Study Suggests that Data Breaches Among Businesses May Be on the Rise

A recent study released by the Identity Theft Resource Center (“ITRC”), a non-profit organization dedicated exclusively to the prevention of identity theft, suggests that in 2009, while the government appeared to be improving data security, the protection of customers’ private information by some businesses may have worsened. The annual ITRC study is funded by the U.S. Department of Justice’s Office of Victims of Crime and tracks how a data breach occurs and identifies the breach by sector – including general business, medical and health, financial institutions, government/military, and educational.

The highlights of the 2009 ITRC study include the following:

  • Breaches within the general business sector (not including companies in the more heavily-regulated financial and medical sectors) climbed from 21% to 41% between 2006 to 2009, the worst sector performance by far.
  • Paper breaches increased 46% from 2008 and now account for nearly 26% of known breaches.
  • The number of breaches caused by a malicious attack surpassed the number resulting from human error for the first time in three years.
  • In only six of the total 498 breaches reported was encryption or other strong security feature protecting the exposed data utilized.

These statistics highlight the importance of consistently evaluating the measures your company takes to secure private data. Otherwise, your company runs the risk of being sued for breach of privacy, including in the individual and class action context, or becoming the subject of investigation by state and/or federal regulators, who are becoming increasingly aggressive about investigating privacy breaches. Your company may also find itself liable to third-parties with whom it does business, including credit card issuers and merchant banks, especially if your company’s privacy protections fail to meet the industry standard. [Click here for a post from the Kelley Drye Advertising Group’s Ad Law Access Blog” regarding a recent law passed in the state of Washington that establishes such liability.]

Click here for more information about ITRC’s 2009 Data Breach study.