A few weeks ago, I presented the results of an analysis of data breaches occurring in 2007, the last full year for which information is available; the “Chronology of Data Breaches” database, available at the Privacy Rights Clearinghouse website (privacyrights.org), provided the source data for this analysis. In summary, the analysis supported the following conclusions:
1. Educational institutions reported the majority of data breaches, followed by (in order of breach frequency) offices and agencies of local, state, and federal governments; private businesses (such as retail establishments); health-related organizations; and financial services.
2. Data breaches were caused by the following factors, arranged in order of frequency of causation: lost/stolen equipment (44%); inappropriate access to data via the Internet (17%); hackers (15%); careless disposal of paper records (12%); accidental disclosure of data (7%).
3. Of the 330 data breaches reported in 2007, only 7 (2%) resulted in actual incidents of identity theft or other fraudulent activity.
4. Four of the 7 (57%) actual incidents of identity theft or fraud were perpetrated by “malicious insiders.”
The purpose of this article is to examine the significance of these findings for risk assessment, security policy, priorities for security controls to reduce the likelihood of breaches, and the role of information security in the breach prevention process.
Validity of the Data
To what extent can we trust the data provided by the Clearinghouse, or, for that matter, by any organization that collates and reports breach incidents? The accuracy of our knowledge concerning the frequency and causes of breaches depends upon the thoroughness and validity of the reporting authority. A recent and thoughtful article, “Can we make any sense out of breach reports?”, maintains that existing statistical data are insufficiently trustworthy to permit the drawing of inferences. The argument rests on three points: (1) different sectors (e.g., education, health, financial services) have different reporting requirements; (2) some states are still in the process of implementing mandatory reporting laws; and (3) inspection of state-sponsored listings of reported notifications reveals that not all breaches reported to states are reflected in national databases, such as the Privacy Rights Clearinghouse “Chronology of Data Breaches.” In addition, we do not know the extent to which each sector underreports the frequency of data breaches.
Issues concerning validity cannot be dismissed as mere pedantry. However, it seems that sufficient data are available, from innumerable sources, to warrant the formulation of hypotheses, if not iron-clad inferences. In addition, the extant information, culled from divergent sources, demonstrates a degree of internal consistency that lends credibility to the validity of the Clearinghouse data, at least for purposes of analysis. For example, the above-cited article mentions that the following sectors were responsible, in order of frequency, for data breaches in 2007: educational institutions, government/military agencies and general businesses, health care facilities, and financial services. This is virtually the same ordering of sectors as reported in my analysis of the Clearinghouse database. Jaikumar Vijayan, reporting in a 2006 article in Computerworld, cites a former director of the Federal Trade Commission as stating that “only about 2% of breach victims actually become victims of fraud and ID theft.” Analysis of the Clearinghouse database for 2007 incidents concurs with this conclusion.
Thus, although the thoroughness and validity of the Clearinghouse data are open to dispute, the material seems sufficiently complete and valid to warrant the proposing of several hypotheses.
1. The majority of data breaches are preventable by physical security measures; traditional information security controls may prevent only 1/3 of all reported breaches.
Fifty-six percent of breach incidents reported in 2007 (44% plus 12%) involved (1) lost/stolen equipment or (2) careless disposal of paper records. Organizations seeking to reduce the frequency of these occurrences are advised to develop and implement policies and procedures concerning the secure transport, storage, and disposal of physical media. These policies would include provisions pertaining, for example, to controls for which employees and third-party service providers are responsible (e.g., use of tamper-evident containers for shipped items, at least two employees accompanying items in transit, cross-cut shredding of all documents containing personally identifiable information). The use of encryption for magnetic tapes and laptops would also reduce the frequency of reported breach incidents, with two caveats: some states require reporting of breaches even if the personally identifiable information resides on encrypted media, and the exemptions that do exist generally apply only when the encryption key was not lost or stolen along with the device.
However, the implementation of programs to secure the transport, storage, and destruction of media is not traditionally a focus of the information security function. Although information security professionals may be involved with the establishment of these programs, significant participation is also required by the Compliance, Privacy Office, Legal, Corporate (or Physical) Security, Records Management, and other functions. The resources provided by information security alone will not prevent the majority of breach incidents.
