Data Breach Explosion Proves Costly

NY Attorney General: 'Nothing Short of Staggering'
New York Atty. Gen. Eric Schneiderman

If New York State is illustrative of a national trend, hacking poses a greater threat to businesses and other organizations than other types of data breaches. External cyberattacks represent 40 percent of the nearly 5,000 breaches recorded in the state from 2006 through 2013, according to a new report issued by the state attorney general.


Figure: Data Breaches by Category in New York State, 2006-2013 (source: New York State Security Breach Reporting Forms)

Breaches over the eight years tracked by the AG exposed more than 22.8 million personal records of New Yorkers, according to the report titled Information Exposed: Historical Examination of Data Breaches in New York State.

With 7.3 million records exposed in 2013, the cost of last year's 900-plus data breaches to the public and private sectors topped $1.37 billion, which Atty. Gen. Eric Schneiderman characterizes as "nothing short of staggering." Five of the 10 largest breaches reported to the New York AG have occurred since 2011.

"In just eight years, the number of victims in New York has exploded ... jeopardizing the financial health and well-being of countless New Yorkers and costing the public and private sectors in New York - and around the world - billions of dollars," Schneiderman says.

Healthcare Woes

Healthcare is the sector with the largest number of records exposed since 2006, at more than 1 million. "As the healthcare industry moves toward increasing digitization, it has become a repository for large troves of sensitive information, making the industry uniquely susceptible to data loss, particularly through lost or stolen electronic storage equipment," the analysis says.

Other sectors with a significant number of businesses experiencing three or more breaches include retail services, financial services and banking specifically.

Although hacking and equipment losses resulted in the most breaches, the number of breaches by insiders grew to 121 incidents in 2013, a record high. But with the exception of 2007, the volume of personal records exposed from insider actions generally decreased over the years. In 2007, a single event - the Certegy Check Services breach - accounted for about 80 percent, or 470,696, of New Yorkers' records exposed that year. (see Certegy Reaches Data Breach Settlement)

Figure: Hacking Dominates Data Security Breach (source: New York State Security Breach Reporting Forms)

The AG says businesses and government agencies need to do a better job educating people about cyberthreats. "Our expansive look at data breaches found that millions of New Yorkers have been exposed without their knowledge or consent," Schneiderman says. "It's clear that a broad, concerted public education campaign must take place to ensure that all of us - from large corporations, to small businesses and families - are better protected."

Figure: Number of Personal Records Exposed (source: New York State Security Breach Reporting Forms). Note: Solid line depicts reported records exposed; dotted line represents 'conservative' estimate of records exposed.

The report offers five steps enterprises should take to help protect sensitive personal information against unauthorized disclosure:

  1. Understand the types of information needed to operate the enterprise, what data has been collected and stored, how long the data is needed and steps to take to ensure information security.
  2. Identify and minimize data collection practices.
  3. Create an information security plan that includes encryption.
  4. Implement an information security plan that ensures employee awareness training, notify third parties of the security plan and conduct regular audits to assure compliance with the plan.
  5. Offer mitigation services in event of a breach.

Under New York's breach notification law, notification is required only if personally identifying information such as a name, in addition to a protected number, such as a credit card or Social Security number, is disclosed. Such data reported to the state served as the basis for the AG report.


About the Author

Eric Chabrow

Host & Producer, ISMG Security Report; Executive Editor, GovInfoSecurity & InfoRiskToday

Chabrow hosts and produces the semi-weekly podcast ISMG Security Report and oversees ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.



