An Analysis of the Privacy Rights Clearinghouse “Chronology of Data Breaches” and Implications for Information Security Professionals (pt. 2)

A few weeks ago, I presented the results of an analysis of data breaches occurring in 2007, the last full year for which information is available; the “Chronology of Data Breaches” database, available at the Privacy Rights Clearinghouse website, provided the source data for this analysis.  In summary, the analysis supported the following conclusions:

1.  Educational institutions reported the majority of data breaches, followed by (in order of breach frequency) offices and agencies of local, state, and federal governments; private businesses (such as retail establishments); health-related organizations; and financial services.

2.  Data breaches were caused by the following factors, listed in order of frequency: lost or stolen equipment (44%); inappropriate access to data via the Internet (17%); hackers (15%); careless disposal of paper records (12%); and accidental disclosure of data (7%).

3.  Of the 330 data breaches reported in 2007, only 7 (2%) resulted in actual incidents of identity theft or other fraudulent activity.

4.  Four of the 7 (57%) actual incidents of identity theft or fraud were perpetrated by “malicious insiders.”

The purpose of this article is to examine the significance of these findings for risk assessment, security policy, priorities for security controls to reduce the likelihood of breaches, and the role of information security in the breach prevention process.

Validity of the Data
To what extent can we trust the data provided by the Clearinghouse, or, for that matter, by any organization that collates and reports breach incidents?  The accuracy of our knowledge concerning the frequency and causes of breaches depends on the thoroughness and validity of the reporting authority.  A recent and thoughtful article, “Can we make any sense out of breach reports?”, maintains that existing statistical data are insufficiently trustworthy to permit the drawing of inferences.  This lack of validity rests on three observations: (1) different sectors (e.g., education, health, financial services) have different reporting requirements; (2) some states are still in the process of implementing mandatory reporting laws; and (3) inspection of state-sponsored listings of reported notifications reveals that not all breaches reported to the states are reflected in national databases such as the Privacy Rights Clearinghouse “Chronology of Data Breaches.”  In addition, we do not know the extent to which each sector underreports the frequency of data breaches, so the published counts should be treated as a lower bound rather than a census.
