In its December 24 report, the ITRC said that there were 443 publicly reported breaches in the U.S. in 2007. In 2006, the ITRC identified 315 publicized breaches.
Some 127 million data records were exposed during 2007. In 2006, nearly 20 million records were exposed. In 2005, there were 158 breaches reported involving about 65 million records.
The ITRC will have to update its list to reflect breaches reported during the last seven days of the year, something organization founder Linda Foley said would happen next week.
On Friday, the Tennessean.com reported that someone broke into a Davidson County election office over the Christmas holiday and stole laptops believed to contain the Social Security numbers and other personal information for more than 337,000 registered voters in the Tennessee county.
That same day, the Pioneer Press in Minnesota reported that a laptop containing the personal information of 219 Minnesotans had been stolen from a Pennsylvania vendor doing business with the Minnesota State Commerce Department.
Also on Friday, television station WSFA in Montgomery, Alabama, reported that the U.S. Air Force had sent letters to current and former service members whose Social Security numbers, birth dates, addresses, and telephone numbers were on a laptop that was stolen from the home of an Air Force band member based at Bolling Air Force Base in Washington, D.C. The station subsequently reported that the missing laptop contained the personal information of 10,501 individuals.
The rise in reported breaches may not be exclusively a reflection of rising data thievery. The ITRC speculates that, in addition to an increase in data theft, more data breaches are being reported to the public. And it remains to be seen whether 2007 proves to be a high-water mark for data loss, given that the T.J. Maxx breach alone accounted for 94 million of the 127 million exposed customer records.
Foley reluctantly characterized 2007 as the worst on record from a statistical perspective, but cautioned that the T.J. Maxx breach skews the statistics. "I don't know whether we're seeing more breaches because there's mandatory reporting or because there are more," she said, adding that 39 states and the District of Columbia now require organizations to report data breaches.
But even if 2007 proves to be an aberration, the costs associated with data breaches appear to be rising. According to a study released in November by the Ponemon Institute, an information practices consultancy, data breaches cost businesses an average of $197 per customer record in 2007, up from $182 in 2006.
And that perhaps explains why Cisco, Google, Raytheon, Symantec, Trend Micro, and Websense have all made acquisitions in the past year or so to strengthen their data loss protection offerings. A Gartner report in May estimated that the $50 million data leak protection market measured in 2006 would as much as triple by the end of 2007.
Foley nonetheless expressed optimism, noting that in regulated industries like finance and healthcare, there are far fewer breaches than in other areas of business. "Both are highly regulated industries with a number of government agencies looking over their shoulders," she said. "[But] a lot of the businesses still have not learned how to handle information correctly."
As an example, she pointed to the fact that only 13 of the 443 data breaches reported to date this year involved encrypted data, which is far less vulnerable to unauthorized access or misuse.
While 2007 could fairly be called the year of the data breach, Foley prefers to think of it as the year of data breach awareness. "I think there is a greater awareness this year that is going to have a ripple effect over the next couple of years," she said. "And hopefully that is going to bring the number of breaches down."