The data breach reporting landscape – part 1

Published: February 28, 2012 by kbarney

Our guest blogger this week is Karen Barney of the Identity Theft Resource Center (ITRC).

As an organization specializing in monitoring and tracking data breaches, the ITRC has come across varying degrees of breaches and reasons for notification due to the varying types of compromised information. We would like to take this opportunity to address some of the differences and provide some insight into our approach for tracking data breach incidents.

According to most state laws, a data breach is an incident in which sensitive, protected or confidential data has potentially been viewed, stolen or used by an individual unauthorized to do so. Data breaches may involve personal health information (PHI), personally identifiable information (PII), trade secrets or intellectual property. Note that under these state breach laws, non-personal identifying information is not included.

Next, let’s consider hacking. By definition, “hacking” is the deliberate and unauthorized access, use, disclosure, and/or taking of electronic data on a computer. Hacking efforts target all types of information – from high-level intellectual property down to individual personal information, both sensitive and non-sensitive. Taken together, these two situations result in nearly 26% of the “reported breaches” included on the 2011 Identity Theft Resource Center Breach List.

This brings us to the definition of “reported breaches”. ITRC only publishes breach incident information which is available from credible, public resources. Breach incidents are tracked daily from sources such as state Attorneys General offices, a variety of media sources, and other well-recognized and respected entities that track and capture this information from publicly available sources. This approach means that the ITRC Breach Report only reflects the tip of the iceberg.

In 2011, 41% of the breaches on the ITRC report show the number of records exposed as “unknown.” In addition, ITRC is aware of a significant number of breaches that are not made public. As a result, it is not possible to provide truly accurate numbers – either for the number of breaches or the number of records.

The majority of “reported breaches” included in the list are those which have met “breach notification triggers” established by the various state laws regarding this issue. Usually these incidents are electronic in nature, and must also expose information identified as PII, such as first and last name combined with a Social Security number, driver’s license or state identification number and/or financial account numbers (including debit and credit cards). Some states have expanded this “trigger” definition to include medical and healthcare information. This situation leaves large loopholes for breaches to remain unreported.

Currently we know that –

  • An indeterminable number of breaches go unreported, even when notification should have been triggered according to the applicable state laws.
  • Many breach notifications (at least what is disclosed by the entity) underreport the number of records.
  • Many breach notifications also do not clearly define the types of information exposed.
  • Public information is often incomplete in detailing how the breach occurred.
  • Many breaches involving non-PII, such as email addresses, user names, and passwords, are not reported because they do not meet “breach notification triggers” as established by various state laws.