According to the Massachusetts state attorney general’s office, approximately 2 million residents have had their personal information compromised just in the past 20 months. Electronic data breaches, about 25% of which were due to intentional hacking, amounted to almost 1,200 incidents.
Beyond hacking, a data breach can take other forms: unintended exposure by “insiders” through accidental dissemination; weak authentication controls that let “outsiders” stumble onto sensitive data; and, of course, the loss of portable devices such as external drives, thumb drives, smartphones and laptops. A new wrinkle in data security occurred to me, however, while thinking about MA – but first –
Massachusetts Attorney General Martha Coakley released the breach notices her office receives under a 2007 state law: any company doing business in the state must inform customers and state regulators of any breach that may result in identity theft. The law followed the huge 2007 breach at retailer TJX Companies, in which data on 45.6 million payment cards was stolen over an 18-month period.
Initially, TJX refused to reveal the size and scope of the breach, but finally came clean, divulged how massive it was, and notified credit and debit cardholders. That breach, and the delay in disclosing it, led to MA’s present notification law.
Today, the law’s yield is sobering: one in three residents suffered a compromise of their data – in a mere 20 months.
Reading about the situation in Massachusetts, I began a mental exercise to explore other risks to data, and to sound business standing: things beyond the typical insecure posture born of ignorance or lack of planning, the posture that results in hacks, loss and the ensuing breach. Are there other general areas of unsurveyed risk?
You bet there are.
There are bad outcomes for data that don’t involve breach, of course: There’s corruption. There’s accidental deletion (between backups, or in light of no backups). And… other things…
What of a hardware or software vendor who would deliberately lose your data, within a warranty window, by virtue of a stated, official policy of selective (rather than comprehensive) backup and restoration?
More to follow…
NP: Led Zeppelin, eponymous, original vinyl LP