Reported data breaches for 2007 tallied 446.
The 2008 report reflects 656 "reported" data breaches.
In terms of sub-divisions by type of entity, the rankings have not changed between 2007 and 2008 within the five groups that ITRC monitors.
The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years.
The Government/Military category has dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest.
As the chart indicates, the business community still needs to enhance and enforce data security measures.
Entity type           2008 breaches   2008 share   2007 share   2006 share
Business                   240          36.6%        28.9%        21%
Educational                131          20%          24.8%        28%
Government/Military        110          16.8%        24.6%        30%
Health/Medical              97          14.8%        14.6%        13%
Financial/Credit            78          11.9%        7%           8%
According to ITRC reports, only 2.4% of all breaches had encryption or other strong protection methods in use.
Only 8.5% of reported breaches had password protection. It is obvious that the bulk of breached data was unprotected by either encryption or even passwords.
The ITRC tracks five categories of data loss methods. The 2008 figures, by sector, are:
Method (2008)          Financial   Business   Education   Gvt/Military   Medical
Insider Theft          2.4%        5.6%       1.8%        3.4%           2.4%
Hacking                3.5%        6.1%       2.7%        0.8%           0.8%
Data on the Move       1.7%        7.3%       0.3%        4.3%           4.4%
Accidental Exposure    0.8%        3.0%       6.1%        3.0%           1.5%
Subcontractor          0.8%        3.5%       1.5%        2.3%           2.3%
Subcontractor breaches, while counted as one breach each, in some cases affected dozens of companies.
It is important to note that the number of breaches reported does not reflect the number of companies affected.
Sadly, these trends continue to plague companies and government alike, despite education on safer information handling, new laws and regulations.
Malicious attacks (hacking and insider theft) account for 29.6% of those breaches.
Insider theft, now at 15.7%, has more than doubled between 2007 and 2008.
On the other hand, data on the move and accidental exposure, both human error categories, showed noteworthy improvement, but still account for 35.2% of those breaches that indicate cause.
Electronic breaches (82.3%) continue to outnumber paper breaches (17.7%). Notification letters and information provided by breached entities put the number of records potentially breached at 35.7 million, but 41.9% went unreported or undisclosed, making the total number of affected records an unreliable figure for any accurate reporting.
Based on the breach reports from the past 3 years, the ITRC strongly advises all agencies and companies to:
1. Minimize the number of personnel with access to personal identifying information.
2. Require that all mobile data storage devices containing identifying information encrypt sensitive data.
3. Limit the number of people who may take information out of the workplace, and set into policy safe procedures for storage and transport.
4. When sending data or back-up records from one location to another, encrypt all data before it leaves the sender and create secure methods for storage of the information, whether electronic or paper.
5. Properly destroy all paper documents prior to disposal. If they are in a storage unit that is relinquished, ensure that all documents are removed.
6. Verify that your server and/or any PC with sensitive information is secure at all times. In addition to physical security, you must update anti-virus, anti-spyware and anti-malware software at least once a week and allow your software to update as necessary in between regular maintenance dates.
7. Train employees on safe information handling until it becomes second nature.
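Recommendations 2 and 4 both come down to the same control: sensitive records must be encrypted, with integrity protection, before they sit on a portable device or leave the sender. The following Go program is an added illustration of that control and is not part of the ITRC report or its advice; the sample record, the hypothetical transfer identifier "backup-transfer-0001", and the function names are constructed for the example. It uses AES-256-GCM from the Go standard library, which both encrypts the data and rejects any record that was altered in transit or on lost media, and it binds a per-transfer label so a sealed record from one transfer cannot be passed off as another.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// NewKey returns a fresh random 256-bit key. In practice the key lives in a
// key store and reaches the receiving site out of band; it must never travel
// on the same media as the encrypted records.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts plaintext with AES-256-GCM. label (a transfer or backup
// identifier) is authenticated but not encrypted, so a sealed record cannot be
// silently substituted for one belonging to a different transfer.
// Output layout: nonce || ciphertext || 16-byte authentication tag.
func SealRecord(key, label, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per record; reusing a nonce under the same key
	// destroys GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// OpenRecord reverses SealRecord. Any change to the nonce, ciphertext, tag or
// label makes gcm.Open fail, so corrupted or tampered media is detected
// instead of being decrypted to garbage.
func OpenRecord(key, label, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; a real transfer would read the backup file.
	record := []byte("customer-id=12345;name=Example Person;status=active")
	label := []byte("backup-transfer-0001") // hypothetical transfer identifier

	sealed, err := SealRecord(key, label, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d bytes for transport\n", len(record), len(sealed))

	// Receiving side: a wrong label or a single flipped bit is rejected outright.
	if _, err := OpenRecord(key, []byte("backup-transfer-0002"), sealed); err != nil {
		fmt.Println("label mismatch rejected:", err)
	}
	sealed[len(sealed)-1] ^= 0x01
	if _, err := OpenRecord(key, label, sealed); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
	sealed[len(sealed)-1] ^= 0x01
	plain, err := OpenRecord(key, label, sealed)
	if err != nil {
		panic(err)
	}
	fmt.Println("recovered:", string(plain))
}
```

The design point is that encryption alone does not satisfy recommendation 4: a receiver also needs to know the records it got are the records that were sent, which is why an authenticated mode is used and why the transfer label is fed in as associated data rather than sent as loose metadata.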
The Identity Theft Resource Center (ITRC) is a non-profit organization established to support victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft.
***************************************************
Effective business data security starts with assessing what information you have and identifying who has access to it. See the requirements of the upcoming Red Flag Rules, which require full compliance by creditors and financial institutions this year, and the tips on incorporating a written identity theft prevention plan.
See also the earlier blog posts on the Red Flag Rules.
I like to pass along things that work, in hopes that good ideas make their way back to me. Data breaches and thefts are due to a lagging business culture – and people aren’t getting the training they need. As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a breach.