It is an easy-to-follow web site: it consists of two horizontal menu bars, a top text-based bar with links to 11 sections and, below this, a graphical bar with a timeline. Its front page is broken down into two columns. We need to register to use all the services they offer. Registration requires only an email address and a username. The relevant sections of this site are:
- First, they introduce the site: who they are and how they work. They seek and receive news about security incidents involving compromised personal information. They add those pieces of news to their public database. They also announce them on their Twitter "datalossdb" account and send them via a distribution list.
- Second, they offer the ability to search for incidents in their database according to different search criteria such as type, size or source. Although most available data come from the USA, this site is nevertheless valuable to justify security measures with actual data on real incidents.
- Third, they provide a form for the visitor to report incidents. It is not necessary to be registered to report an incident.
- Fourth, they provide access to collections of incidents from 16 primary information sources. These sources are authorities linked to personal data protection in different U.S. States (such as "Consumer Protection Boards" or the "Attorney General"). Companies and institutions that suffer data loss must report it to these institutions. The New York, Maryland and Massachusetts bodies are worth mentioning given the high number of cases that they publish.
- Fifth, they list the personal data protection laws in each of the States. 12 of them have to keep track of related incidents, 35 require notification to those affected but do not have a centralized register and 4 States have no such legislation.
- Sixth, they show statistics and incident analysis, including the types of lost data, the sector concerned and their figures for different time windows. So far, the largest incident contained in this site occurred in March 2012 and affected 150 million customers.
- Seventh, you can subscribe to three mailing lists: the first is the most relevant one, the second is to discuss incidents and the third is a weekly summary of activity.
The last three sections present:
- Those incidents that do not have the minimum information to be entered into the database, in the form of a newspaper called "the blotter".
- A section with strange incidents or minor ones that have a limited number of affected users or do not refer to elements of identity such as social security numbers, credit cards, bank accounts, medical or financial records.
- A final section with the names of those who maintain this site, its contact details and sponsors.
In short, the site datalossdb.org is a valuable database of real personal data incidents. A useful tool to demonstrate that personal data are really threatened. I miss a similar database with incidents happening in Europe. The final question would be: does privacy still exist in our society?
A version in Spanish of this post will be located here in this publication. Stay tuned!