The Identity Theft Resource Center (ITRC) has reported that the number of data security breaches recorded so far in 2008 has already surpassed the total for all of 2007. As of August 22, 2008, the ITRC counted 449 confirmed data breaches, compared with 446 for the whole of 2007. The ITRC believes the true number is likely much higher because of under-reporting. In addition, some of the reported breaches affect multiple businesses but are counted as single events.
The ITRC, a non-profit association established to raise awareness of identity theft and to help identity theft victims, records breaches that have been published in various media sources or have appeared on notification lists of state governmental agencies. To qualify for the ITRC’s breach list, a breach must involve personal identifying information that could lead to identity theft (e.g., social security number or date of birth).
The breaches on the ITRC list were categorized as follows:
- hacking — 12.9 per cent;
- accidental exposure — 13.8 per cent;
- employee theft — 15.6 per cent;
- subcontractors — 10.9 per cent; and
- data on the move (e.g., stolen or lost laptops and portable storage devices) — 21.2 per cent.
(The five categories as reported total 74.4 per cent; the remaining incidents are not broken out here.)
McCarthy Tétrault Notes:
The ITRC breakdown of causes illustrates that most of these incidents result from the acts or omissions of an organization's own personnel (lost or stolen devices, accidental exposure, employee theft) rather than from an external malicious intrusion, and that many of them are preventable. Effective internal controls and processes, together with regular training programs and incentives that build privacy and data security into an organization's corporate culture, will reduce the frequency of privacy incidents and thereby mitigate the organization's risk.
If your organization experiences a security breach, you should assess the situation and implement an appropriate action plan in a timely manner. The key objectives should be to (i) contain the breach; (ii) assess and mitigate the risk to your organization’s employees, clients and customers; (iii) develop and implement a notification strategy that is timely and comprehensive (where appropriate); and (iv) review existing policies and procedures to ensure the breach does not recur.
To deal with a security breach, your organization should:
- Assemble an appropriate team to investigate the breach (e.g., individuals from privacy, security, IT, communications and legal), and develop and implement your organization’s action plan (including an internal communications plan to communicate to employees and management).
- Investigate the facts surrounding the breach, including the chain of custody for the data, the date the breach occurred, how it occurred, when it was discovered, the number of individuals affected, and the nature of the information involved (e.g., health, financial or contact information, social insurance numbers, etc.). Also determine whether any physical or technological safeguards impede unauthorized access to the information (e.g., password protection, encryption, etc.), bearing in mind that a login password alone, without encryption of the stored data, does little to stop someone who has physical possession of a lost or stolen device; whether the information has already been inappropriately used or disclosed; and how likely it is to be used or disclosed in the future.
- Determine the jurisdiction(s) that are affected by the breach and the law(s) that may apply.
- Assess the risk of harm if the information is in fact inappropriately used or disclosed (e.g., physical harm, fraud, identity theft, embarrassment or inconvenience to the individuals, loss of business or employment opportunities, etc.).
- Identify the steps that your organization should take to mitigate the effect of the breach, both internal (e.g., retrieve copies, change passwords or access rights, back-up databases) and external (e.g., notify affected individuals, law enforcement, privacy commissioners or regulatory authorities, review contractual reporting obligations if the data was being processed on behalf of another organization, etc.).
- If your organization decides to notify individuals of the breach, develop a notification plan to provide such notification (e.g., direct notification of affected individuals or indirect notification through public announcements).
- Identify and implement steps to be taken by your organization to help prevent a recurrence (e.g., changes to company procedures, policies and contractual templates; changes to physical or technological safeguards; and employee training).
- Develop and implement a communications plan to manage follow-up questions and requests from affected individuals, employees, regulators, law enforcement and the media.