Stats Suggest Breach Reporting Should Be Mandatory

The U.S. would benefit from a mandatory reporting system for data breaches, Identity Theft Resource Center founder says.

by Hilton Collins / January 19, 2011

More data breaches and identity theft incidents were reported nationwide in 2010 than in 2009. But breach incidents remain underreported and lack transparency, according to researchers at a nonprofit that aggregates this data, who say a mandatory nationwide reporting system is necessary.

The Identity Theft Resource Center released the 2010 ITRC Breach List in January, reporting that 2010 saw 662 recorded breaches combined in the public and private sectors, an increase over 2009’s 498 breaches. In 2008 there were 657, and 446 in 2007. The year-to-year data indicates that the number of breaches is rising in spite of peaks and dips along the way.

Breaches are underreported each year. Linda Foley, the center’s founder, said that mandatory reporting by all breached entities would help clear up confusion.

“I think it would help us as a nation to identify what weaknesses the criminals are using to their benefit so that a best-practice model can be developed, which would be adopted by businesses as part of their security protocol,” she said.

A single public list of nationwide breaches could shed light on how pervasive breaches are and also assist researchers in creating ways to overcome them. Foley feels this would be a better alternative to current reporting practices, which are piecemeal and not uniform. Currently companies that suffer a data breach that involves people in more than one state must notify each state with a resident involved.

“It’s an arduous task for large companies,” Foley said.

She added that in some situations, breached organizations are allowed to determine whether or not there’s any risk to victims before they notify anyone. “It’s sort of like the fox guarding the henhouse,” Foley said.

Even though no master federal list of breaches exists, some states have protocols in place for mandatory reporting. The ITRC reports that 200 breaches, or about 30 percent of those disclosed, were credited to information provided by the states with mandatory reporting. Two hundred fifty-five breaches didn’t include the manner by which records were exposed. The ITRC segments breaches into various categories, including human error, insider theft and hacking.

The center’s breach list compiles reported breaches in the education, business, government, health-care and financial sectors. The business sector was the leader by far in reported breaches with 279. Health care followed with 160 and the government at 104.

The number of people affected in a breach can be staggering. The 662 breaches from 2010 involved more than 16 million records total. The 498 in 2009 involved more than 222 million people, and more than 132 million of those came from 208 breaches in the business sector.


Hilton Collins

Hilton Collins is a former staff writer for Government Technology and Emergency Management magazines.
