
Data Breaches Undeterred by Laws or Common Sense

Posted in: Press Releases, ITRC Surveys & Studies
Jun 15, 2009 - 1:29:43 PM



Contact:  Karen Barney, Media Coordinator - 858-693-7935 x104


San Diego, CA (June 16, 2009): Malicious attacks on databases and the incidence of paper breaches have reached an all-time high percentage in the first half of 2009, as reported by the Identity Theft Resource Center. This is based upon the 250 data breaches reported by the ITRC as of Monday, June 15. Having maintained a data breach list since 2005, the ITRC knows that this is just the tip of the iceberg, as many breaches are not made public.
 
ITRC counts the “insider theft” and “hacking” categories as malicious attacks. In the first half of 2009, 18.4% of all breaches were from “insider theft.” This compares to 15% (2008) and 6% (2007). In the same period of 2009, “hacking” totaled 18% of all data breaches, compared to 11.7% (2008) and 14.1% (2007). These 2009 percentages represent a significant increase over 2008 (+10%). Malicious attacks now represent 36% of the 250 breaches this year.

In 44 states and the District of Columbia, there are specific laws about security breaches. The laws require any company or agency in possession of Social Security numbers (SSN), financial account information and other sensitive information to follow procedures to protect that information. While all these laws encompass the protection of electronic data, most make no mention of paper breaches. As yet, no federal security breach bill addresses this problem. Unfortunately, more than 25% of the breaches year to date are paper breaches. Paper breaches are often documents with personal information disposed of in trash cans or dumpsters, left for the taking by those who didn’t take the time to shred them. This raises the questions: “What were they thinking?” and “Why don’t we have laws regarding paper breaches?”

Any entity that has requested your information should have the technology and policies in place to limit access to sensitive information. If your SSN (or other sensitive information) is not needed, then it should not be requested or stored. Professors should not have student SSNs from years past on laptops. Companies can set up verification systems so that a consumer does not have to give their SSN to find out their current balance. It is outrageous that in 2009 many companies still “don’t get it.” Social Security numbers, financial account numbers and other personal identifiers need safekeeping and limited access, whether they are electronic data or paper documents.

Regarding data encryption, we often hear that a laptop or a portable storage device was stolen and the sensitive data was NOT encrypted.  As of June 15, only 0.4% of all breaches had encryption or other strong protection methods in use.  Another 7.2% of reported breaches had data password protection (password protection is a minimal level of protection at best).  That leaves 92.4% of sensitive data that had no protection at all.  Many of these breaches are repeated events affecting the same company or agency.  In the words of George Santayana, “Those who do not learn from history are doomed to repeat it.”

Breaches cost businesses and the government money, a direct hit to their reputation, and a possible loss of consumer trust. For years, companies have said that it would cost more to make protective changes than to pay the price of a data breach. That formula is dated, incorrect, and a risky business practice. Breaches now have significant business costs attached to notification and mitigation. The fact is that any company or agency implementing effective data protection will save money in the long run. More importantly, they will enhance trust with their customers and the public.

Robert Kennedy said: “Few will have the greatness to bend history itself; but each of us can work to change a small portion of events, and in the total of all those acts will be written the history of this generation.”

Reports used for this release are available on the ITRC website:
http://www.idtheftcenter.org/artman2/publish/lib_survey/Breaches_2009.shtml

About the ITRC
The Identity Theft Resource Center® (ITRC) is a non-profit organization established to assist victims of identity theft in resolving their cases, and to broaden public education and awareness in the understanding of identity theft. It is the ongoing mission of the ITRC to assist victims, educate consumers, research identity theft and increase public and corporate awareness about this problem. Additionally, ITRC has a program to help businesses assess their risk factor, educate them about identity theft and, if necessary, respond to a data exposure event. Visit www.idtheftcenter.org. No-cost Victim Assistance toll-free hotline: 888-400-5530.

-30-



