Dr. Joseph Campana, author of a new data breach study, said, "We pay for information losses in higher prices, higher taxes, requests for more donations as well as through the personal inconveniences and costs of dealing with identity theft and privacy violations when our information is misused."
The three major sectors -- private, public and volunteer -- were considered in the comprehensive data breach study released today by J. Campana & Associates (http://www.JCampana.com). Breaches were analyzed by sector and subsector with respect to sector populations, breach incidents, profiles compromised, breach types, sources of breaches, and other key characteristics.
The Private Sector makes up 94% of all enterprises in the U.S., yet the study reports that it accounts for only 37% of the reported incidents. In contrast, the Public Sector comprises less than 1% of all U.S. enterprises yet accounts for 55% of all breaches.
According to the study, the disparity can be explained by examining who is reporting the data breaches. Generally, large and medium-sized organizations are doing almost all of the reporting. Few reports are made by small organizations.
For example, the smallest units of local government comprise more than 90% of government, yet this subsector reported only one breach in four years. Either most small organizations do not handle sensitive information, or they have exemplary information security, or they are not detecting or reporting data breaches. Campana shared an anecdote, "A town manager told me if it comes down to information security or potholes, I'm filling potholes, because that's what taxpayers call me about; fixing potholes will get me re-elected."

Mega Breaches accounted for less than 2.5% of the 1,100+ breaches considered over the study period, yet they accounted for 85% (230 million) of all the profiles compromised. Campana says, "These are alarming but scarce events, which should not be viewed as average data breaches by the public. We need to be as or more concerned about what an average breach looks like and how to prevent them. There are more of them, and they can and will go undetected unless they are addressed."
The major breach type in most sectors and subsectors involved laptop computers. Hacking, which ranked third across all sectors, was the leading breach type in the Retail Industry and in the University/College Group. Web access to sensitive information ranked fourth and was prevalent in the Public Sector, especially in the County Government Subsector, which continues to allow public Web access to land records containing unredacted personal information such as Social Security Numbers (http://www.prweb.com/releases/2009/02/prweb2105264.htm).
Over 60% of all breaches involve the loss, theft or improper disposal of computers and related devices and media. Over 20% involve Web access to sensitive information and improper handling of paper documents. "These breach types together compose 85% of the reported incidents and could be sharply reduced or eliminated by using data encryption and redaction technologies," according to Campana. He also goes on to say, "Breaches by mishandling documents are grossly under-reported. Many wrongly omit paper records from information security considerations." A reported data breach may say more about an organization's compliance than about its negligence. Organizations that report data breaches are frequently demonized, while negligent organizations are neither safeguarding, detecting nor reporting breaches. This dichotomy discourages reporting and compliance by responsible enterprises.
Campana said, "Everyone must realize that even with a model privacy and information security best practices program and the most current security technology, data breaches will continue to occur by accidental or malicious actions of insiders or outsiders."
Privacy, security and risk management professionals can use the results of the new study to assess and prioritize risks in their organizations, based on the risks the study found to be historically most probable for their sector, subsector and industry group. The report, "Data Breach Risk Factors 2005-2008: An Information Security Risk Management Resource Guide for Security and Risk Professionals," is available from J. Campana & Associates LLC (http://www.JCampana.com). The color report contains 55 pages (15,000 words) and 40 figures and tables.
About the Author: Joseph E. Campana, Ph.D. is a Privacy and Information Security Professional and the principal of J. Campana & Associates LLC. Dr. Campana is the author of the book "Privacy MakeOver: The Essential Guide to Best Practices" (http://www.PrivacyMakeOver.com) and several reports and white papers, including "Identity Theft: The Business Time Bomb." Campana has over 30 years of research and research management experience. He has been awarded research fellowships at the Johns Hopkins University School of Medicine, the National Research Council, NATO and the University of Wisconsin. Campana has published over 50 research papers in refereed journals and has served as a guest editor for several professional journals. Joe Campana also authors a daily blog on identity theft, privacy and information security (http://www.PrivacyDiary.com).