Does it feel like you’re hearing about a new data breach almost every day?

Well, guess what: you likely are. The Identity Theft Resource Center recorded 662 data breaches on its 2010 ITRC Breach List. That averages to over a dozen reported breaches per week, and a whopping total of over 16,000,000 reported exposed records in 2010. The fact that Social Security numbers and/or credit card information are included in the majority of breaches just makes things even more alarming!

Denise Richardson lays out a solid argument for mandatory data breach reporting, as well as some key takeaways from the ITRC Breach List, including:

  • Malicious attacks still account for more breaches than human error, with hacking at 17% and insider theft at 15%
  • 39% of listed breaches did not identify the cause, indicating a clear lack of transparency and full reporting to the public
  • 49% of breaches did not list the number of potentially exposed records, a clear sign of inaccurate and incomplete reporting
  • 62% of breaches reported exposure of Social Security Numbers
  • 26% of breaches involved credit or debit cards

As I’ve blogged about before, I firmly believe that breached individuals have the right to timely notification.  Delays are unacceptable, and hiding it is unthinkable.  Afflicted people deserve quick notification so they can ensure their credit report isn’t showing strange activity and that their social security number isn’t being used to open new credit cards or being used to fraudulently report wages.

Mandatory disclosure would provide the structure, discipline and enforcement required for consistent and transparent breach information.  Compliance would require a very high level of visibility and control of all files that enter, bounce around and exit an organization.  This would benefit not only breached individuals, but also the organizations and their business partners.