Update: Massachusetts 2011 Breach Notification Report
Tuesday, July 31, 2012
Back in April, this blog discussed the release of the 2011 Data Breach Notification Report (Adobe PDF) by the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR). Since then, I further analyzed some of the results from the report. New charts are below.
You may remember that the report covered data breach activity since October 31, 2007, when the state's breach law went into effect. The 2007 law requires businesses that store consumers' sensitive personal information to notify the OCABR if they experience or suspect a data breach. In 2009, the state enacted tougher data security rules. In March 2010, the law was amended to require applicable businesses to develop a comprehensive, written information security program and to encrypt certain data.
Some highlights from the report:
- 1,833 data breaches and 3,166,031 Massachusetts residents affected since November 1, 2007
- Notable data breaches during 2011: Sony Playstation, Michael's craft stores, Departments of Unemployment Assistance and Career Services
- Industries with the most data breaches include financial service, health care, education, and state government
- While the number of breaches is evenly split between malicious and non-malicious categories, on average a malicious data breach affects a larger number of residents than a non-malicious breach
- On average, breaches where information is stored in electronic formats are substantially larger than breaches where information is stored in paper format
Breach history (number of data breaches):
Year | Malicious Breaches (#) | Malicious (% of Total) | Non-Malicious Breaches (#) | Non-Malicious (% of Total) | Total Breaches |
---|---|---|---|---|---|
2007 | 11 | 44% | 14 | 56% | 25 |
2008 | 257 | 55% | 214 | 45% | 471 |
2009 | 261 | 61% | 170 | 39% | 431 |
2010 | 161 | 36% | 291 | 64% | 452 |
2011 | 241 | 53% | 213 | 47% | 454 |
Total | 931 | 51% | 902 | 49% | 1,833 |
The non-malicious category includes breaches where, "... either negligence or mistakes by employees or third-party contractors resulted in exposing personal information..."
The malicious category includes breaches:
"... made by disgruntled former employees of businesses which held personal information who either retained access to data, or used the access codes of a former coworker to gain access."
The average number of residents affected per data breach:
Year | Malicious Breaches | Non-Malicious Breaches | Total Average Residents/Breach |
---|---|---|---|
2007 | 372 | 356 | 363 |
2008 | 1,009 | 2,139 | 1,522 |
2009 | 1,337 | 209 | 892 |
2010 | 5,757 | 374 | 2,291 |
2011 | 3,811 | 421 | 2,221 |
Total | 2,640 | 773 | 1,721 |
Breach activity based on the storage format of the information:
Year | Electronic: # Breaches | Electronic: Residents / Breach | Paper: # Breaches | Paper: Residents / Breach |
---|---|---|---|---|
2007 | 20 | 432 | 7 | 16 |
2008 | 331 | 2,112 | 81 | 21 |
2009 | 324 | 1,074 | 106 | 54 |
2010 | 326 | 2,912 | 143 | 437 |
2011 | 364 | 2,954 | 106 | 140 |
Total | 1,365 | 2,256 | 443 | 192 |
The number of breaches by industry:
Industry | Breaches: 2011 | Breaches: 2007 - 2011 |
---|---|---|
Commercial | 19 | 43 |
Education | 24 | 101 |
Entertainment | 10 | 30 |
Federal Government | -- | 1 |
Financial Services | 257 | 955 |
Food & Beverage | 5 | 35 |
Health Care | 63 | 214 |
Local Government | 2 | 7 |
Manufacturing | 4 | 29 |
Not-For-Profit | 4 | 30 |
Other | 36 | 164 |
Pharmaceutical | 1 | 16 |
Retail | 2 | 21 |
State Government | 18 | 87 |
Technology | 12 | 79 |
Telecommunications | 2 | 17 |
Trade Union | -- | 4 |
Total | 459 | 1,833 |