ITRC: Breaches Blast ’07 Record

August 25, 2008 6:57 am

With slightly more than four months left to go in 2008, the Identity Theft Resource Center (ITRC) has sent out a press release saying that it has already compiled 449 breaches, more than its total for all of 2007.

As they note, the 449 is an underestimate of the actual number of reported breaches, due in part to ITRC’s system of counting breaches that affect multiple businesses as one incident. This year we have seen a number of such incidents, including Administrative Systems, Inc., two BNY Mellon incidents, SunGard Higher Education, Colt Express Outsourcing, Willis, and the missing GE Money backup tape that reportedly affected 230 companies. Linda Foley, ITRC Founder, informs this site that contractor breaches represent 11% of the 449 breaches reported on their site this year.

Reiterating its emphasis in earlier press releases on the number of breaches rather than the number of records or individuals, ITRC notes, “in more than 40% of breach events, the number of records exposed is not reported or fully disclosed. This means the number of affected records is grossly incomplete and unusable for any statistic or research purpose. The use of potentially affected records generally causes more concern and is ‘news-sexy’.”

While this site concurs that the “total number of records or people” has been plagued by a number of problems, and I have blogged about these issues before, the usability of any statistic is ultimately the decision of individual researchers. And the numbers do matter, of course. As a consumer, I want to know if an employee thought so little of privacy and security that he left unencrypted data on 100,000 people in his car. I want to know why a visiting nurse is carrying around sensitive information on tens of thousands of patients when her case load is less than 100. The numbers tell me something about how proactive the entity was. And if big numbers are “news-sexy” and that’s what it takes to keep these issues in the public eye, then I suppose there is some value in them.

More important than the individual numbers, perhaps, are the details of a breach, something that is often lacking or glossed over in reports. As one example, when third-party benefits administrator Administrative Systems, Inc., disclosed that its office had been burgled in December 2007, it did not reveal the total number of clients affected, nor the total number of individuals whose unencrypted data were on the stolen computer. Given that just one of the dozens of clients informed this site that it had to notify 250,000 of its customers, the numbers for that breach might be staggering. But more importantly, perhaps, ASI’s notification letter did not tell those affected that ASI suspected the computer had been stolen by an employee, nor that in the course of the burglary the thieves walked past newer computers and took only the one computer that had all the client data on it. That information was never publicly revealed and only came to light when this site obtained the police reports in response to a Freedom of Information request. Although we can be somewhat understanding of the need for discretion during an ongoing investigation (in this case, the police were not able to determine the identity of the thieves and the case is on inactive status), if you were one of those affected, would knowing that the firm suspected one of its own employees, and that the thieves had ignored closer and newer computers and taken only the one with personal information, have influenced your level of concern or any steps you might take to protect yourself? ASI did nothing wrong as far as the laws on disclosure and notification go. But are we requiring too little?

PogoWasRight.org has repeatedly called for a national full disclosure law. Even with such a law, there would still be many breaches we will not know about in a timely fashion. But without any law, we will continue to remain in the dark and at risk. And as part of any dialogue, we need to take a hard look at why the federal government is not notifying businesses or individuals that their data has been exposed or accessed. When 11 people were recently indicted for hacking TJX and other businesses, some of those businesses stated that they had no evidence that there had been a breach and had therefore not notified customers. If the federal prosecutors had such evidence, what, if anything, did they tell these businesses? And if federal investigators find that 230 people had their identities stolen by illegal immigrants, who is responsible for ensuring that those individuals are notified? What are the government’s responsibilities in these situations?

As crime grows and any one crime can potentially impact millions of people — as this week’s Best Western Hotels (Europe) incident demonstrates yet again — the need for better protection, better monitoring, and better and faster notification and disclosure increases exponentially. Investigating cybercrimes is important, of course, but Washington needs to do a lot more, and we still do not have a national disclosure and notification law.

Correction: it seems reports concerning Best Western may not have been accurate. Best Western disputes the original reports and claims that 10 customers were affected from one hotel.
