Why we can’t count (data loss)

Numbers lie


Recently, California made headlines after more than 800 data breach disclosures were filed in the first five months of 2009. Upon closer inspection, the large number of incidents does not represent a rise in actual incidents, but just a change in mandated reporting practices due to California’s new medical data breach law, which went into effect on January 1, 2009.


Unfortunately, in practice we have no idea how much private information is lost to data breaches every year, because disclosure laws do not entice businesses to accurately report data breach incidents. While the number of reported incidents appears to be growing, it is a poor reflection of reality, owed in large part to changes in compliance laws. Although we are getting a better estimate of the number of “reported incidents”, the number of “actual” incidents is still unknown.


Data breaches will not decrease


While it seems fairly compelling to believe that increased legislation and financial penalty would motivate all sectors of industry to beef up data security, pragmatism dictates otherwise.


Digital data is like uranium: dense with a high yield. Almost all data breaches are of digital records. In contrast, old-fashioned paper records are fairly secure. Stealing several thousand paper records is physically risky, and combing through them for valuable information is prohibitively time consuming.


Computers make breaches easier and more attractive. Roughly 50% of all incidents are of the non-accidental, malicious variety, such as malware, hacking, and laptop theft. These incidents yield 83% of the total number of stolen records reported. A large amount of valuable personal information available for minimal risk is a very attractive value proposition… so attractive that it presents new and increased incentive where none existed before. Of reported financial data breach incidents, 24% are caused by insiders, such as executives, IT administrators and employees, and 55% are attributed to outside hacking.


Lack of Incentive


Although data breaches are expensive (on average costing $6.6 million per incident), companies are very slow to take preventative action. Despite compliance laws, many companies still lack sufficient pragmatic (read: ‘monetary’) incentive to change their security practices. The guidelines currently in place suffer from a number of issues:


Laws are vague: Compliance laws vary from state to state, and often include exemption from disclosure requirements if the stolen private data is “encrypted” – even if the encryption keys are stolen, too. Any data that is publicly available from federal, state, or local government sources is also exempt.


Companies can plead ignorance: Of those reported data breaches, 24% do not know or do not specify how much information was compromised. To avoid negative media attention, many victims of large data breaches simply claim “zero” in the “number of records stolen” column.


Notification timelines are usually vague: Loose wording such as “the most expedient time possible” and “without unreasonable delay” allows companies to choose when they disclose their data incidents (except companies in Florida and Ohio).


Most incidents are unreported: According to a survey conducted at the RSA conference in 2007, a full 89% of companies that experienced a data breach did not publicly disclose the incident. Assuming that incident disclosure is still largely a voluntary exercise without oversight, we have no reason to suspect that it has changed much for 2008 or 2009.


Summary


The interest in personal data is not a fad, and related data breaches will not magically disappear. While private data is lost from many sources, web applications figure prominently in the security equation.


Changes in policy will highlight the enormous number of incidents, and attitudes will have to change from a reactionary “defense” to a proactive security “offense”.


Preventative security medicine is the best and most cost-effective policy. For the IT manager, the decision to spend several thousand dollars on current security tools should be an easy one to make. The cost of preventative security pales in comparison to the cost of cleaning up the mess after getting breached.

Comments
(anon) | 07-20-2009 07:17 PM

Awesome post.

Until all of the incentives described in your "Lack of Incentives" are increased, it almost seems as though there will never be an increase in preventative security.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation.