On Breach Trends and Marketing Your Own Security
It's the last week of June - half the year is over. Perfect time to take a look at data breach trends.
On the banking side of the house, the latest stats show that financial institutions already have been tied to 39 breaches so far in 2010. That's well beyond half of the total 62 breaches we saw in all of 2009.
And while there hasn't been a single breach approaching the scale of last year's Heartland Payment Systems hack, one can see three distinct threats that account for more than half of this year's reported breaches:
- Missing or Stolen Hardware -- How exactly do so many laptops get lost, anyway?
- Insider Theft -- The crime of choice in troubled times.
- Outside Network Intrusions -- Ye olde hack attack.
Even more unsettling, Linda Foley, head of the Identity Theft Resource Center (ITRC), which tracks breaches across industries, refers to this list as the proverbial "tip of the iceberg." I suspect you needn't dive deep below the surface to find a troubling number of unreported ATM skimming and ACH fraud incidents.
The message is clear: There's no one breach that has caught the public's attention this year, but dozens of low-profile incidents are keeping the fraudsters in business. It will be interesting now to watch the second half of the year. Many experts predicted we'd see a new Heartland-level breach sometime in 2010. My question is: Has it happened already, and we don't know about it ... or is it still to come?
And, of course, the one thing that neither the ITRC nor the breach timeline tracks is: How are we smarter this year than last in terms of detecting or deterring breaches? Then again, perhaps the rising numbers tell us everything we need to know about lessons learned, or lack thereof.
Meanwhile, over on the healthcare side of the house, I'm fascinated by the growth of the federal list of healthcare data breaches. The list is only four months old, a result of the HITECH Act breach notification rule, which mandates that breaches affecting 500 or more individuals must be reported to the HHS Office for Civil Rights, the news media and the individuals affected.
In less than half a year, this list is already at about 100 incidents. Granted, some of these are 2009 incidents that just came to light in 2010, but still ... we're talking about scores of missing laptops and breached records. According to Howard Anderson, managing editor of HealthcareInfoSecurity.com, 61 percent of the reported incidents involve the theft or loss of unencrypted computer devices (laptops, USB flash drives, CDs or hard drives), while roughly 9 percent involve the theft or loss of paper records.
Which is the more significant trend - the number of incidents or the federal mandate that healthcare organizations account for these breaches publicly?
My eyes are on the breach rule. You've seen a number of states (California, Massachusetts, Nevada, etc.) enact data privacy laws that deal with breach notification. But healthcare is the first industry where the feds are making a list and checking it twice. Can you imagine the stir if a federal breach notification standard were applied to financial services - or to government agencies?
You can see the potential public backlash against reported incidents. It's not exactly a calling card when WellPoint Inc., which owns Blue Cross and Blue Shield plans in 14 states, notifies 470,000 people that their information may have been breached on a web site.
But then, as more of these breaches are revealed publicly, maybe we really do see the scenario that author Joseph Menn recently outlined for me. He believes there's a great opportunity for non-breached entities to market their businesses on the strength of their information security. Whereas marketers historically have shied away from even talking about security (that would suggest vulnerabilities), Menn says: "[Organizations] should put serious security in place - and then advertise it. Get this competition going on the basis of security. That will gain them customers, in my opinion."
What about in your opinion? How do you feel about the latest breach trends, notification laws and the prospect of using information security as your newest marketing tool?
Write me with your thoughts. I'll share some of your ideas here in a future blog entry.