The Boston Globe had a sobering story over the weekend in which it estimated that 1 in 6 Massachusetts residents were affected by some type of data breach over the past two years.
According to the Globe, its review of state-recorded data breaches showed that at least 1 million state residents had their data compromised through credit card theft, unauthorized medical information disclosures, or other types of confidential data breaches. The Globe story also provides a list of some of the more prominent data breaches reported to the state from June to November 2009: there were 13 of them, affecting over 88,000 residents.
In 2007, Massachusetts passed a law requiring institutions such as banks, stores, and universities to inform consumers and state regulators about security breaches that might result in identity theft. Since then, the Globe says, some 807 data breaches had been reported to state officials by the end of November 2009.
The Globe said that 60% of the disclosed data breaches were caused by criminal acts, while 40% were due to negligence.
However, the Massachusetts disclosure law has some loopholes, exposed by the Hannaford episode in 2008, which may result in under-reporting of unauthorized data disclosures.
In addition, according to this paper by Sasha Romanosky et al. at the Heinz School of Public Policy and Management at Carnegie Mellon University, disclosure laws such as the one in Massachusetts don't do much in the way of reducing identity theft.
Given the number of data breaches, it is almost a certainty that someone in Massachusetts has had their personal data disclosed more than once. If anyone has had this happen to them, I would be very interested in hearing about it.
The Globe also writes that, "On March 1, new state regulations will require organizations to take stronger measures to ensure data security. Institutions that hold such personal data will have to write an official security program and train employees to follow it. In addition, organizations will have to encrypt all personal data stored on laptops, flash drives, or other portable devices, or that is transmitted over the public Internet or wireless networks."
It will be interesting to see how long after the 1st of March it will be before a data breach is disclosed to state officials that violates these new rules. I would be surprised if it takes more than 3 months.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.