Profile: Sharon Fisher
You know, it’s not even that March was all that unusual. But here, on World Backup Day, it’s worth looking at some of the incidents that happened this month:
- The personal information — including the names, Social Security numbers, addresses, phone numbers, and dates of birth – of 13,000 individuals who had filed compensation claims with BP after last year’s disastrous oil spill may have been potentially compromised after a laptop containing the data was lost by a BP employee.
- The world’s largest stem cell bank, Cord Blood Registry, mailed data-breach warning letters to some 300,000 people after storage tapes and a laptop were stolen from an employee’s car
- Insurer Health Net waited until March 14 to disclose a data breach discovered on Jan. 21 involving the loss of nine server drive and the data of 2 million customers, employees, and health care providers.
- A USB memory stick containing the details of around 4,000 people has been lost by Leicester City Council.
- Taxpayers’ Social Security numbers, confidential child abuse reports and personnel reviews of New Jersey workers nearly went to the highest bidder after the state sent surplus computers out for auction.
What the heck is going on?
Sadly, it’s not even all that unusual. And to make matters worse, such breaches are getting more expensive. According to the Ponemon Institute, which did a survey for Symantec Corp., data breaches continue to cost organizations more every year. The average organizational cost of a data breach this year increased to $7.2 million, up 7 percent from $6.8 million in 2009. Total breach costs have grown every year since 2006. Data breaches in 2010 cost their companies an average of $214 per compromised record, up $10 (5 percent) from last year, the Institute said.
Such incidents are so prevalent that the Online Trust Alliance recommends that organizations have a plan in place for dealing with them, indicating it’s an issue of not if, but when. The only winners in these situations appear to be the credit-monitoring bureaus.
Part of the problem is that the lost data wasn’t always encrypted (though in the Leicester case, it appears the data was encrypted and the stick was stolen deliberately). On the other hand, how often does it happen that people lose the password or the key, or through some other action lose legitimate access to their data?
One thing does seem clear: People aren’t learning. The Leicester, New Jersey, and Health Net incidents were followups to similar incidents in 2009.