Data breaches are so common that even a theft of a billion records of seriously confidential information barely makes the news. It\u2019s business as usual. Part of the problem is that all the data breaches involving our data become melded together. It seems as if all our personal data is already out there \u2014 many times over. So, who cares if it happens once (or ten times) more? We\u2019re numb to yet another attack that includes our personal data. In the beginning we feared every announced data breach. Now we don\u2019t fear any.I've previously written about the lack of useful risk management data surrounding most data breaches. Specifically, I didn\u2019t like the lack of pertinent facts around each individual data breach, which doesn\u2019t allow stakeholders to determine how bad the breach really was. For example, if a hospital accidentally leaves behind personal medical information in an old office during a move to new office space, it\u2019s called a data breach and treated by reporting entities and databases as being as serious as a malicious data breach where criminals stole data.The same is true when a website coding error leaves records exposed and a whitehat hacker publicizes it. It\u2019s treated as if malicious hackers have used the vulnerability to pull every record the website has. \u201cA billion records exposed!\u201d scream the headlines, but there is no proof that anyone maliciously pulled a single record. Exposure is a far different risk from actual theft. Unfortunately, the news media often treats them the same.Every data breach is usually treated like a bad data breach even if the true risk is something less. In my earlier article, I suggested a data breach rating system like what is already in place for reported software vulnerabilities. I got a good response, including dozens of security experts who agreed with me. A few respondents even said they were working on exactly what I was asking for.Breach Clarity offers insight to breach riskLast week, one, Jim Van Dyke, CEO of Futurion, showed me his new beta website called Breach Clarity. Van Dyke is a long-time computer technologist and analyst with over 35 years of experience, specializing in fraud and identity management. He has founded several companies, including multiple digital technology-related research firms. He sold his last, Javelin Strategy & Research, and now works full time as an expert witness in in major data breach cases. He was on the Consumer Advisory Board of the U.S. federal Consumer Financial Protection Bureau (CFPB) for three years and has testified to the U.S. House of Representatives. Suffice to say that Van Dyke has some relevant experience in and around data breaches.Breach Clarity allows any visitor to enter the name of a breached company and find out what information was taken and the relative risk of that particular breach, rated on a scale of 1 to 10, with 10 being the highest. The figures below shows two examples, one high risk and the other relatively low risk. Roger Grimes Roger GrimesIt shows you not only the relative ranking score, but what types of information were stolen (e.g., name, credit card or Social Security numbers) and tells you what type of fraud risk that particular type of data leads to. It also gives consumers actions they can take to protect their identity and to prevent fraud. In my testing of the site I found a few small bugs, and I didn\u2019t always agree with the rankings. I\u2019m not even sure what goes into the algorithm that determines the scores. However, I\u2019ve never come across a site that makes it so easy to see what information was taken, field by field, and what the potential risk exposure is. It\u2019s a really good start to a very complex problem.[Breach Clarity is] a really good start to a very complex problem.I talked with Van Dyke, and he\u2019s passionate about the subject and has extra personal motivation to help improve the world. That\u2019s a good thing and I\u2019m glad he is working on the problem.Breach Clarity complements HaveIBeenPwndI would love to see a feature where any person could put in their own name and see all the information that has been stolen about them, from what companies and when. That would be a very tough one for anyone to pull off because there is no centralized public (or even private) database that tracks breaches by individual name. That would be the Holy Grail.If I know that my information was breached from such-and-such a company, I can go to Jim\u2019s site and see what information was taken and get a relative risk score. Many times we aren\u2019t aware of data breaches that involve our information. when I went to Troy Hunt\u2019s HaveIBeenPwnd site, I was shocked at how many times my email address was listed as having been compromised. (Note: Hunt is putting his fantastic site up for sale. Kudos to the lucky buyer and thanks, Troy, for giving us a place to find out how many times our individual records were compromised.)What we need is a combination of the Breach Clarity and HaveIBeenPwnd services melded together, along with a publicly known algorithm that shows how the different breach severities were determined. I want to clarify that a truly low risk \u201cbreach\u201d such as leaving records behind in an old office is not nearly as risky as when a bad guy takes off with my personal information. The intent of the attacker, if known, needs to be part of the equation.I\u2019m delighted to see progress being made on better risk-ranking of data breaches. These new and evolving services aren\u2019t widespread yet, but they are steps in the right direction. I wish the Van Dykes and Hunts of the world greater success. We need these types of people out there being our advocates.