The Good, the Bad, and the Ugly News about Data Breaches


We'll start with the good news: 2009 had the fewest reported data breach incidents over the past four years, according to a report by Perimeter E-Security.

The bad news: 2009 had the highest totals ever (more than 200 million) in the number of records compromised. However, Perimeter reported that:

96 percent of those came from the very large breaches of Heartland Payment Systems (130 million) and the National Archives and Records Administration (76 million). Had it not been for those two breaches, it would have been the lowest year since 2003 in terms of total records compromised.

The ugly news: nearly 40 percent of publicly disclosed data breaches in 2009 didn't include the number of records compromised. So that 200 million number is likely much higher.
The report also found that stolen laptops are the most common cause of data breaches, but those breaches result in only 1 percent of records compromised and the number of breaches caused by laptop theft is down 54 percent since 2008.
This study tells me that companies as a whole are becoming more knowledgeable when it comes to protecting data, although there is still a lot of room for improvement (improper disposal of documents, for example, increased 130 percent from 2008). But the picture is inaccurate because, while we may know how many breaches have occurred and how many companies have been affected, we don't really know how many people (those individuals whose records were not accounted for) may have been affected. After all, these breaches result in both financial loss for the victims and major repercussions for the breached organizations, including an average cost of $204 per compromised record and a loss of the valued trust of their customers. According to the report, the average total cost of a data breach rose to $6.75 million.

Laws requiring disclosure of breaches have certainly gotten this information out to the public, which is good, but as I wrote just a few months ago, there is still a need for changes in the way disclosures are reported, especially the number of records hit.