Data breaches represented the most important category of IT failure during 2007.
The year 2007 saw spectacular failures, ranging from improperly-paid teachers at Arizona State University (ASU) and the Los Angeles Unified School District (LAUSD), to a massive implementation problem at the UK National Health Service (NHS), which one observer called the "greatest IT disaster in history." Despite the impact of these high-profile failures on victims, the number of people affected is minuscule compared to the cumulative effect of data breaches.
The Privacy Rights Clearinghouse conservatively estimates over 216 million privacy records were breached in the period 2005-2007, in the United States alone. According to attrition.org, which maintains a database that researchers can download to conduct their own analysis, approximately 165 million records were compromised during 2007. While most breaches occurred in the US, incidents were also reported in Australia, Canada, Germany, UK, Japan, Netherlands, Norway, and Sweden.
The downloadable attrition.org database lists the following causes for data breaches during 2007:
- Improper document disposal
- Lost computers and disk drives
- Lost and stolen media and tapes
- Lost postal mail
- Web breaches
Unlike ordinary IT failures, which generally affect a relatively bounded group, such as employees of a particular company, even a single breach can put millions of people at risk and cut across every segment of society.
The recent loss of two data discs belonging to UK Revenue and Customs (HMRC) is a case in point. The loss of these discs, which contained personal information belonging to 25 million people, affected every family in the UK with a child under the age of 16. The scope of this breach was such that the British prime minister was forced to apologize.
Stopping data breaches will likely be far more difficult than preventing IT failures, which can be controlled by applying improved implementation methodologies and processes. Many breaches, such as the HMRC case, ultimately arise because organizations do not recognize the true value of the data under their protection. As we all know, changing such deeply held attitudes in any organization is usually a long-term project.
Given these attitudes, improving the worldwide data breach situation will require a combination of top down change and government regulation:
- Senior leaders from both private companies and government agencies must treat data protection policies as strategic and devote resources at a level commensurate with this status. Bringing forth such a cultural change in attitudes toward custodial data will take years.
- Governments should demand stiff penalties from organizations that lose personal data, regardless of how that data is lost. In addition, regulators should enforce more timely public disclosure, and increased transparency, whenever breaches occur.
Although these steps will reduce the prevalence of data breaches, we are likely to see many more in 2008.