Last week, the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) released its findings from an analysis of four years of data breach notifications reported to the state. A chief finding was that sensitive data often was not encrypted.
Any business or entity storing consumers' personal information has been required since Oct. 31, 2007 to report data breaches to the OCABR. Through September 30, 2011, the OCABR received 1,833 breach notices affecting about 3.2 million people, or an average breach size of 1,727 stolen or lost records. 73% (1,336) of the breaches involved electronic files and affected 97% of breach victims.
The financial services industry reported the most breaches (955) during the last four years, affecting 901,156 people. Most of these breaches involved credit- and debit-card transactions at processing centers and retail stores. The health care industry has had fewer breaches (214) but affected far more people (983,746), including the South Shore Hospital breach in 2010.
In March 2010, new regulations went into effect requiring entities that store, own, or license personal information about Massachusetts residents to develop, implement, and maintain a comprehensive written information security program (WISP) describing how they will protect sensitive information. The new rules also required entities to encrypt sensitive information if it is transmitted over public networks or the Internet, or carried on portable devices.
The number of breaches each year has remained fairly steady, ranging from a low of about 415 to a high of about 470. Other findings:
"... stolen or lost portable electronic devices are most often not secure. Of the 365 devices reported lost or stolen, only 13 were encrypted. The lost devices led to exposure for 409,572 people. By contrast, the 27 encrypted machines kept information secure for 24,269 people... of the 75 lost or misplaced portable devices reported, only one was encrypted, compromising 1.2 million pieces of information. Of the 290 portable devices stolen, 12 were encrypted, protecting 4,110 pieces of information. The 277 unencrypted devices exposed 220,000 pieces of information."
The types of devices lost/stolen included desktop computers and computer tapes. The types of portable devices lost or stolen included laptop computers, thumb drives, and storage discs (CDs). The report concluded:
"If all portable devices were encrypted from 2007 to 2011, the number of residents whose personal information was compromised would be remarkably lower by 47% or 1,490,308 people. If all portable devices were encrypted from March 1, 2010 the number of compromised residents would have decreased by 29 percent or 909,992 people... compliance with the encryption requirement is a powerful tool to safeguard the personal information of millions of residents"
Download the OCABR data breach report (Adobe PDF, 948K bytes).