By contrast, breaches caused by inappropriate access to data via the Internet and by hackers may be significantly reduced by the implementation of controls traditionally associated with information security. A secure network architecture, with firewalls installed at appropriate points and procedures that ensure security-conscious firewall access rules are written and reviewed, will greatly contribute to the prevention of inappropriate access via the Internet and by hackers. Intrusion detection and prevention systems will also deter hackers. Note, however, that neither control does much against a web application that serves records to anyone who requests them; that portion of the “inappropriate access” category calls for application-level access control and configuration review as well. In any case, weak network architecture and hacker activity together account for only 32% of all reported breaches. It seems that information security is only one of many participants in the breach prevention effort, and not necessarily the most critical.
2. An organizational culture that promotes the privacy of personally identifiable information, encouraged by federal regulation, is more likely to prevent data breaches than the passage of state breach notification laws.
Health-related organizations have, for many years, been aware that the Health Insurance Portability and Accountability Act mandates the establishment of controls (including electronic controls) for patients’ personally identifiable health information. Similarly, the Gramm-Leach-Bliley Act and its subsequent regulatory guidance have required that financial services institutions regulated by the Federal Reserve, the Office of the Comptroller of the Currency, the Office of Thrift Supervision, and other controlling agencies develop programs to protect the privacy of nonpublic personal information. Interestingly, financial services and health-related organizations have the lowest reported incidence of data breaches.
Although the Privacy Act of 1974 mandates that agencies of the federal government develop controls to protect the privacy of individuals, local and state governments are not similarly bound. Analysis of the Clearinghouse database indicates that 85% of governmental offices reporting breaches in 2007 were state and local.
Federal regulations do not mandate that educational institutions adopt the types of privacy controls that have been adopted for financial services and health-related organizations. Private businesses, such as retail establishments, are similarly unregulated by federal authority. However, educational institutions and private businesses account for the highest frequencies of data breach incidents.
All sectors are required, by the plethora of state and local data breach notification laws, to report incidents involving actual or potential unauthorized disclosure of personally identifiable information. Yet, three of these sectors (education, government, and private business) report significantly higher numbers of data breaches than financial services or health-related organizations. It is possible that these latter two sectors, having been regulated by federal privacy mandates for many years, have developed policies, procedures, and processes that encourage an awareness of the importance of protecting privacy. The state-initiated breach notification laws appear not to have influenced the frequency of incidents to the same extent as have the federal mandates. Perhaps, however, future Congressional implementation of a nationwide breach notification mandate will alter this situation.
3. The debate between “malicious insider” vs. “external hacker” (or “malicious outsider”) has perhaps obscured the real perpetrators of many information security incidents.
Information security professionals are infatuated with the debate concerning whether the “malicious insider” or the “malicious outsider” (usually a hacker) is responsible for most security incidents, especially those involving unauthorized disclosure of information. This debate has continued within the pages of this blog and has, perhaps predictably, excited controversy.
Analysis of the Clearinghouse database of breach incidents provides insight concerning this debate. In 2007, the majority of breaches that actually involved identity theft or other fraud were caused by “malicious insiders” (4 of 7 incidents). However, a majority of the 330 total incidents were attributed to “malicious outsiders” (hackers) or to insiders who accidentally disclosed sensitive information (for example, employees who carelessly disposed of sensitive records into a dumpster). More specifically, hackers accounted for 15% of incidents (with inappropriate access via the Internet a further 17%), and between 36% and 80% of breaches were the fault of careless employees, including network architects, information security staff, and consultants. The range depends on how much of the lost/stolen equipment and inappropriate Internet access categories one attributes to carelessness rather than to theft or attack.
It seems that InfoSec professionals must cease the dualistic thinking that posits two types of “bad guys,” the malicious insiders and outsiders. There seems to be a third group that, while unrepresented in the debate, is actually responsible for a great many (and perhaps the majority) of security incidents: the Careless. These are the individuals who fail to notice that hundreds of bank statements are sent to incorrect addresses, who do not take the time required to shred documents containing personally identifiable information, and who neglect to detect vulnerabilities within a network architecture. Unfortunately, the Careless wreak considerable havoc upon the organizations they serve, perhaps more havoc than information security has, to date, recognized.