Since 2010, that is, following a law enacted in 2007 that requires all companies doing business in Massachusetts to inform consumers and state regulators about security breaches that might result in identity theft. Attorney General Martha Coakley’s office released the information, including a breakdown of the data.
Her office has received 1,166 data breach notices since January 2010, including 480 between January and August of 2011. About 25 percent were the result of a deliberate hacking attempt, followed by 23 percent for accidental unauthorized sharing of information, i.e. faxes or e-mails with personal information sent to the wrong recipient. 15 percent of cases were reports of customer credit card numbers. Data was also lost through thefts or accidental losses of laptop computers and paper documents, or in cases in which workers deliberately gained unauthorized access to client files.
The biggest single data breach in the report occurred last July, when South Shore Hospital said it lost 14 years’ worth of records on 800,000 patients, employees, volunteers, and vendors. The hospital blamed an outside data management company for losing a batch of records they had been ordered to destroy.
Coakley predicted the problem will get worse as more Americans store vital personal data on various computer networks. “There is going to be more room for employee error, for intentional hacking,” she said. Continuing in this vein, she stated, “this is going to be an increasing target.”
If the number of Massachusetts breaches reported seems high, consider that many other states lack similar reporting laws. While states haven’t been eager to be seen as leaders in the breach numbers tally, they do seem to be responding to requests from their constituents for more openness when personal data may have been compromised. We recently noted that California is enacting breach notification legislation requiring notification to be sent to the Attorney General for incidents affecting more than 500 users. We expect to see similar reporting efforts in other states in the near future.
In the meantime, companies are scrambling to shore up their organizations’ defenses to avoid being trotted out in the series of “also hacked” headlines. We hope the new defenses will be successful at reducing the number of data breaches, especially as many of them can be solved with user education, which is much less expensive and embarrassing than a data breach.