Data Breach Disclosure Law Urged For US
A report has identified over 600 major data breaches in 2010 but there are fears many more went unreported
A new report from the Identity Theft Resource Center (ITRC) has found that there were 662 reported data breaches in the United States in 2010, most of which involved the theft of Social Security numbers.
The actual number is considerably higher because current regulations in the United States don’t require all data breaches to be disclosed, the group said.
“Other than breaches reported by the media and a few progressive state websites, there is little or no information available on many data breach events,” said the ITRC.
Reluctant Disclosure
While some organisations disclosed exactly how many customers or records were compromised, many said nothing at all. The report found that only half of the reported data breaches included information about the number of records compromised, totalling 16.1 million records.
While that is a staggering amount of data, the fact that it reflects only half of the breaches and that the records do not equal the number of people affected underscores “ingrained inaccuracy” in reporting breaches, the ITRC said.
Honda reported a data breach on 28 December affecting 2.2 million customers but didn’t disclose the total number of records compromised. Thieves stole customer names, email addresses and vehicle identification numbers from an email marketing provider that Honda partnered with, but the full magnitude of the breach is still unknown at this point.
Mandatory Reporting
Without a “mandatory national reporting requirement,” many data breaches will continue to be “unreported, or under-reported,” the group said.
The numbers have fluctuated over the years, as there were 498 breaches reported in the United States in 2009, compared with 657 reported in 2008 and 446 incidents in 2007. The group estimated that more than 222 million records were compromised in 2009.
In a majority of the data breaches, about 62 percent of reported incidents, Social Security numbers were stolen, according to the report. In contrast, credit card and debit card details were stolen in 26 percent of the reported incidents.
While mandatory reporting has been helpful in learning about medical data breaches, the Department of Health and Human Services neglected to provide information about the types of records that were compromised, the report said. Of the 214 medical data breaches, “the public has no way” of knowing whether names or Social Security numbers were included in the exposed data, the ITRC said.
Malicious theft still accounts for more data breaches than mere human error, the report found. About 17 percent of the data breaches were the result of someone hacking the systems, with insider thefts close behind at 15 percent. A fraud report by London-based consultancy Kroll recently said information theft is most likely to be an “inside job” with junior employees as well as senior management the most common perpetrators.
Paper breaches accounted for nearly a fifth of known breaches, but for about 38 percent of incidents, it was not clear how the thieves accessed the data, according to the report.
US Law Change?
“Breaches happen,” the ITRC wrote, but the government and the business community “need to stop acting like ostriches with their heads in the sand,” with their refusal to publicise the breaches. It’s also “not acceptable” to decide whether or not to notify the public based on the company’s concept of “risk of harm,” as thieves can continue using the stolen data months after the original exposure, the authors said.
Several states have mandated the reporting of all breaches, but each state’s law applies only to breaches affecting that state’s own residents. In 2010, New Hampshire listed 96 breaches and Maryland had 160, the report found.
Sightseeing firm CitySights NY reported a database breach on 9 December that compromised credit card numbers belonging to 110,000 customers. However, it was required to notify only the attorneys general of Massachusetts and New Hampshire, because 2,150 of the affected customers were residents of those two states, which mandate reporting. While TwinAmerica, the parent company, is investigating the breach, there is no other information available about the remaining affected customers.
About 29 percent of the total breaches were publicised because of the “mandatory reporting” rules in some states, the report said. “Mandatory reporting is on the horizon. It will be demanded either by consumer lobbying or legislation,” the group said.