Hundreds Of Data Breaches Unreported

ITRC says lack of clarity hurts consumers
July 14, 2010

The non-profit Identity Theft Resource Center announced late last week that it had recorded 341 data breaches for the first six months of 2010 — at the same time noting that hundreds more breaches went unreported to the public.

According to the ITRC, some states now harbor a protected breach list, meaning that significant data breaches are either not made public at all or are accessible only by exercising the Freedom of Information Act. One state, for example, had a list of 200 breaches. But for most of those breaches, little information was disseminated.

Meanwhile, the U.S. Department of Health and Human Services requires all medical breaches involving more than 500 people to be reported to the public, and to HHS. But HHS created a "risk of harm" threshold for notifications. Under HHS guidelines, if an organization determines that a data breach hasn't caused "a significant risk of financial, reputational, or other harm to individual," then it doesn't have to report the breach, either to the person whose information was breached or to law enforcement agencies or the public, according to an Information Week report.

Leaders of the Identity Theft Resource Center said they believe such lack of complete transparency regarding data breaches hurts all consumers and taxpayers.

“It is important for the public, when becoming aware of the details of a data breach, to immediately have a broad understanding as to whether their personal information may be involved,” the ITRC said in a statement accompanying its mid-year data breach report. “Incomplete information feeds public fears and does not accomplish the intended transparency of most breach laws. This situation further encourages bad behavior on the part of companies who should be more concerned about the protection of the privacy of their customers.

“Consumers want to know if they are at risk from even a small breach. The details of a breach help determine their risk factors as well as guide them in proactive measures.”

Among findings in the ITRC breach report for the first half of 2010:

  • 46 percent of all disclosed breaches did not disclose how many records were potentially affected.
  • 38 percent of all known breaches did not disclose how the breach occurred.
  • The business community accounted for 36 percent of all breaches, the highest category listed.
  • 82 percent of all breaches were electronic; 18 percent were paper.
  • Insider theft (17 percent) and hacking (17 percent) resulted in a combined total of 34 percent of breaches known to have occurred from malicious attacks.

©2003-2010 Identity Theft 911, LLC. All rights reserved.
