In a twist on Tolstoy’s famous observation that “all happy families are alike,” the Identity Theft Resource Center (ITRC) is warning that the public is being told that ‘all data breaches are alike,’ as corporations paint a worryingly bland portrait of breaches and other data loss incidents affecting their customers.
An ITRC report, released last week (.PDF), found that 63.4 percent of the 213 breaches reported so far in 2012 fail to include information on how, exactly, the breach happened. ITRC said that data breaches frequently go unreported. And, even when they are disclosed, the victims fail to adequately describe just how they suffered the breaches in question.
“It is clear that without a mandatory national reporting requirement, that many data breaches will continue to be unreported, or under-reported,” reads part of a press release published in conjunction with the ITRC report.
The ITRC has tracked breaches since 2005. The organization labels each incident according to its source: insider theft, hacking, data on the move, accidental exposure and subcontractor fault employee error or negligence. The organization says that the data from 2012 suggests a shift in is underway, with hackers concentrating less on banks.
Bank breaches make up four percent of the data breaches reported this year, down four percent from the same time last year, according to ITRC’s findings. The numbers have a chance to break an eight year low if they continue in the same fashion.
However, breaches in the health care sector have jumped 10 percent compared with the same period last year. They now account for 27 percent of the breach incidents so far in the first half of the year.
Incidents of data loss attributable to ‘hacking’ accounted for 30.5 percent of the breaches in the first six months of 2012, up from 27.7 percent at this time last year. During the same period, attacks attributable to ‘insider theft’ and lost media such as laptops and mobile devices were both down.
Privacy and data theft are a hot policy issue right now. A handful of national data breach bills introduced in the Senate over the last year would mandate more tangible data breach reporting. The moves would help clarify and refine a collection of laws already on record in some states. The latest such legislation, the Data Security and Breach Notification Act of 2012, was proposed late last month and would require the announcement of health information data breaches within 60 days, but neglects to acknowledge a deadline for notification.
