The Identity Theft Resource Center is singing to this choir. Their most recent press release:
As of June 30th, The Identity Theft Resource Center® recorded 341 individual breaches for the first six months of 2010. Unfortunately, hundreds of breaches have been veiled from the public, delayed in publication, or not listed on any public lists. The question still remains: How many breaches and victims are there?
Despite a law stating all medical breaches involving more than 500 people must be listed on the Health and Human Services (HHS) breach list, ITRC recorded medical breaches which never made the list. Why? The HHS list allows a “risk of harm” loophole, without requiring federal law enforcement verification. One state’s recent breach list reported more than 200 breaches. Most are not included in the ITRC Breach Report because they did not include sufficient pertinent details regarding the event. Some states now harbor a protected breach list which is not made public at all, or is only accessible by exercising the Freedom of Information Act.
The ITRC has a clearly defined policy on what constitutes a breach: an event in which an individual name plus Social Security Number (SSN), driver’s license number, medical record or a financial record/credit/debit card is potentially put at risk – either in electronic or paper format. Most agencies, state and federal, have a similar understanding of what constitutes a breach. Why is there such a disparity between the number of breach occurrences and the information made available to the public? Why is there not a greater effort for openness and transparency with the public? If an agency as small as the ITRC can publish a weekly breach list, then doing so is certainly within the abilities of any state or federal agency. The list posted by the New Hampshire Attorney General’s Office is a shining example of transparency in the interest of the public good.
It is important for the public, when becoming aware of the details of a data breach, to immediately have a broad understanding as to whether their personal information may be involved. Incomplete information feeds public fears and does not accomplish the intended transparency of most breach laws. This situation further encourages bad behavior on the part of companies who should be more concerned about the protection of the privacy of their customers. Consumers want to know if they are at risk from even a small breach. The details of a breach help determine their risk factors as well as guide them in proactive measures.
Since 2005, the ITRC has maintained a detailed breach list which is updated weekly. This list, and supplemental reports, allows the ITRC to compare data of known breaches and help form a partial picture of breach patterns. For 2010 we know:
- 46% of all breaches do not disclose how many records were potentially affected
- 38% of all known breaches didn’t disclose how the breach occurred
- The business community accounted for 36% of all breaches, the highest category listed
- 82% of all breaches were electronic and 18% were paper oriented
- Data on the Move accounted for 17% of all breaches with the business community ranking highest. If added with Accidental Exposure (8%), 25% of data breaches were presumably non-malicious in nature
- Insider Theft (17%) and hacking (17%) resulted in a combined total of 34% of breaches known to have occurred from malicious attacks.
ITRC and the public will not know the whole story about breaches until a public federal database is created listing all data breaches in detail. Until then, we teeter around the edge of a black hole getting only glimpses of light upon hidden breach events.