Showing posts with label data breach. Show all posts

Saturday, August 25, 2012

State & National Data Breach Reports

2012 National Data-Breach Count -- Breaches: 284 Exposed Records: 9,143,028

To date this year, according to the Identity Theft Resource Center, there have been 284 reported data breaches by US-based firms. Health care and private-sector business each represent 1/3 of all breaches, with the remaining third split mainly among educational institutions, government, and the military sectors. Financial institutions are running at 3 percent of all breaches (but showing a much higher percentage of total exposed records). Full report.

US States with available online data-breach reports include:

State Data Breach Requirements & Statutes:
Handy State-by-State Links to Data-Breach Statutes (National Council of State Legislatures)

Thursday, September 22, 2011

Thomson Reuters Survey Shows Most Corporate Board Correspondence Easily Hacked

A global survey of corporate boards published yesterday by Thomson Reuters concludes that most boards' communications are exposed to even the lowest level of hacking effort. According to the survey, published through Thomson Reuters' London office:

Most major corporations surveyed have significant security gaps that leave sensitive board-level information open to information theft and hacking. Those are among the findings of a new survey of board members of UK and global corporations conducted by Thomson Reuters Governance, Risk & Compliance. The findings are particularly noteworthy in light of recent news stories about the handling of board communications involving executive succession decisions at companies including Yahoo and Apple.

The survey found that information provided to members of corporate boards of directors is often in unencrypted email accounts and computers, or otherwise provided in forms that are easily lost, misplaced or stolen. The Thomson Reuters Governance, Risk & Compliance survey polled general counsel and board members at leading global corporations across a wide variety of industries.

Unencrypted board communications: 85%

Board documents stored on personal computers at home or work: 79%

Board documents stored on personal mobile devices (e.g., iPad, laptop, smartphone, etc.): 75%

Documents sent to board members via personal, non-commercial email addresses: 73%

Board documents accessible via wi-fi or unsecured networks: 71%

Have reported computer, mobile devices, or sensitive company documents lost, stolen or left in public places: 10%

Sunday, August 14, 2011

Citigroup Data Breach: No Template for Disaster Recovery

The data breach tracking site Privacy Rights Clearinghouse chronicles data breaches logged within its 535,363,707 database records. Consider the template press releases in the recent back-to-back Citibank breaches:

On June 13th, Citigroup issues its official statement announcing the account exposure of 1% of its 21 million credit-card customers sometime in May. Within two days, the numbers grow from 210,000 to 360,000 during an initial inquiry by the Connecticut Attorney General George.

As of June 24th, at least 3,400 of the compromised cards show a combined loss of $2,700,000. Interestingly, according to Citigroup’s initial public statement, “data that is critical to commit fraud was not compromised: the customers' social security number, date of birth, card expiration date and card security code (CVV).”

Following the breach, on August 8th, eWeek Europe reports:

“Eight weeks after a hacker cracked Citigroup’s credit card database, the company’s credit card unit in Japan, Citi Card, reported in a message to its user base on 5 August that 'certain personal information of about 92,400 customers has allegedly been obtained and sold to a third party illegally'”.

Not to worry, says Citigroup in its initial statement dated August 5th: just as reported in its prior breach, the personal identification numbers and security codes (CVV, or Card Verification Value, data) necessary to commit fraud were not revealed in the breach.

Friday, August 5, 2011

Law Firms Face Prospect for Public Admission of Wholesale Violations of Client Privilege

With SB 24 likely to pass in California, companies incurring a data breach with clients in the state will now be required to place the breach on record with the State’s Attorney General’s Office. For the law firm, it turns out to be more than a public embarrassment.

Consider that, according to privacy advocate and attorney Mari Frank, Esq., law firms are often primary data sources for identity theft. The result is that, while haughty law firms may have actually been data sieves in the past, a formal admission of a data breach opens a firm to the threat of civil litigation for violating client privilege. The threshold for AGO breach reporting is loss of 500 client records. What remains unclear is whether exceeding that threshold creates a requirement for public admission by law firms of wholesale violation of client privilege.

On the upside, encryption of a firm’s files exempts it from the AGO reporting requirement.

Even as the change brings the California law more in line with other states, data breach fines have already begun to mount in places like Massachusetts, while the Federal legislative effort this past month has been likened to herding cats.

Already through legislative committee in California, SB 24 is widely expected to be approved by the full legislature and signed into law by Governor Jerry Brown before October 9th of this year.

Looks like perfect timing: Chief of the California Office of Privacy Protection Joanne McNabb will present on the impact of SB 24 in a webinar sponsored by the California Webinar Law Journal on Oct. 20th. McNabb will discuss drivers to the changing status of the California Data Privacy Law and best practices for law firm client privacy. The event is open for members of the California State Bar for continuing legal education credit and free to law school staff and students. See here for registration details.
