Breached Organizations Are Tight-Lipped Study Shows Most Don't Reveal Cause of Incident

U.S. information breaches involving third parties, or business associates, doubled in the first half of the year, says Karen Barney of the Identity Theft Resource Center, a consumer advocacy group that tracks security incidents.

"The ITRC believes greater efforts need to be made in identifying weaknesses in the chain of information," Barney stresses in an interview with Information Security Media Group's Howard Anderson [transcript below].

Based on its tracking of news media reports, attorneys general announcements and other releases of information, the resource center estimates breaches declined 9 percent in all U.S. sectors during the first half of this year, compared to the same period a year ago. "Whether this represents an actual decrease in the number of breach incidents or just a decrease in reporting is impossible to determine," Barney says.

The consumer advocacy group tracks breaches in the business, education, government/military, healthcare/medical and banking/financial sectors.

To prevent information breaches, organizations in all business sectors must go far beyond installing the right technologies and build a corporate culture that emphasizes privacy protection, Barney says.

"Recognize that IT and network security alone will not protect your data," she says. "Create an organizational ethic where the employees do realize the importance of protecting personal information."

In the interview, Barney also notes:

  • Incidents in the healthcare sector rose in the first six months of the year, while breaches in the financial sector declined.
  • Breaches triggered by insider threats dropped in the first half. "One possible reason for this decline may be the increased awareness that employees do pose a potential threat, and as a result, [organizations] are increasing efforts to improve security protocols for protecting information..." she says.
  • Organizations experiencing a data breach often fail to explain the cause of the incident.

Barney, a victim of identity theft, has served in a variety of positions for the Identity Theft Resource center since joining in 2002. In her current role as the center's program director and research analyst, she provides and disseminates information about the center and its data.

Identity Theft Resource Center

HOWARD ANDERSON: For starters, why don't you describe the Identity Theft Resource Center for us?

KAREN BARNEY: The Identity Theft Resource Center was established in 1999 initially to support victims of identity theft in resolving their cases. It grew to include broadening public education and awareness efforts through the website to help consumers understand identity theft and related issues. In addition to those services, the ITRC also works with other groups and agencies on a wide variety of other initiatives to educate the public and reduce individual risks. Since 2005, the Identity Theft Resource Center has also tracked security breaches in order to look for patterns, new trends and any information that may better help us to protect data and assist companies in developing best practices.

Gathering Breach Information

ANDERSON: How does the center gather its statistics on data breaches? Do you track breaches of a certain size or scope, and in what sector do you track breaches in the U.S.?

BARNEY: We track information that's available at attorneys general offices. That usually enables us to see a breach notification letter that may have been sent out in regards to a breach. We look at a [large] number of media outlets to see what, when and where any of these breaches may be occurring, and we also share information with other entities that post this kind of information as well. As to the size or scope of breaches, we don't necessarily have a hard number as far as [how] small in size we begin including on our list. And of course it goes up to the millions on those larger breaches.

We just stick to the facts as they're reported. We don't editorialize on any of that information. Many times the breaches on our list will have multiple attributions from media sources and media outlets. We try to capture as many of those as we can to support the breach incident. We try to identify the number of exposed records when that's available. Sometimes the information [breached] may be encrypted, but we also state that we do not consider that adequate protection for information.

We also include breaches on our list that do not include personal identifying information. A lot of breaches nowadays, which include passwords, user names and e-mail addresses, [are included] in our overall breach count, but we do not include the number of records even if it's known since they do not trigger breach notification laws throughout the country. We focus primarily on those that include Social Security numbers, credit/debit card numbers, financial account numbers, driver's licenses, those pieces of information that trigger breach notification in our total count. We update [our tally] every day and post once a week, and we cover five industry sectors - business, education, government/military, health and medical, and the banking/credit/financial sector.

Breach Report

ANDERSON: You've issued a new report that shows there were 213 breaches in the first six months of this year in the U.S. in all of the sectors that you track. How does that number compare with the first half of last year?

BARNEY: The number of breaches is down this year. We had 213 for the first half, which is a 9 percent decrease from the 231 that were reported in the first half of 2011. Whether or not this represents an actual decrease in the number of breach incidents or just a decrease in reporting isn't possible to determine.

Lack of Information Sharing

ANDERSON: Your report states that a majority of organizations experiencing breaches are sharing very little information about the incidents. Please explain that finding. What's the reason for that lack of transparency?

