Some states require a showing of harm before notification is required.

Cost of a Data Breach

Bill Gardner, in Building an Information Security Awareness Program, 2014

State Breach Notification Laws

A number of states have now enacted breach notification laws that add data breach costs over and above those imposed by regulations such as HIPAA, SOX, and PCI DSS. According to the National Conference of State Legislatures (NCSL), 46 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted breach notification laws [12]. Breach notification laws were enacted as a result of a number of high-profile data breaches, such as the much-covered TJX breach.

The idea behind the laws was to give consumers notification and credit protection in the event that customers' data have been lost. Not providing notification and credit protection can result in large fines for the organization that lost the data, whether through theft or negligence. In the case of a loss, an organization's first duty is to determine what has been lost: social security numbers, credit card information, home addresses, dates of birth, or other personally identifiable information (PII). Each state has different triggers for its law. Common criteria include the number of records and the type of data lost [13].

Below is the breach notification law for the state of West Virginia, which is typical of other state breach notification laws:

Chapter 46A. West Virginia Consumer Credit and Protection act

Article 2A. Breach of Security of Consumer Information

§46A-2A-101. Definitions

As used in this article:

(1)

“Breach of the security of a system” means the unauthorized access and acquisition of unencrypted and unredacted computerized data that compromises the security or confidentiality of personal information maintained by an individual or entity as part of a database of personal information regarding multiple individuals and that causes the individual or entity to reasonably believe that the breach of security has caused or will cause identity theft or other fraud to any resident of this state. Good faith acquisition of personal information by an employee or agent of an individual or entity for the purposes of the individual or the entity is not a breach of the security of the system, provided that the personal information is not used for a purpose other than a lawful purpose of the individual or entity or subject to further unauthorized disclosure.

(2)

“Entity” includes corporations, business trusts, estates, partnerships, limited partnerships, limited liability partnerships, limited liability companies, associations, organizations, joint ventures, governments, governmental subdivisions, agencies or instrumentalities, or any other legal entity, whether for profit or not for profit.

(3)

“Encrypted” means transformation of data through the use of an algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, or securing the information by another method that renders the data elements unreadable or unusable.

(4)

“Financial institution” has the meaning given that term in Section 6809(3), United States Code Title 15, as amended.

(5)

“Individual” means a natural person.

(6)

“Personal information” means the first name or first initial and last name linked to any one or more of the following data elements that relate to a resident of this state, when the data elements are neither encrypted nor redacted:

(A)

Social security number;

(B)

Driver's license number or state identification card number issued in lieu of a driver's license; or

(C)

Financial account number, or credit card, or debit card number in combination with any required security code, access code, or password that would permit access to a resident's financial accounts.

The term does not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

(7)

“Notice” means:

(A)

Written notice to the postal address in the records of the individual or entity;

(B)

Telephonic notice;

(C)

Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures, set forth in Section 7001, United States Code Title 15, Electronic Signatures in Global and National Commerce Act.

(D)

Substitute notice, if the individual or the entity required to provide notice demonstrates that the cost of providing notice will exceed fifty thousand dollars or that the affected class of residents to be notified exceeds one hundred thousand persons or that the individual or the entity does not have sufficient contact information or to provide notice as described in paragraph (A), (B), or (C). Substitute notice consists of any two of the following:

(i)

E-mail notice if the individual or the entity has e-mail addresses for the members of the affected class of residents;

(ii)

Conspicuous posting of the notice on the website of the individual or the entity if the individual or the entity maintains a website; or

(iii)

Notice to major statewide media.

(8)

“Redact” means alteration or truncation of data such that no more than the last four digits of a social security number, driver's license number, state identification card number, or account number is accessible as part of the personal information.

§46A-2A-102. Notice of breach of security of computerized personal information

(a)

An individual or entity that owns or licenses computerized data that includes personal information shall give notice of any breach of the security of the system following discovery or notification of the breach of the security of the system to any resident of this state whose unencrypted and unredacted personal information was or is reasonably believed to have been accessed and acquired by an unauthorized person and that causes, or the individual, or entity reasonably believes has caused or will cause, identity theft, or other fraud to any resident of this state. Except as provided in subsection (e) of this section or in order to take any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the system, the notice shall be made without unreasonable delay.

(b)

An individual or entity must give notice of the breach of the security of the system if encrypted information is accessed and acquired in an unencrypted form or if the security breach involves a person with access to the encryption key and the individual or entity reasonably believes that such breach has caused or will cause identity theft or other fraud to any resident of this state.

(c)

An individual or entity that maintains computerized data that includes personal information that the individual or entity does not own or license shall give notice to the owner or licensee of the information of any breach of the security of the system as soon as practicable following discovery, if the personal information was or the entity reasonably believes was accessed and acquired by an unauthorized person.

(d)

The notice shall include:

(1)

To the extent possible, a description of the categories of information that were reasonably believed to have been accessed or acquired by an unauthorized person, including social security numbers, driver's licenses, or state identification numbers and financial data;

(2)

A telephone number or website address that the individual may use to contact the entity or the agent of the entity and from whom the individual may learn:

(A)

What types of information the entity maintained about that individual or about individuals in general; and

(B)

Whether or not the entity maintained information about that individual.

(3)

The toll-free contact telephone numbers and addresses for the major credit reporting agencies and information on how to place a fraud alert or security freeze.

(e)

Notice required by this section may be delayed if a law-enforcement agency determines and advises the individual or entity that the notice will impede a criminal or civil investigation or homeland or national security. Notice required by this section must be made without unreasonable delay after the law-enforcement agency determines that notification will no longer impede the investigation or jeopardize national or homeland security.

(f)

If an entity is required to notify more than one thousand persons of a breach of security pursuant to this article, the entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on a nationwide basis, as defined by 15 U.S.C. §1681a (p), of the timing, distribution and content of the notices. Nothing in this subsection shall be construed to require the entity to provide to the consumer reporting agency the names or other personal identifying information of breach notice recipients. This subsection shall not apply to an entity who is subject to Title V of the Gramm Leach Bliley Act, 15 U.S.C. 6801, et seq.

(g)

The notice required by this section shall not be considered a debt communication as defined by the Fair Debt Collection Practice Act in 15 U.S.C. §1692a.

§46A-2A-103. Procedures deemed in compliance with security breach notice requirements

(a)

An entity that maintains its own notification procedures as part of an information privacy or security policy for the treatment of personal information and that are consistent with the timing requirements of this article shall be deemed to be in compliance with the notification requirements of this article if it notifies residents of this state in accordance with its procedures in the event of a breach of security of the system.

(b)

A financial institution that responds in accordance with the notification guidelines prescribed by the Federal Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice is deemed to be in compliance with this article.

(c)

An entity that complies with the notification requirements or procedures pursuant to the rules, regulation, procedures, or guidelines established by the entity's primary or functional regulator shall be in compliance with this article.

§46A-2A-104. Violations

(a)

Except as provided by subsection (c) of this section, failure to comply with the notice provisions of this article constitutes an unfair or deceptive act or practice in violation of section one hundred four, article six, chapter forty-six-a of this code, which may be enforced by the Attorney General pursuant to the enforcement provisions of this chapter.

(b)

Except as provided by subsection (c) of this section, the Attorney General shall have exclusive authority to bring action. No civil penalty may be assessed in an action unless the court finds that the defendant has engaged in a course of repeated and willful violations of this article. No civil penalty shall exceed one hundred fifty thousand dollars per breach of security of the system or series of breaches of a similar nature that are discovered in a single investigation.

(c)

A violation of this article by a licensed financial institution shall be enforceable exclusively by the financial institution's primary functional regulator.

§46A-2A-105. Applicability

This article shall apply to the discovery or notification of a breach of the security of the system that occurs on or after the effective date of this article [14].
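The definitions and triggers quoted above lend themselves to a checklist that an incident responder can run over a breached record set: is each record "personal information" (a name linked to an unencrypted, unredacted SSN, driver's license or state ID number, or an account number together with a code that permits access), and once the count of affected residents is known, which of the §46A-2A-102 and §46A-2A-101(7)(D) thresholds apply. The following Python is an added example, not code from the book or from the statute; the thresholds are the ones the quoted text states, while the field names, the `redact` helper and the sample records are constructed assumptions. The "reasonably believes" judgment in §101(1) is left as an input, since the statute leaves it to the entity.

```python
"""Added example: applying the West Virginia breach-notification definitions
quoted above to a constructed record set. Thresholds come from the statute
text; field names and sample data are constructed assumptions."""

import re
from typing import Iterable

# §101(6)(A)-(B): identifiers that trigger on their own when linked to a name.
ID_FIELDS = ("ssn", "drivers_license", "state_id")


def redact(value: str) -> str:
    """Mask an identifier so that only its last four digits remain, which is
    the form §46A-2A-101(8) calls 'redacted'."""
    digits = re.sub(r"\D", "", value)
    kept = digits[-4:]
    return "*" * (len(digits) - len(kept)) + kept


def is_redacted(value: str) -> bool:
    """True when no more than the last four digits are still accessible.
    Simplification: only digit count is checked, not surrounding text."""
    return len(re.sub(r"\D", "", value)) <= 4


def has_name(rec: dict) -> bool:
    """§101(6): first name or first initial linked to a last name."""
    return bool(rec.get("first_name")) and bool(rec.get("last_name"))


def exposed_elements(rec: dict) -> list:
    """Data elements that make a named record 'personal information'.
    Encrypted records contribute nothing; a caller that knows the key was
    also exposed (§102(b)) should pass such records with encrypted=False."""
    if rec.get("encrypted"):
        return []
    found = [f for f in ID_FIELDS if rec.get(f) and not is_redacted(rec[f])]
    # §101(6)(C): an account number counts only in combination with a
    # security code, access code or password that would permit access.
    acct = rec.get("account_number")
    if acct and not is_redacted(acct) and rec.get("access_code"):
        found.append("account_number")
    return found


def is_personal_information(rec: dict) -> bool:
    return has_name(rec) and bool(exposed_elements(rec))


def notice_obligations(records: Iterable[dict], fraud_reasonably_believed: bool,
                       direct_notice_cost_usd: float) -> dict:
    """Apply the §102(a), §102(f) and §101(7)(D) thresholds to a breach.

    fraud_reasonably_believed is the entity's own §101(1) judgment that the
    breach has caused or will cause identity theft or other fraud."""
    affected = [r for r in records
                if r.get("state") == "WV" and is_personal_information(r)]
    count = len(affected)
    triggered = count > 0 and fraud_reasonably_believed
    return {
        "wv_residents_affected": count,
        "individual_notice_required": triggered,                      # §102(a)
        "credit_agency_notice_required": triggered and count > 1000,  # §102(f)
        # §101(7)(D): substitute notice (two of e-mail, website posting,
        # statewide media) is available only above these thresholds.
        "substitute_notice_available": triggered and (
            direct_notice_cost_usd > 50_000 or count > 100_000),
    }


# Constructed sample records; none describe real people.
SAMPLE_RECORDS = [
    {"first_name": "A", "last_name": "Smith", "state": "WV",
     "ssn": "123-45-6789", "encrypted": False},                 # triggers (A)
    {"first_name": "Bea", "last_name": "Jones", "state": "WV",
     "ssn": "***-**-6789", "encrypted": False},                 # redacted, no trigger
    {"first_name": "Cy", "last_name": "Lee", "state": "WV",
     "account_number": "4111111111111111", "encrypted": False},  # no code, no trigger
    {"first_name": "Di", "last_name": "Park", "state": "WV",
     "account_number": "4111111111111111", "access_code": "9876",
     "encrypted": False},                                       # triggers (C)
    {"first_name": "Ed", "last_name": "Ruiz", "state": "OH",
     "ssn": "987-65-4321", "encrypted": False},                 # not a WV resident
    {"first_name": "Flo", "last_name": "Kim", "state": "WV",
     "ssn": "555-55-5555", "encrypted": True},                  # encrypted, no trigger
]

if __name__ == "__main__":
    print(redact("123-45-6789"))  # → *****6789
    print(notice_obligations(SAMPLE_RECORDS, fraud_reasonably_believed=True,
                             direct_notice_cost_usd=1_500.0))
```

Two of the six constructed records trigger under the quoted definitions (the plain SSN and the account number paired with an access code), so individual notice is owed but the 1,000-person consumer-reporting-agency threshold and the substitute-notice thresholds are not reached. The redaction helper is the useful defensive takeaway: data stored in the §101(8) form never enters the affected count.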

Notification and mandatory credit protection cost money. Depending on the size of the breach, it could cost millions of dollars to notify all the persons affected. Not reporting the breach could result in criminal and civil penalties. The cost of defending such legal actions would result in even more costs [15].


URL: https://www.sciencedirect.com/science/article/pii/B978012419967500003X

Domain 9

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Second Edition), 2012

U.S. breach notification laws

At present, the current U.S. breach notification laws are at the state level, with well over 30 separate laws in place. There have been attempts at passing a general federal breach notification law in the United States, but these efforts have been unsuccessful thus far. Although it would be impossible to make blanket statements that would apply to all of the various state laws, some themes are common to quite a few of the state laws that are quickly being adopted by organizations concerned with adhering to best practices.

The purpose of the breach notification laws is typically to notify the affected parties when their personal data has been compromised. One issue that frequently comes up in these laws is what constitutes a notification-worthy breach. Many laws have clauses that stipulate that the business only has to notify the affected parties if there is evidence to reasonably assume that their personal data will be used maliciously.

Another issue that is found in some of the state laws is a safe harbor for data that was encrypted at the time of compromise. This safe harbor could be a strong impetus for organizations to encrypt data that otherwise might not have a regulatory or other legal requirement for the data to be encrypted. Breach notification laws are certainly here to stay, and a federal law seems as if it is quite likely to come in the near future. Many organizations in both the United States and abroad consider encryption of confidential data to be a due diligence issue even if a specific breach notification law is not in force within the organization's particular jurisdiction.


URL: https://www.sciencedirect.com/science/article/pii/B9781597499613000108

Domain 1: Security and Risk Management (e.g., Security, Risk, Compliance, Law, Regulations, Business Continuity)

Eric Conrad, ... Joshua Feldman, in CISSP Study Guide (Third Edition), 2016

United States Breach Notification Laws

At present, over 47 US states have enacted breach notification laws (see: http://www.ncsl.org/issues-research/telecom/security-breach-notification-laws.aspx). There have been attempts at passing a general federal breach notification law in the United States, but these efforts have been unsuccessful thus far. Although it would be impossible to make blanket statements that would apply to all of the various state laws, there are some themes common to quite a few of the state laws that are quickly being adopted by organizations concerned with adhering to best practices.

The purpose of the breach notification laws is typically to notify the affected parties when their personal data has been compromised. One issue that frequently comes up in these laws is what constitutes a notification-worthy breach. Many laws have clauses that stipulate that the business only has to notify the affected parties if there is evidence to reasonably assume that their personal data will be used maliciously.

Another issue that is found in some of the state laws is a safe harbor for data that was encrypted at the time of compromise. This safe harbor could be a strong impetus for organizations to encrypt data that otherwise might not have a regulatory or other legal requirement for the data to be encrypted. Breach notification laws are certainly here to stay, and a federal law seems as if it is quite likely to come on the horizon in the near future. Many organizations in both the US and abroad consider encryption of confidential data to be a due diligence issue even if a specific breach notification law is not in force within the organization’s particular jurisdiction.


URL: https://www.sciencedirect.com/science/article/pii/B9780128024379000023

PCI and Other Laws, Mandates, and Frameworks

Dr. Anton A. Chuvakin, Branden R. Williams, in PCI Compliance (Second Edition), 2010

Publisher Summary

There are several ways in which the Payment Card Industry (PCI) standard and state data breach notification laws complement each other. PCI DSS covers all types of media (paper and electronic), as do some state laws and the US federal government. From a notification perspective, PCI DSS may not require notifying individual cardholders, but it does require an incident response plan (Requirement 12.9) and notification of acquirers, card brands, and potentially law enforcement, depending on the situation. PCI DSS evolves to cover modern attack methods and modern security technologies: if a breach happens through a method not even remotely covered by PCI DSS, it is highly likely that the next edition of the standard will include a new safeguard or control addressing that vulnerability. The Sarbanes–Oxley Act of 2002 (SOX) was enacted as a result of the numerous public-company accounting scandals of the late 1990s and early 2000s in the United States, such as Enron and Tyco International. Although SOX and PCI DSS address different problems, each can learn from the other: for example, if an organization already has password and authentication controls defined for SOX, it should be able to map those back into PCI DSS during a PCI DSS assessment.


URL: https://www.sciencedirect.com/science/article/pii/B9781597494991000192

James M. Aquilina, in Malware Forensics, 2008

State Law

On May 10, 2008, Iowa joined 42 other states in passing a data breach notification law requiring owners of computerized data that includes consumer personal information to notify any affected consumer following a data breach that compromises the security, confidentiality, or integrity of that personal information.24 The statutes generally share the same key elements, but vary in how those elements are defined, including the definitions of “personal information,” the entities covered by the statute, the kind of breach triggering notification obligations, and the notification procedures required.25

“Personal information” has been defined across these statutes to include some or all of the following:

Social Security, Alien Registration, Tribal, and other federal and state government issued identification numbers

Drivers’ License and Non-Operating License identification numbers

Date of birth

Individuals’ mothers’ maiden names

Passport number

Credit card and debit card numbers

Financial account numbers (checking, savings, other demand deposit accounts)

Account passwords or personal identification numbers (PINs)

Routing codes, unique identifiers, and any other number or information that can be used to access financial resources

Medical information or health insurance information

Insurance policy numbers

Individual taxpayer identification numbers (TINs), Employer taxpayer identification number (EINs), or other tax information

Biometric data (fingerprints, voice print, retina or iris image)

Individual DNA profile data

Digital signature or other electronic signature

Employee identification number

Voter identification numbers

Work-related evaluations

Most statutes exempt reporting if the compromised information is “encrypted,” although the statutes do not set forth the standards for such encryption. Some states exempt reporting if, under all circumstances, there is no reasonable likelihood of harm, injury, or fraud to customers. At least one state requires a “reasonable investigation” before concluding no reasonable likelihood of harm.i

Notification to the affected customers may ordinarily be made in writing, electronically, telephonically, or in the case of large scale breaches, through publication. Under most state statutes, Illinois being an exception, notification can be delayed if it is determined that the disclosure will impede or compromise a criminal investigation.ii

Understanding the breach notification requirements of the state jurisdiction in which the investigation is conducted is important to the integrity of the digital examiner's work, as the scope and extent of permissible authority to handle relevant personal information may be different than expected. Consult counsel for clear guidance on how to navigate determinations of encryption exemption and to assess whether applicable notice requirements will alter the course of what otherwise would have been a more covert operation designed to avoid tipping the subject or target.


URL: https://www.sciencedirect.com/science/article/pii/B9781597492683000062

NET Privacy

Marco Cremonini, ... Claudio Agostino Ardagna, in Computer and Information Security Handbook, 2009

Privacy Threats

Threats to individual privacy have become publicly appalling since July 2003, when the California Security Breach Notification Law8 went into effect. This law was the first one to force state government agencies, companies, and nonprofit organizations that conduct business in California to notify California customers if personally identifiable information (PII) stored unencrypted in digital archives was, or is reasonably believed to have been, acquired by an unauthorized person.

The premise for this law was the rise of identity theft, the conventional expression used to refer to the illicit impersonation carried out by fraudsters who use the PII of other people to complete electronic transactions and purchases. The California Security Breach Notification Law lists, as PII: Social Security number, driver’s license number, California Identification Card number, bank account number, credit- or debit-card number, and security codes, access codes, or passwords that would permit access to an individual’s financial account.8 By requiring by law the immediate notification of the PII owners, the aim is to avoid direct consequences such as financial losses and derivative consequences such as the burden of restoring an individual’s own credit history. Starting on January 1, 2008, California’s innovative data security breach notification law also applies to medical information and health insurance data.

Besides the benefits to consumers, this law has been the trigger for similar laws in the United States—today, the majority of U.S. states have one—and has permitted the flourishing of regular statistics about privacy breaches, once almost absent. Privacy threats and analyses are now widely debated, and research focused on privacy problems has become one of the most important. Figure 28.1 shows a chart produced by plotting data collected by Attrition.org Data Loss Archive and Database,9 one of the most complete references for privacy breaches and data losses.


Figure 28.1. Privacy breaches from the Attrition.org Data Loss Archive and Database up to March 2008 (X-axis: Years 2000–2008; Y-axis (logarithmic): PII records lost).

Looking at the data series, we see that some breaches are strikingly large. Etiolated.org maintains some statistics based on Attrition.org’s database: In 2007, about 94 million records were hacked at TJX stores in the United States; confidential details of 25 million children were lost by HM Revenue & Customs, U.K.; the Dai Nippon Printing Company in Tokyo lost more than 8 million records; data about 8.5 million people stored by a subsidiary of Fidelity National Information Services were stolen and sold for illegal use by a former employee. Similar patterns were reported in previous years as well. In 2006, personal data of about 26.5 million U.S. military veterans was stolen from the residence of a Department of Veterans Affairs data analyst who improperly took the material home. In 2005, CardSystems Solutions—a credit card processing company managing accounts for Visa, MasterCard, and American Express—exposed 40 million debit- and credit-card accounts in a cyber break-in. In 2004, an employee of America Online Inc. stole 92 million email addresses and sold them to spammers. More recently, in March 2008, the Hannaford Bros. supermarket chain announced that, due to a security breach, about 4.2 million customer credit and debit card numbers were stolen.10

Whereas these incidents are the most notable, the phenomenon is distributed over the whole spectrum of breach sizes (see Figure 28.1). Hundreds of privacy breaches are reported in the order of a few thousand records lost and all categories of organizations are affected, from public agencies, universities, banks and financial institutions, manufacturing and retail companies, and so on.

The survey Enterprise@Risk: 2007 Privacy & Data Protection, conducted by Deloitte & Touche and Ponemon Institute,11 provides another piece of data about the incidence of privacy breaches. Among the survey’s respondents, over 85% reported at least one breach and about 63% reported multiple breaches requiring notification during the same time period. Breaches involving over 1000 records were reported by 33.9% of respondents; of those, almost 10% suffered data losses of more than 25,000 records. Astonishingly, about 21% of respondents were not able to estimate the record loss. The picture that results is that of a pervasive management problem with regard to PII and its protection, which causes a continuous leakage of chunks of data and a few dramatic breakdowns when huge archives are lost or stolen.

It is interesting to analyze the root causes of such breaches and the type of information involved. One source of information is the Educational Security Incidents (ESI) Year in Review–2007,12 by Adam Dodge. This survey lists all breaches that occurred during 2007 at colleges and universities around the world.

Concerning the causes of breaches, the results over a total of 139 incidents are:

38% are due to unauthorized disclosure

28% to theft (disks, laptops)

22% to penetration/hacking

9% to loss of data

Therefore, incidents attributable to mismanagement by employees (unauthorized disclosure and loss) account for 47%, whereas criminal activity (penetration/hacking and theft) accounts for 40%.

With respect to the type of information exposed during these breaches, the result is that:

PII have been exposed in 42% of incidents

Social Security numbers in 34%

Educational information in 11%

Financial information in 7%

Medical information in 5%

Login accounts in 2%

Again, rather than direct economic consequences or illicit usage of computer facilities, such breaches represent threats to individual privacy.

Privacy Rights Clearinghouse is another organization that provides excellent data and statistics about privacy breaches. Among other things, it is particularly remarkable for its analysis of root causes for different sectors, namely the private sector, the public sector (military included), higher education, and medical centers.13 Table 28.1 reports its findings for 2006.

Table 28.1. Root causes of data breaches, 2006

Cause                         Private Sector    Public Sector (inc. military)   Higher Education   Medical Centers
                              (126 incidents)   (114 incidents)                 (52 incidents)     (30 incidents)
Outside hackers               15%               13%                             40%                3%
Insider malfeasance           10%               5%                              2%                 20%
Human/software incompetence   20%               44%                             21%                20%
Theft (non-laptop)            15%               17%                             17%                17%
Laptop theft                  40%               21%                             20%                40%

Source: Privacy Rights Clearinghouse.

Comparing these results with the previous statistics from the Educational Security Incidents (ESI) Year in Review–2007, breaches caused by hackers in universities look remarkably different. Privacy Rights Clearinghouse estimates external criminal activity (hackers and theft) as largely prevalent, accounting for 77%, with internal problems accounting for 19%, whereas in the previous study the two classes were closer, with a prevalence of internal problems.

Hasan and Yurcik14 analyzed data about privacy breaches that occurred in 2005 and 2006 by fusing datasets maintained by Attrition.org and Privacy Rights Clearinghouse. The overall result partially clarifies the discrepancy between the previous two analyses. In particular, it emerges that, counting the number of privacy breaches, educational institutions are the most exposed, accounting for 35% of the total, followed by companies (25%) and state-level public agencies, medical centers, and banks (all close to 10%). However, counting personal records lost by sector, companies lead with 35.5%, followed by federal agencies with 29.5%, medical centers with 16%, and banks with 11.6%. Educational institutions account for just 2.7% of the total records lost. Therefore, though universities are victimized by huge numbers of external attacks that cause a continuous leakage of PII, companies and federal agencies are the ones that have suffered or provoked ruinous losses of enormous archives of PII. For these sectors, the impact of external Internet attacks has been matched or even exceeded by internal fraud or misconduct.

The case of consumer data broker ChoicePoint, Inc., is perhaps the one that got the most publicity as an example of bad management practices that led to a huge privacy incident.15 In 2006, the Federal Trade Commission charged that ChoicePoint violated the Fair Credit Reporting Act (FCRA) by furnishing consumer reports—credit histories—to subscribers who did not have a permissible purpose to obtain them and by failing to maintain reasonable procedures to verify both their identities and how they intended to use the information.16

The opinion that threats due to hacking have been overhyped relative to others is one shared by many in the security community. In fact, it appears that other root causes of privacy breaches, physical thefts (of laptops, disks, and portable memories) and bad management practices (sloppiness, incompetence, and scarce allocation of resources), need to be considered at least as serious as hacking. This is confirmed by the survey Enterprise@Risk: 2007 Privacy & Data Protection,11 which concludes that most enterprise privacy programs are just in the early or middle stage of the maturity cycle. Requirements imposed by laws and regulations have the highest rates of implementation; operational processes, risk assessment, and training programs are less widely adopted. In addition, only a minority of organizations seem able to implement measurable controls, a deficiency that makes privacy management intrinsically feeble. Training programs dedicated to privacy, security, and risk management look like the weakest spot. Respondents report that training on privacy and security is offered just annually (about 28%), just once (about 36.5%), or never (about 11%). Risk management is never the subject of training for almost 28% of respondents. With such figures, it is no surprise that internal negligence due to unfamiliarity with privacy problems or insufficient resources is such a relevant root cause of privacy breaches.

The ChoicePoint incident is paradigmatic of another important aspect that has been considered in analyzing privacy issues. The breach involved 163,000 records and was carried out with the explicit intention of unauthorized parties to capture those records. However, in just 800 cases (about 0.5%) did that breach lead to identity theft, a severe offense suffered by ChoicePoint customers. Some analysts have questioned the actual value of privacy, which leads us to discuss an important strand of research about the economic aspects of privacy.


URL: https://www.sciencedirect.com/science/article/pii/B9780123743541000285

The Changing Corporate Landscape

John G. Iannarelli, Michael O’Shaughnessy, in Information Governance and Security, 2015

Law and Compliance

Information security laws are designed to protect personally identifiable information from compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or other situations where unauthorized persons have access or potential access to such information for unauthorized purposes. Data breach notification laws typically require covered entities to implement a breach notification policy, and include requirements for incident reporting, handling, and external breach notification.1

There is no one particular law that governs data breaches. Essentially, every state has different regulations and requirements pertaining to data breaches, and companies must adhere to the laws of the states in which they reside as well as those of states in which they are doing business.

Depending on what information is collected and for whom, federal regulations may also apply after a breach. For example, medical data would fall under HIPAA. These requirements have resulted from federal privacy legislation that covers such areas as health care, securities, and in some cases the Internet. Whether state or federal, the regulations surrounding breaches seek to have information governance policies in place in order to mitigate the risks as much as possible and, when the inevitable breach occurs, to ensure that anyone who might have been a victim is properly notified so that they can take steps to protect themselves.

Currently, forty-seven states, the District of Columbia, and several US territories have enacted legislation that requires notification of security breaches involving personal information. Because the breached companies are themselves victims, these laws do not directly hold them accountable for the losses sustained as a result of the breach. However, there remains the potential for civil litigation in the form of class action lawsuits seeking compensation for the affected individuals. While notifying thousands of victims at a time is expensive, the prospect of having to reimburse those thousands of individuals, as seen in the Target breach, is daunting. Of course, lawsuits of this type generally succeed only when negligence is present. Hence, a proper information governance policy can demonstrate a good faith effort on the part of the company, which can overcome a presumption of negligence.

The nation’s largest data brokers, retailers, educational institutions, government agencies, health care entities, financial institutions, and Internet businesses have disclosed numerous data breaches and computer intrusions.2

The Privacy Rights Clearinghouse chronicles data breaches and reports that over 345 million records containing sensitive personal information have been involved in security breaches in the United States since January 2005. From February 2005 to December 2006 alone, 100 million personal records were reportedly lost or exposed. As an example, in 2006 the personal data of 26.5 million veterans was breached when a VA employee’s hard drive was stolen from his home.3 The common denominator in these data breaches is that the attackers were seeking sensitive personal information, which they put to criminal use by means of identity theft to commit various frauds, such as taking out a mortgage in someone else’s name or having credit cards issued against the victim’s bank account.

If any positive has come out of the multitude of data breaches, it is that the public has become much more aware of the dangers. Just a few years ago, most people would not have given a second thought to releasing their own personal identifying information to a doctor’s office or a business. Now, when asked for such information, many people immediately wonder who will have access to it and whether they have anything to fear regarding its security. In today’s changing corporate landscape, businesses have to address these concerns and put their clients’ minds at ease by demonstrating that they are competent at managing personally identifiable information. Failure to do so will inevitably result in the loss of the public’s trust, and with it the public’s business. Given the variety of remedies available to consumers through the legal system, a breach means corporations can expect greater financial problems than just the loss of future business.

The medical profession in particular has undergone dramatic changes in the way it collects patient information and in the regulations under which it must operate. By 2017, all medical records within the United States are expected to have been transformed from handwritten patient charts to online medical records. The benefits are obvious. Doctors with multiple offices can pull up patient records wherever they are working. Medical reports prepared by one doctor can be sent immediately to a treating specialist. If you are the victim of a serious accident or injury while away from home, your primary care physician can send all of your medical information immediately to the emergency room that is treating you. But when it comes to data breaches, this advance in the way the medical profession retains its patient records brings with it additional dangers that did not previously exist.

Say, for example, that your medical records have been compromised, but you are unaware of it. Someone then uses your medical records and medical insurance to receive treatment in your name. There is the obvious potential financial loss of paying another person’s co-pays, along with the possibility that your insurance rates might be raised or your policy cancelled. In the case of electronic medical records, the consequences can be far greater than financial loss. What if the person using your medical records suffers from a particular illness or ailment? They might be treated with medications that help them but that get recorded in your chart, and those same medications could have an adverse effect on you should you later be treated by another doctor who relies on that record. We have now entered an environment where a data breach could cost more than money; it could cost lives.


URL: https://www.sciencedirect.com/science/article/pii/B9780128002476000042

What Is a Security Awareness Program?

Bill Gardner, in Building an Information Security Awareness Program, 2014

Cost Savings

Data breaches cost money. If you are an organization covered by regulations such as HIPAA/HITECH or PCI DSS, the penalties for data breaches could be millions of dollars depending on the size of the breach. Additionally, many states now have breach notification laws that require organizations that lose data to inform those affected as to what was lost and in some cases provide credit protection to those affected. Ponemon Institute and Symantec released a report in June of 2013 that found that breaches in 2012 cost an average of $136 per record globally [8].

In May 2013, the US Department of Health and Human Services Office for Civil Rights reached a $400,000 settlement with Idaho State University over health data breaches [9]. In June 2012, the Alaska Department of Health and Social Services (DHSS) agreed to pay $1.7 million to settle potential violations of HIPAA/HITECH [10].

The payment card industry has established fines of up to $500,000 per incident for data breaches [11]. In 2010, Genesco, a Nashville, TN-based sportswear company, was fined more than $13 million for noncompliance with PCI DSS requirements after the firm discovered it had been hacked and the card brands found it to be noncompliant [12].


URL: https://www.sciencedirect.com/science/article/pii/B9780124199675000016

Privacy on the Internet

Marco Cremonini, ... Claudio Agostino Ardagna, in Computer and Information Security Handbook (Second Edition), 2013

Privacy Threats

Threats to individual privacy have become a matter of public alarm since July 2003, when the California Security Breach Notification Law [8] went into effect. This law was the first to require state government agencies, companies, and nonprofit organizations that conduct business in California to notify California customers if personally identifiable information (PII) stored unencrypted in digital archives was, or is reasonably believed to have been, acquired by an unauthorized person.

The premise for this law was the rise of identity theft, the conventional expression for the illicit impersonation carried out by fraudsters who use other people’s PII to complete electronic transactions and purchases. The California Security Breach Notification Law lists as PII: Social Security number, driver’s license number, California Identification Card number, bank account number, credit- or debit-card number, and security codes, access codes, or passwords that would permit access to an individual’s financial account (see checklist, “An Agenda For Action For Protecting One’s Identity”). By legally requiring prompt notification of the PII owners, the aim is to avoid direct consequences such as financial losses and derivative consequences such as the burden of restoring one’s own credit history. Since January 1, 2008, the California data security breach notification law has also applied to medical information and health insurance data.

An Agenda for Action for Protecting One’s Identity

You’ll want to protect the privacy of your personal information while you’re online. Here’s a checklist of some of the most important things you can do to protect your identity and prevent others from easily getting your personal information: (Check All Tasks Completed):

_____1.

Check a site’s privacy policy before you enter any personal information and know how it will be used.

_____2.

Make sure you have a secure Internet connection by checking for the unbroken key or closed lock icon in your browser before you enter any personal information into a webpage.

_____3.

Only give a credit card number when buying something.

_____4.

Register your credit cards with your card provider’s online security services, such as Verified by Visa and MasterCard SecureCode.

_____5.

Use just one credit card for online purchases; if possible, use an account with a low spending limit or small available balance.

_____6.

Don’t use a debit card for your online purchases. Credit cards are better because stronger consumer protections apply to them: under U.S. federal law, your liability for unauthorized credit card charges is limited to $50, whereas a fraudulent debit card transaction draws money directly from your bank account.

_____7.

Don’t select the “remember my password” option when registering online.

_____8.

Change your passwords every 60 to 90 days and don’t use personal information as your password; instead, use a string of at least five characters mixing letters, numbers, and punctuation marks.

_____9.

Don’t store your passwords near your computer or in your purse or wallet.

_____10.

Don’t give more information than a site requires.

_____11.

Keep your anti-virus software up-to-date to reduce the risk of malicious code running on your PC.

_____12.

Don’t go online unless you have a personal firewall enabled to add a layer of protection to your PC by stopping unknown connections to your PC.

_____13.

Don’t reply directly to e-mail messages asking for personal information.

_____14.

Type web addresses directly into your web browser instead of clicking on e-mail links.

_____15.

Get anti-virus and anti-spam filtering software and keep it up to date by using its automatic update feature, if your service provider or employer doesn’t provide it for you.

_____16.

Check out online retailers’ ratings at BizRate and the Better Business Bureau before buying.

Besides the benefits to consumers, this law has been the trigger for similar laws in the United States (today, the majority of U.S. states have one) and has allowed regular statistics about privacy breaches, previously almost nonexistent, to flourish. Privacy threats and their analysis are now widely debated, and research focused on privacy problems has become one of the most active areas in the field. The DataLossDB, maintained by the Open Security Foundation [9], publishes one of the most complete references for privacy breaches and data losses, recording data-loss incidents from 2003 onward.

Looking at the largest incidents, the magnitude of some breaches is astonishing: In 2009, about 130 million records were lost by Heartland Payment Systems, USA; in 2007, about 94 million records were stolen by hackers from TJX stores in the United States; in 2011, the target was Sony Corp. and the records of 77 million of its customers. Many other incidents in the tens of millions of records have been recorded and have made headlines in the press, involving all sorts of confidential information managed by very different kinds of organizations. Most of these incidents were the consequence of hacking from outside the corporate network, but with notable exceptions. In 2004, an employee of America Online Inc. stole 92 million email addresses and sold them to spammers; in 2006, a computer containing about 26 million personal records of the U.S. Department of Veterans Affairs was stolen; and in 2007, two CDs were lost containing the entire HM Revenue and Customs (GB) child benefit database (about 25 million records) and 7 million banking details. Similarly, lost tape backups or other storage media containing millions of personal records were the cause of severe data-loss incidents in 2008 at T-Mobile, at Deutsche Telekom, at LaSalle Bank, USA, and at GS Caltex in South Korea.

It is interesting to note that criminals going after huge archives of personal data are not a phenomenon that appeared with the advent of the Internet and modern interconnected digital networks. In 1984, hackers accessed a credit-reporting database, likely managed on mainframe systems, at TRW Inc. containing 90 million records, and in 1986, a document containing about 16 million records of Canadian taxpayers was stolen from Toronto’s District Taxation Center.

Whereas these incidents are the most notable, the phenomenon is distributed over the whole spectrum of breach sizes. Hundreds of privacy breaches are reported in the order of a few thousand records lost, and all categories of organizations are affected: public agencies, universities, banks and financial institutions, manufacturing and retail companies, and so on. On this point, it is worth quoting the authors of the 2011 Data Breach Investigations Report by the Verizon RISK team [10]: “2010 exhibited a much more even distribution. The main factor in this shift is the lack of “mega-breaches” in our combined caseload. Many incidents involving the compromise of multi-millions of records (or more) in the last few years occurred in financial institutions. Without one or two of these skewing the results, things naturally balance out a bit more. Another factor to consider is that criminals seemed to gain interest in stealing data other than payment cards. Account takeovers, theft of IP and other sensitive data, stolen authentication credentials, botnet activity, etc. (which are typically less mega-breach-able) affected firms at increased rates in 2010”. This is a valuable warning not to focus excessively on the “mega-breaches” that get the headlines as the sole indicator of the state of privacy on the Internet. Even in 2010, when no huge breaches occurred (2011 is different, as we illustrated), privacy threats and incidents soared in number, though not in the amount of records stolen. Therefore, the threats are real and very much alive, even for small-to-medium firms and organizations.

Again from the DataLossDB, we have an overview of the incidence of data breaches by breach type, business type, and vector. With respect to breach type, the main ones are: 19% due to hacking; 15% due to stolen laptops; 11% due to malicious Web services; and 11% due to fraud.

A plethora of other causes, from the disposal of documents, media, and computers to lost or missing storage media, malware, and email, accounts for almost 40% of all breaches.

With respect to business type, incidents are distributed as follows: 49% affect businesses; 19% governments; 16% medical institutions; and 16% educational institutions.

Finally, the vectors mainly exploited to conduct privacy and data breaches are: 55% of incidents originate from outside an organization; 39% from inside; and 6% unknown.

It is interesting to note that, among incidents originating from inside an organization, the majority are accidental rather than intentional. This fact points to the significant role of mistakes, disorganization, mismanagement, and other accidental causes that may pose severe threats to data privacy.


URL: https://www.sciencedirect.com/science/article/pii/B9780123943972000428

What's Next?

Tony Flick, Justin Morehouse, in Securing the Smart Grid, 2011

Making the Argument

Speaking in terms of theoretical doomsday scenarios will not sway most executives. If you are responsible for presenting the risk to management, a quantitative analysis of the real cost of a breach, backed by statistics and mandatory regulations, will make the best argument. Most states in the United States have breach notification laws that require organizations to disclose when personally identifiable information has been exposed. Thus, finding statistics and real-world examples to present to management will not be difficult. As an example, the Privacy Rights Clearinghouse maintains a list of the publicly disclosed breaches involving personally identifiable information (PII) since 2005, which it calls the Chronology of Data Breaches. The list can be viewed at www.privacyrights.org/ar/chrondatabreaches.htm. In addition, the Open Security Foundation maintains a database and a mailing list for breaches involving PII. More information on the Open Security Foundation DatalossDB database and mailing list can be found at http://datalossdb.org/.

In addition to the costs associated with investigations, lawsuits, and remediating a vulnerability after a breach has occurred, compliance with mandatory regulations is a powerful argument to use when discussing risk with management. In Chapter 6, “Public and Private Companies,” compliance with NERC CIP reliability standards is discussed along with the repercussions of noncompliance. Under Section 215 of the Federal Power Act, NERC has the authority to fine United States entities up to $1 million per day.24 While NERC CIP compliance will not help in every situation, it should help security professionals achieve a minimum baseline of security within their organization.


URL: https://www.sciencedirect.com/science/article/pii/B9781597495707000145

What information is required to be included in a breach notification?

These individual notifications must be provided without unreasonable delay and in no case later than 60 days following the discovery of a breach and must include, to the extent possible, a brief description of the breach, a description of the types of information that were involved in the breach, the steps affected ...

What is the breach notification rule?

HIPAA's Breach Notification Rule requires covered entities to notify patients when their unsecured protected health information (PHI) is impermissibly used or disclosed (“breached”) in a way that compromises the privacy and security of the PHI.

When should a data breach notification be done?

When should the Commission be notified? Within 72 hours from knowledge of the personal data breach, based on available information.

Which data breach notifications are required under the GDPR?

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a ...