As an organization specializing in monitoring and tracking data breaches, the ITRC has come across varying degrees of breaches and reasons for notification due to the varying types of compromised information. We would like to take this opportunity to address some of the differences and provide some insight into our approach for tracking data breach incidents.
According to most state laws, a data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property. Note that under these state breach laws, non-personal identifying information is not included.
Next, let's consider hacking. By definition, "hacking" is the deliberate and unauthorized access, use, disclosure, and/or taking of electronic data on a computer. Hacking efforts target all types of information - from high level intellectual property down to individual personal information, both sensitive and non-sensitive information. Taken together, these two situations result in nearly 26% of the "reported breaches" included on the 2011 Identity Theft Resource Center Breach List.
This brings us to the definition of "reported breaches". ITRC only publishes breach incident information which is available from credible, public resources. Breach incidents are tracked daily from sources such as state Attorneys General offices, a variety of media sources, and other well-recognized and respected entities that track and capture this information from publicly available sources. This approach means that the ITRC Breach Report only reflects the tip of the iceberg.
In 2011, 41% of the breaches on the ITRC report show the number of records exposed as "unknown." In addition, ITRC is aware of a significant number of breaches that are not made public. As a result, it is not possible to provide truly accurate numbers - either for the number of breaches or the number of records. The majority of "reported breaches" included in the list are those which have met "breach notification triggers" established by the various state laws regarding this issue. Usually these incidents are electronic in nature, and must also expose information identified as PII, such as first and last name combined with a social security number, driver's license or state identification number and/or financial account numbers (including debit and credit cards). Some states have expanded this "trigger" definition to include medical and healthcare information. This situation leaves large loopholes for breaches to remain unreported.
Currently we know that:
- An undeterminable number of breaches go unreported, even when notification should have been triggered according to the applicable state laws.
- Many breach notifications (at least what is disclosed by the entity) underreport the number of records.
- Many breach notifications also do not clearly define the types of information exposed.
- Public information is often incomplete in detailing how the breach occurred.
- Many breaches involving non-PII, such as email addresses, user names, and passwords, are not reported because they do not meet the "breach notification triggers" established by various state laws.
To date, state laws have not added notification "triggers" for paper breaches, or for incidents which involve non-personal types of information, i.e. passwords, usernames and email information. Paper breaches have been captured and categorized on the ITRC Breach Reports since 2005, even though these types of breaches did not trigger breach notifications. Paper breaches are typically "outed" by external sources (consumers, media, etc.), and are not usually reported since there is no mandatory reporting. The reality is that paper breaches present a higher level of "risk of harm" because the information is often "ready to use" and may even include signatures.
Since there is no mandatory reporting for these types of breaches, individuals have no way of knowing they should be concerned about having their information exposed, and subsequently used for identity theft. Over the past five years, even without a requirement for notification, paper breaches have represented an average of 19.6% of the total breaches.
Another issue not addressed by the current set of state breach notification laws is how to handle data breach incidents which expose non-sensitive personal information. This non-sensitive personal information is a rich source for phishing scams. Exposed user names and passwords give an attacker an easy starting point, since most people reuse variations of the same password across multiple accounts. Even an email account takeover can be used to ask a victim's friends for help to "get back from London," or to start a directed "spear phishing" attack on employees of your company. Because of these risks, the ITRC began to capture and track these non-PII breach incidents even though they often did not include the types of personal identifying information necessary to trigger a breach notification.
One thing that remains clear is that when it comes to electronically stored information, the ability of cyber-criminals to gain access to this information will always outpace legislative and law enforcement efforts to curb their malicious activity. All businesses should take note of these trends and react aggressively to protect themselves, their employees, and their customer base from harm. The current call for a Cybersecurity bill in the U.S. Senate should underscore the need for all businesses to strengthen their security efforts.