BARNEY: Good question - and one I wish I had a better answer for. The ITRC does attempt to identify the cause of a breach based on the information that's made public. The ITRC has tracked five possible causes since 2005 - data on the move, accidental exposure, insider theft, subcontractors and hacking. In 2012, we added employee error and negligence, since this is recognized industry-wide as a potential area of threat for businesses. And so far this year, for 63.4 percent of the breaches, the breach notification material has not identified attributes that the Identity Theft Resource Center could capture as to the cause of the data breach incidents. I don't doubt that the potential loss of customers, reputation and brand image come into play when deciding whether or not a business is going to be transparent in the case of a data breach incident. Several studies have shown interesting findings regarding consumer reactions to companies that have experienced a data breach incident, and unfortunately not the least of which is leaving that company [as a client]. One recent Ponemon survey did indicate that more customers are remaining loyal after a breach, which should encourage businesses to overcome a trepidation that they might have in reporting a breach.

It's of interest to the ITRC that many data breach incidents which expose the non-sensitive personal information, such as passwords and PIN numbers, are reported in the media even though current breach notification laws do not mandate that they do so. So businesses should recognize the potential for harm posed by this type of information especially in light of the current survey that reflected 92 percent of the respondents indicated that lost or stolen passwords or PIN numbers was the number one cause for worry. So the ITRC definitely calls for greater transparency in order to enable consumers to take whatever proactive steps are necessary to protect them.

Business Associates

ANDERSON: Let's go over some of the other key findings from the report for the first half of this year. Breaches involving third parties, such as business associates, doubled in the first half of this year vs. last year. What do you think is the reason for that growth, and what can be done to address that problem?

BARNEY: One primary reason is most likely the vetting of the third-party security protocols and practices, which is combined with the fact that there's more than likely an increased amount of work being outsourced and there needs to be adequate verification of that [contractor's ability] to protect the information. The ITRC believes that greater efforts need to be made in identifying weaknesses in the chain of information.

Healthcare Breaches

ANDERSON: Breaches in the healthcare sector represented about 27 percent of the incidents you identified in the first half of this year, and that's up from 17 percent in the first half of last year. Why do you think that is the case? Is it because more organizations are complying with the requirements of the HIPAA breach notification rule perhaps?

BARNEY: It's very likely that the mandatory reporting has played a role in the increased number of data breach incidents in the healthcare industry. They're also much better at reporting the number of records that have been compromised. It may also be due to the fact that medical identification numbers are significantly more valuable than Social Security numbers and, as such, they're much more desirable targets to hackers and those who would profit from that information, and we can go ahead and say insiders, hackers and organized crime fit that bill. So while insider theft incidents in the medical industry are down slightly in the first half, these insider thefts are still most prevalent in the healthcare industry as compared to the other sectors.

Banking Industry Improving

ANDERSON: In contrast, breaches in the banking industry are on the decline. Please share those statistics and explain why you think incidents are down in this sector?

BARNEY: It's a good sign for the financial industry that the number of reported incidents has dropped significantly so far this year. To date this year, only nine breaches have been reported on the ITRC breach list, which is down from the 19 reported for the first half of 2011. The ITRC has always recognized that the financial industry has consistently demonstrated better data protection efforts because they must comply with requirements and regulations to ensure that they protect consumer financial information, security and confidentiality of customer information is also mandated, and they also face multiple ongoing audits for security and confidentiality.

Insider Threats

ANDERSON: Insider threats are on the decline, the report shows. Please define insider threat, share the statistics and offer your insights on why these incidents are declining.

BARNEY: The ITRC identifies insider employee theft as when someone inside the company participates - or assists someone - in stealing records and information. We typically categorize it as malicious for the purposes of the ITRC breach report, as it's often combined with hacking. It should not be considered the same as negligent or accidental breaches. So far in 2012, only 7.5 percent of the reported data breach incidents have been identified as involving insider threats, down from the 17.3 percent reported for the same time period last year. This decrease was also reflected in the recent Verizon security report.

One possible reason for this decline may be the increased awareness that employees and insiders do pose a potential threat, and as such, businesses are increasing their efforts to improve their security protocols for protecting information. [There's] better tracking and auditing practices to more clearly identify these internal risks. [Organizations] are developing an implementation of protocols and policies addressing these perceived risk factors, the enforcement of these protocols and practices, addressing the need for stricter password and account management practices, implementing a more secure physical environment for how that information is maintained, corporate-wide advanced training for all to understand the possible complications of breached information, and, not least of all, anticipation and preparation for that next threat.

Tips for Organizations

ANDERSON:

To wrap up, based on your analysis for the first half of this year, what would you say are the most important steps organizations in all sectors can take to help prevent breaches?

BARNEY: I truly believe that preventing breaches is going to be difficult, but some steps that businesses can take to minimize their risks is to know what your current status is - conduct a risk assessment and determine those areas which need the greatest level of security and heightened measures of protection. Recognize that IT and network security alone will not protect your data. ... Create an organizational ethic where the employees do realize the importance of protecting personal information. Have them own that. And implement best practices in the way information is handled through authentication and verification, high levels of protecting it and limiting the access to personal information by employees on a need-to-know basis. ... [Also, address] proper disposal of sensitive documents, physical security measures, how information is stored and the disposal of that information once the business is done using it.