New laws and regulations governing data security breaches and their disclosure affect the way nearly all organizations do business in the United States. This study, by Perimeter CTO Kevin Prince, reviews the scope and impact of data security breaches in an effort to encourage proactive changes to the risk mitigation technologies, policies, and procedures that reduce an organization's exposure to a breach incident.
Here, Prince examines data breaches distributed across five verticals: finance, health care, retail, government and education. Keep in mind, however, that the data behind the charts, graphs, and other representations in this study comes only from publicly disclosed incidents, many of which omit the number of records involved; by its very nature it is incomplete and can be misleading.
The distribution of incidents across the five verticals in 2009 was nearly the same as it has been over the past decade, the period for which data breaches have been recorded. There was speculation that incidents would increase as health care organizations move completely to electronic records. As of the end of 2009, the health care share does not appear to be any different from the average of previous years.
The financial industry is often targeted by cyber criminals because of the information it holds that can be used for identity theft and fraud, as well as direct access to the accounts where money is stored. Arguably, this industry is quite small compared to others such as retail in terms of the number of entities registered in the U.S. It has also been under the greatest amount of proactively enforced regulation.
2009 had the highest number of compromised records ever recorded due to the Heartland Payment Systems breach. The Heartland data breach represents 56 percent of all the publicly disclosed records ever lost in this industry.
Without the Heartland breach, it would have been a remarkably quiet year in terms of the number of records lost, with just over 56,000 total.
The medical/health care industry also reported a reduction in both the number of incidents and records compromised compared to 2008. In fact, there was a 42 percent reduction in the number of reported incidents between 2008 and 2009.
The health care industry is one of the few where the number of incidents that came with a reported record count actually dropped compared with previous years. Only 23 percent of reported incidents omitted the total number of records compromised.
Hospitals continue to be the leading source of data breach incidents for the health care industry, with 36 percent of all breaches in 2009. That happens to be exactly the same percentage hospitals account for when all reported breaches in this industry, across all years, are analyzed. Across all reported incidents for the industry, the #2 subcategory falls just below 14 percent, so hospitals really do carry the lion's share of incidents overall.
Insurance companies, on the other hand, account for more records compromised than any other subcategory both in 2009 and when all reported breaches are analyzed. Insurance companies account for 40 percent of all records compromised within this industry. Hospitals account for 32 percent when all years and breaches are taken into account. For 2009, insurance companies account for over 85 percent of all records compromised in this industry, followed by hospitals at 6 percent.
2009 represented a reduction in overall data breach incidents based on publicly reported breaches.
2009 had but a fraction (less than 1 percent) of the records compromised in 2008. However, given the increase in the number of breaches that do not disclose the total number of records compromised, these results are obviously skewed.
It would seem (albeit without a full picture, given the lack of complete disclosure) that the retail industry did remarkably well in 2009. More retail businesses were subject to active enforcement of the Payment Card Industry Data Security Standard (PCI DSS) in 2009 than ever before. Based on what is reported, one might conclude that those requirements are effective in reducing the overall number of breach incidents and records lost, though the incomplete disclosure noted above makes that inference tentative.
The number of incidents in the government sector varied only slightly between 2008 and 2009: there were 66 incidents in 2008 and 68 in 2009. The wide variance in the number of records compromised between the two years was due to the 76 million records compromised at the National Archives and Records Administration. Even without the National Archives breach, there was over a 400 percent increase in records lost between 2008 and 2009. So while the number of incidents held steady at 2008 levels, the number of records compromised increased significantly.
State agencies are the number-one source of data security breaches for this sector in terms of total incidents. For the last two years, state agencies have been responsible for one half of all data breaches in government. If the National Archives breach is excluded, state agencies are also responsible for the greatest number of records compromised in both 2008 and 2009, making up right around 70 percent of all records compromised in the government sector over that period.
The National Archives breach at 76 million records is one of the largest breaches in U.S. history.
The education industry had about one half the number of incidents in 2009 that it had in 2008.
Sixty-eight percent of all breach incidents were at universities, down from 2008, when universities accounted for 75 percent of incidents.
The total number of records compromised was about 30 percent of what it was in 2008.
Universities also account for the greatest number of records lost, at 78 percent for 2009, slightly down from 82 percent in 2008. High schools come in second place, both in terms of records compromised and incidents, in each of the last two years.