2008 Breaches: More or More Reporting?
Dissent has some good coverage of an announcement from the ID Theft Resource Center, “ITRC: Breaches Blast ’07 Record:” [link to http://www.pogowasright.org/blogs/dissent/?p=1059 no longer works]
With slightly more than four months left to go for 2008, the Identity Theft Resource Center (ITRC) has sent out a press release saying that it has already compiled 449 breaches– more than its total for all of 2007.
As they note, the 449 is an underestimate of the actual number of reported breaches, due in part to ITRC’s system of reporting breaches that affect multiple businesses as one incident. This year we have seen a number of such incidents, including Administrative Systems, Inc., two BNY Mellon incidents, SunGard Higher Education, Colt Express Outsourcing, Willis, and the missing GE Money backup tape that reportedly affected 230 companies. Linda Foley, ITRC Founder, informs this site that contractor breaches represent 11% of the 449 breaches reported on their site this year.
I don’t have much to add, but I do have a question: are incidents up, or are more organizations deciding that a report is the right thing to do?
[Update: I wanted to point out interesting responses by Rich Mogull [link to http://securosis.com/2008/09/23/the-breach-reporting-dillema/ no longer works] and Dissent [link to http://www.pogowasright.org/blogs/dissent/?p=1069 no longer works] .]