In 2009, for the first time in three years, more publicly reported data security breaches were caused by hackers than by other sources, such as insider theft. The nonprofit Identity Theft Resource Center (“ITRC”) tracks breaches involving five categories of data loss: (i) “data on the move,” such as lost laptops; (ii) accidental exposure; (iii) insider theft; (iv) losses involving subcontractors; and (v) hacking. The ITRC’s 2009 Breach Report analyzed 498 publicly reported breaches affecting over 222 million total records, concluding that hacking may be on the rise.
Notwithstanding the study’s findings, it remains impossible for an independent party to provide definitive numbers on breaches, or to assess accurately the causes behind all data security incidents. Although the vast majority of states require some form of notification of security breaches, formal notification requirements are rare outside the United States. Even in the U.S., many breach notification laws require notification only of certain types of breaches, such as breaches of data stored in electronic format. Moreover, as the ITRC report points out, not all of the laws require reporting of the cause of the breach, and the percent of breaches for which no cause was reported exceeds the percent attributed to hackers. Perhaps most importantly, many breaches—especially those caused by hackers—go undetected. And under many laws, even those that are detected need not be reported if the breached entity determines that the breach poses no risk of harm to the affected individuals. As of this writing, the ITRC’s tally for 2010 counts 146 breaches exposing over 2.8 million records.