The number of data breaches reported in 2008 has already surpassed the number reported in all of 2007, according to the Identity Theft Resource Center (ITRC), a non-profit organization that tracks the statistics.
ITRC, an organization that tracks data breaches and educates consumers about identity protection, said its 2008 breach list has surpassed the 446 breaches it reported for 2007; the number of breaches the group has logged so far in 2008 stands at 449. The ITRC, established in 1999, has been tracking data breaches for three years and also helps resolve identity theft cases.
The organization said the number of breaches in 2008 is likely much higher since breaches that affect multiple companies are listed as single events. In one case, a single breach event affected customers and employees of at least 20 companies.
"Those companies become victims of the breach as much as the individuals whose information has been affected," said Linda Foley, founder of the ITRC. "In many cases they entrusted a vendor to provide a service to safeguard information at the highest level, and when they transport it from one place to another unencrypted, they're not taking it to the highest level."
Companies need a better understanding of the contractual obligations of the firms to which they outsource payroll and other processes, Foley said. Firms also need to cut back on the data they send to outsourcers, limiting what a breach at the outsourcer can expose.
The number of compromised records is estimated at 22 million, according to the organization. Foley said the year-over-year growth in the number of breaches can no longer be attributed solely to mandatory reporting laws and investigative work by the media. Currently 44 states have laws requiring notification of a data security breach. Because each state has its own notification law, companies are not held to a single consistent standard for reporting a breach. Some states are adding language to their laws requiring companies to publicly disclose the breach notification letters they issue to customers, Foley said.
"It's not to point fingers at companies," Foley said. "We want to look at this material so we can see whether there are ways companies and consumers can reduce exposure of information."
While breach notification laws are seen as a way to shine a light on corporate neglect of security, a team of researchers from Carnegie Mellon University found no measurable effect from them on preventing identity theft. The researchers said current breach laws are problematic because they leave any protective action, such as canceling a credit card, up to the consumer.
The ITRC is also in the business of selling breach notification services to companies that experience a breach. Foley said the ITRC's breach response program provides a consultant to the company to advise on an appropriate breach notification letter and on first-responder calls. Foley said analysis of breaches has shown that, in many cases, most people who receive a notification letter will not become a victim as a result of that particular breach. Credit monitoring services are not always the answer for consumers, she said. In many cases, if a Social Security number was not exposed, the customer only needs to cancel their credit card.
"People overreact and I think companies are not always giving sufficient information to make good choices because this is a topic that is not necessarily taught in law school," Foley said.