January 7, 2009
It seems 2008 was a year of ups and downs, with home values and stock prices going down, but reports of data breaches increasing dramatically during the year.
The Identity Theft Resource Center's (ITRC) 2008 breach report reached 656 reported breaches at the end of 2008, reflecting an increase of 47 percent over last year's total of 446.
In terms of sub-divisions by type of entity, the rankings have not changed between 2007 and 2008 within the five groups that ITRC monitors. The financial, banking and credit industries have remained the most proactive groups in terms of data protection over all three years.
The Government/Military category has dropped nearly 50 percent since 2006, moving from the highest number of breaches to the third highest.
According to ITRC reports, only 2.4 percent of all breaches had encryption or other strong protection methods in use. Only 8.5 percent of reported breaches had password protection. It is obvious that the bulk of breached data was unprotected by either encryption or even passwords.
The ITRC tracks five categories of data loss methods: data on the move, accidental exposure, insider theft, subcontractors, and hacking. Subcontractor breaches, while counted as one breach each, in some cases affected dozens of companies. It is important to note that the number of breaches reported does not reflect the number of companies affected.
These trends continue to plague companies and government alike, despite education on safer information handling, new laws and regulations. Mal-attacks, hacking and insider theft, account for 29.6 percent of those breaches that reported the causal factor. Insider theft, now at 15.7 percent, has more than doubled between 2007 and 2008.
On the other hand, data on the move and accidental exposure, both human error categories, showed noteworthy improvement, but still account for 35.2 percent of those breaches that indicate cause.
Electronic breaches continue to outnumber paper breaches. While there were 35.7 million records potentially breaches according to the notification letters and information provided by breached entities, 41.9 percent went unreported or undisclosed making the total number of affected records an unreliable number to use for any accurate reporting.
Based on the breach reports from the past 3 years, the ITRC strongly advises all agencies and companies to:
Minimize personal with access to personal identifying information.
Require all mobile data storage devices that contain identifying information encrypt sensitive data.
Limit the number of people who may take information out of the workplace, and set into policy safe procedures for storage and transport.
When sending data or back-up records from one location to another, encrypt all data before it leaves the sender and create secure methods for storage of the information, whether electronic or paper.
Properly destroy all paper documents prior to disposal. If they are in a storage unit that is relinquished, ensure that all documents are removed.
Verify that your server and/or any PC with sensitive information is secure at all times. In addition to physical security, you must update anti-virus, spyware and malware software at least once a week and allow your software to update as necessary in between regular maintenance dates.
Train employees on safe information handling until it becomes second nature.