ITRC Calls for Universal Data Breach Reporting
Non-profit identity theft prevention organization says shoddy reporting keeps consumers in the dark and at greater risk.
A total of 662 significant data breaches were reported in the U.S. in 2010, up 33 percent from 2009, but that's probably only the tip of the iceberg, according to a new report from the Identity Theft Resource Center (ITRC).
While this sharp increase is both disturbing and costly, ITRC officials said the bigger concern is that there is currently no centralized, publicly available data breach reporting site or repository where consumers or businesses can ascertain exactly how much data, and what type, has been compromised in these ever-increasing breaches.
The ITRC, a non-profit identity theft watchdog organization, said it reported almost 200 breaches, or 29 percent of the total recorded. These security breaches were culled from data collected by the comparatively few mandatory reporting sites operated by a handful of states and industry-specific regulators.
ITRC's report, released this week, found that only 51 percent of publicly reported data breaches disclosed the total number of records or files compromised, a total of just over 16 million files. That means almost half of the reported breaches failed to provide details on whether social security numbers, credit card numbers, addresses or other personal information were exposed.
"The nation needs a centralized, publicly available, data breach reporting site," ITRC officials said in the report. "It should be comprehensive enough to allow readers to find out what happened, what information was compromised, and why the breach happened."
"This would also allow law enforcement to better address this type of crime," it added.
Attorneys general in some states this year initiated new laws requiring companies to publicly disclose any and all data breaches in a timely manner, giving consumers greater transparency into both the nature and specifics of each incident. Maryland and New Hampshire were among this small group, reporting 160 and 96 breaches, respectively.
Another small group of states -- Nevada, Washington and Minnesota -- has recently passed legislation holding companies responsible for failing to comply with Payment Card Industry (PCI) standards designed to thwart identity theft.
The report discovered that 62 percent of all reported incidents involved the exposure of consumers' social security numbers while another 26 percent compromised payment card information.
More troubling is the fact that about 20 percent of all data breaches reported were defined as paper breaches, which fall outside of most state and regulatory agencies' electronic reporting requirements. Most of the time, according to ITRC, these paper breaches are never reported or only come to light in local media reports.
Of the 662 incidents reported last year, about 17 percent were committed by hackers with malicious intent and just over 15 percent were classified as either insider theft or accidental exposures.
"Breaches happen," an ITRC official said. "Consumers, government and the business community need to stop acting like ostriches with their heads in the sand."
Follow eSecurityPlanet on Twitter: @eSecurityP.