According to the Identity Theft Resource Center (ITRC), there were 662 data breaches in 2010. But those are only the ones we know about. Alas, not all breaches get reported, the group says.

"Other than breaches reported by the media and a few progressive state websites, there is little or no information available on many data breach events, ITRC said in a statement.  "It is clear that without a mandatory national reporting requirement, that many data breaches will continue to be unreported, or under-reported."

Mandatory reporting has had a positive impact on the reported number of medical data breaches.  First published this year, the Department of Health and Human Services (HHS) Breach List has identified 214 breaches to-date. 

Unfortunately, ITRC says the HHS database provides insufficient information for the public to know what types of records were placed at risk.  The HHS breach report does not detail whether names, x-rays or Social Security Numbers (SSN) were included in the exposed data. 

The public has no way of knowing just how minor or serious the data exposure was for any given incident. Media has helped by reporting more details for some breach events.

In addition, state mandated reporting of all breaches - by several state Attorneys Generals - increased public reporting, but only applies if an individual in that state might be affected.  In 2010, New Hampshire listed 96 breaches and Maryland reported 160.  Wisconsin and Vermont have small lists of reported breach events.

Approximately 200 breaches, 29 percent of the 662 total reported by ITRC, were credited to information provided by these "mandatory reporting" states.  The group says this is a clear argument for mandatory reporting to achieve transparency for the public.

Highlights of the ITRC Breach List analysis include:

  • Paper breaches account for nearly 20 percent of known breaches and typically go unnoticed until a consumer reports the problem to local media.  There is generally no mandatory reporting requirement for paper breaches.
  • Malicious attacks still account for more breaches than human error, with hacking at 17.1 percent and insider theft at 15.4 percent.
  • 38.5 percent (255) of listed breaches did not identify the manner in which the information was exposed.  This indicates a clear lack of transparency and full reporting to the public.
  • 51 percent of publicly reported breaches indicated the number of records exposed, totaling 16.1 million records.  Note: records can mean credit cards, bank accounts or other information.  It is not representative of the number of people involved. However, nearly half of all breaches did not list number of potentially exposed records. This ingrained inaccuracy in reporting is another argument for mandatory reporting.
  • 412 breaches reported exposure of Social Security Numbers, representing 76 percent of known records.
  • 170 breaches involved credit or debit cards, representing about 29% of known records.

 

"The nation needs a centralized, publicly available, data breach reporting site," ITRC said. "It should be comprehensive enough to allow readers to find out what happened, what information was compromised, and why the breach happened.  This would also allow law enforcement to better address this type of crime."