03 Dec Report: Personal information at peril in public sector
Madison, Wis. – An analysis of information breach incidents by J. Campana & Associates reveals that U.S. public sector data breaches account for over half of all the reported information security breaches, a disproportionately high number of security breach incidents because the public sector makes up about one percent of the total number of U.S. entities.
The public sector, which includes governmental and educational organizations, together with the not-for-profit sector, has put more than 60 million consumer profiles at risk through security breaches. Over 45 million consumer profiles were endangered through loss, theft and unintentional disclosure by the government sub-sector. The education sub-sector compromised more than 10 million student, parent, employee, and other consumer profiles. A compromised profile includes sensitive consumer information, such as a social security number or financial account number printed on paper or encoded on electronic media, that was lost or stolen, or inappropriately accessed, exposed or disposed of.
Dr. Joseph Campana, an identity theft, privacy and information security consultant and author of the study, said, “Consumers whose profiles have been compromised may be at increased risk of having their right to privacy violated or of becoming a victim of identity theft.”
Last month, J. Campana & Associates released a focused analytical report on data breaches in the educational sector. That analysis indicated that schools logged a third of all information breach incidents accounting for as many as 25% of all the consumer profiles that were compromised. The current study includes all three sectors – public, private and volunteer.
The new study shows that federal and state governments reported three-quarters of all breaches compared to local governmental units, which consist of county, city, towns, municipal and special units of government. Breaches by federal and state governments are disproportionately high because federal and state governments compose a few percent of the total units of U.S. government.
Campana offers an alternative interpretation: breach incidents reported by local units of government are disproportionately low because local government makes up the majority of governmental units.
Towns, for example, did not report any breaches within the last three years. Campana suggests it is improbable that the more than 15,000 U.S. towns and townships did not have any breach incidents during this period. Dr. Campana says “it is more likely that smaller units of local government do not have the controls in place to detect security breaches or they are not reporting them when they occur, even though most states require breach notification under law.”
He says that federal and state governments have privacy and information security compliance programs and consequently are more attentive to monitoring and reporting breaches under breach notification laws.
Campana added that local government may feel a greater obligation to fill potholes than to protect the information that their constituents entrust to them. Information security is a public safety issue; however, most officials and their constituents are not aware of the perils of lax information management compared to other public safety issues.
“Identity theft appears to be growing, not declining,” he said. “Federal and state legislators and regulators ought to increase their focus on information security awareness and compliance in local government and educational institutions, just as they have done with the private sector.”
Campana’s empirical experience is that smaller organizations are significantly less aware, less concerned, and non-compliant when it comes to privacy and information security.
He says consumers and state and federal legislators should be concerned because it is likely that far more consumer information held by local governments is insidiously compromised and used for nefarious purposes compared to the occasional large data breaches that get much of the attention.
Campana believes there are thousands of data breaches that occur monthly in smaller organizations that go undetected or unreported and that “we all should be more concerned.”
Campana is the author of a new book on privacy and information security: “Privacy MakeOver: The Essential Guide to Best Practices.” Campana says he wrote the book as a do-it-yourself guide for small organizations such as local government, schools, non-profit organizations and businesses.
“My experience has shown that the reality is that small enterprises do not have the time or the money to figure out how to put a privacy compliance program in place or to pay attorneys and compliance experts to do it for them,” he said. “I wrote a basic book on the subject so small enterprises could put a reasonable and appropriate privacy and information security program in place quickly and inexpensively.”
Almost 35 percent of the breaches reported by the government sub-sector involved stolen computers and electronic storage media, and over 20 percent involved laptop computers. Ten percent of the incidents reported by state government involved traditional mail, for example, printing Social Security numbers on mailing labels.
The full report, which covers public, private and volunteer sector breach incidents reported for three calendar years ending December 2008, will be available in January 2009.