Data breaches on the increase

For the London Free Press - November 9, 2009

PRIVACY: Sixty-five incidents were reported in 2008, leaving personal information exposed for all to see

Federal Privacy Commissioner Jennifer Stoddart recently released her annual report to Parliament on PIPEDA, the private-sector privacy law.

While her comments on social networking were highlighted and widely reported by the media, the report contained some other interesting trends that have not been as widely discussed.

One of the most notable developments related to the increasing regularity with which personal information is being released without the knowledge or consent of individuals.

Last year's Personal Information Protection and Electronic Documents Act (PIPEDA) annual report called 2007 the year of the data breach. A data breach is an incident involving loss of, unauthorized access to, or disclosure of personal information as a result of a breach of an organization's security safeguards.

The number of reported data breaches has been on the rise in recent years, from 23 in 2006, to 48 in 2007, to 65 reported incidents in 2008. These breaches can leave personal information exposed for anyone to see.

For instance, in 2006, a large financial institution sent a portable computer disk drive containing electronic files of nearly half a million customers from one office branch to another. The parcel arrived as intended but the disk drive had been removed.

The disk drive has never been found and it's unclear what happened to the missing data. The incident prompted Stoddart to launch an investigation into data encryption and supervision in data transfer.

The unanswered question in the report is whether there are more data breaches today or if they are just being more frequently reported.

Stoddart notes that her office has been encouraging organizations to report breaches to develop a better understanding of why violations occur and how they can be prevented.

The report breaks data breaches into four types: unauthorized access, accidental disclosure, theft and loss.

Unauthorized access is the most common. This is when someone accesses personal information without authority to do so. This is often a rogue employee motivated by fraud.

Accidental disclosure is usually the result of human error. In these cases, employees have unintentionally shared data through mailing foul-ups, improper destruction and disposal, online disclosure, e-mailing errors or errant faxing.

Theft and loss are involved in a little less than a quarter of all data breach incidents. This involves information being stolen from vehicles, offices and courier mailbags.

The report identifies the following issues that organizations should consider to reduce the risk of data breaches:

- Ensure personal information is accessible only on a "need to know" basis.

- Administrative procedures, including destruction and disposal practices.

- Third-party service provider capacity to protect personal information.

- Security and procedures related to employees taking data out of the office.

Each of these should be carefully considered by businesses dealing with sensitive data. A data breach can result in both privacy complaints and significant damage to the reputation of the business.