Lies, Damn Lies, & Data Breaches
A report out of the Identity Theft Resource Center claims that the number of data breaches in 2008 has already surpassed 2007's total of 446. While it's intuitively obvious that the number of data breaches is increasing, I have a hard time putting much credence in the actual numbers reported by the ITRC or the reasons they cite for the increase.
The first problem with counting data breaches is that we all need to admit that the only statistics we see at all are reported data breaches. Until 2003, when California passed the watershed legislation in this field, SB 1386, very few breaches had to be reported, and predictably almost none were. Initially, many global enterprises ignored SB 1386, assuming that if they didn't have a presence in California they weren't subject to its requirements. It took a while before most enterprises, particularly those outside of California, internalized the meaning of section 1798.92(a), which reads:
"Any person or business that conducts business in California, and that owns or licenses computerized data that includes personal information, shall disclose any breach of the security of the system following discovery or notification of the breach in the security of the data to any resident of California whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure shall be made in the most expedient time possible and without unreasonable delay..."
What this means, of course, is that any enterprise that has any customers in California is subject to the disclosure requirements of SB 1386. So, when the ITRC asserts that the growth in the number of breaches reported is due primarily to the increase in the number of states with similar statutes, I have a hard time with the assertion. I may be parochial here, but it just defies logic that the addition of four new state disclosure laws in 2007 in relatively unpopulous states (Arizona, Utah, New Hampshire and Vermont) can have a material effect on the number of reported breaches.
Then, of course, there's the whole question of whether the difference reported by the ITRC is even statistically material. I don't have quite the time today to get into this, but for an interesting contrarian point of view on it, check out the Chronicles of Dissent posting from December.
We can argue about the numbers all we want, but what seems clear at this point is that breaches likely are increasing in number and severity (number of records stolen). It also seems clear that the real drivers are the increasing skills and resources available to the bad guys. Buckle up, this is going to be an interesting ride.