missed during the year. As much as I strive to stay on top of breaches within higher education, I will miss a few. This last sanity check on my list of breaches is a best effort to include as many publicized breaches as possible. A common identification system would definitely cut down on the time it takes to review the other sites.
So to start things off, let me pose this question: What do “we” need to start things moving towards a CBE of sorts?
A few quick thoughts would be:
- A common lexicon for classifying the breach type as well as the data lost/exposed
- A way for states and/or organizations to make their own submissions
- A central group responsible for reviewing/verifying CBE submissions
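To make the proposal above concrete, here is an added example (not code from the original post, and not any existing CBE or tracker software) of what a minimal registry built on those three points might look like: a controlled vocabulary for breach type and data exposed, a submission path that records each source's own identifier (the Maryland case ID, an Attrition entry, and so on), and the cross-correlation Adam describes, i.e. which trackers list a given breach and which breaches a tracker has missed. The identifier format `CBE-YEAR-NNNN`, the vocabularies, the tracker names and all sample records are assumptions constructed for the example.

```python
"""Toy CBE registry: constructed example, not a defined standard.

Assumptions: the CBE-YEAR-NNNN identifier format, the two vocabularies
and the sample records are all invented for illustration.
"""
from dataclasses import dataclass, field
from enum import Enum
import itertools


class BreachType(Enum):
    """Assumed lexicon for how the data was lost or exposed."""
    LOST_MEDIA = "lost_media"
    STOLEN_DEVICE = "stolen_device"
    HACK = "hack"
    WEB_EXPOSURE = "web_exposure"
    INSIDER = "insider"


class DataType(Enum):
    """Assumed lexicon for what kind of data was involved."""
    SSN = "ssn"
    FINANCIAL = "financial"
    MEDICAL = "medical"
    CREDENTIALS = "credentials"
    PII_OTHER = "pii_other"


@dataclass
class BreachRecord:
    cbe_id: str
    organization: str
    breach_type: BreachType
    data_types: frozenset          # set of DataType
    # Source-local identifiers, e.g. {"maryland": "MD-0001", "attrition": "ATT-77"}
    aliases: dict = field(default_factory=dict)


class Registry:
    """Assigns one common identifier per breach and indexes every alias."""

    def __init__(self, year):
        self.year = year
        self._seq = itertools.count(1)
        self.records = {}        # cbe_id -> BreachRecord
        self._alias_index = {}   # (source, local_id) -> cbe_id

    def submit(self, organization, breach_type, data_types, aliases):
        """Register a submission from a state or tracker.

        If any supplied alias is already known, the submission is treated as
        the same breach and its new aliases are attached to the existing
        record instead of minting a duplicate identifier.  A submission that
        links two different existing records is rejected for human review.
        """
        if not aliases:
            raise ValueError("a submission needs at least one source-local identifier")
        existing = {self._alias_index[k] for k in aliases.items() if k in self._alias_index}
        if len(existing) > 1:
            raise ValueError(f"submission links distinct records: {sorted(existing)}")
        if existing:
            rec = self.records[existing.pop()]
            rec.aliases.update(aliases)
        else:
            cbe_id = f"CBE-{self.year}-{next(self._seq):04d}"
            rec = BreachRecord(cbe_id, organization, breach_type,
                               frozenset(data_types), dict(aliases))
            self.records[cbe_id] = rec
        for k in aliases.items():
            self._alias_index[k] = rec.cbe_id
        return rec.cbe_id

    def coverage(self, trackers):
        """For each breach, which of the given trackers list it."""
        return {cid: sorted(t for t in trackers if t in rec.aliases)
                for cid, rec in self.records.items()}

    def missing_from(self, tracker):
        """Breaches a tracker does not list: the year-end sanity check, automated."""
        return sorted(cid for cid, rec in self.records.items()
                      if tracker not in rec.aliases)


def demo():
    """Load a few constructed records and return the populated registry."""
    reg = Registry(2008)
    reg.submit("State University A", BreachType.STOLEN_DEVICE, {DataType.SSN},
               {"maryland": "MD-0001"})
    # A tracker entry for the same incident that cites the Maryland case ID
    # collapses onto the existing record rather than creating a second one.
    reg.submit("State University A", BreachType.STOLEN_DEVICE, {DataType.SSN},
               {"maryland": "MD-0001", "attrition": "ATT-77"})
    reg.submit("College B", BreachType.WEB_EXPOSURE, {DataType.SSN, DataType.PII_OTHER},
               {"newhampshire": "NH-0042"})
    reg.submit("College C", BreachType.HACK, {DataType.CREDENTIALS},
               {"attrition": "ATT-80", "pogo": "P-3"})
    return reg


if __name__ == "__main__":
    reg = demo()
    print(reg.coverage(["maryland", "attrition", "pogo"]))
    print("not on attrition:", reg.missing_from("attrition"))
```

The merge rule is the whole point: a tracker that quotes the state's case ID gets folded into the same record automatically, while a submission that would tie two existing records together is refused and left for the reviewing group to resolve by hand, which is where the third bullet above comes in.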
This is a call to anyone interested in this topic to start thinking about it. Let’s get the discussion rolling…