An Analysis of the Privacy Rights Clearinghouse “Chronology of Data Breaches” and Implications for Information Security Professionals (pt. 1)

Within the next few weeks—if not earlier—you should visit the “Chronology of Data Breaches” database available at the Privacy Rights Clearinghouse website. The database provides a listing of privacy-related security breaches that have been reported in the United States, generally in response to state-mandated breach notification laws. According to the website, more than 229 million records, each containing sensitive personal information that could promote identity theft or fraud, have been compromised since January 2005. The database provides information concerning the organization affected by each breach incident, the causes of potential or actual unauthorized disclosure, the kinds of data involved, and the number of personal records breached. In some cases, information concerning incidents is updated and additional explanatory data provided.

Although the Privacy Rights Clearinghouse does not claim that its database is comprehensive (many breaches may not have been reported or made available to the sources from which the Clearinghouse populates its database), it is sufficiently thorough to warrant careful study by information security professionals. The information provides useful insight concerning many of the issues that continually vex security practitioners, including assessing the types of risks associated with data breaches, the kinds of policies that should be adopted to reduce the likelihood of breaches, and the role of the “malicious insider” vs. the “external hacker.” In addition, the Clearinghouse material offers several surprising perspectives concerning the ever-expanding role of information security prompted by new technologies in combination with regulatory mandates.

The first part of this article will present an analysis of information derived from the Clearinghouse database; a second article, to be published in a few weeks, will attempt to extract conclusions from this analysis. Because the full database contains more than one thousand separate incidents, my analysis will consider only those breaches occurring in 2007, the last year for which complete information is available.

One Comment

  1. john doe Jul 9, 2008 at 8:38 pm

    Why use PRC for the data when they get their data from’s DataLoss project?
