
Repeat Data Loss Offenders…

I was doing some data mining this week on the excellent DataLossDB.com site and it occurred to me to dig a little deeper into where the risky places to give your PII/PHI are. I was hoping to find that some segments are cleaning up their act, but it seems not. The fact that we’re seeing multiple entries by the same organizations could have two possible meanings:

a) The cost of protecting us is more than the penalties imposed for data loss.
b) The threats and risks are increasing faster than technology and user education can cater for them.

I’ll let you decide, based on your experience, which of the two is going on, but either way, this highlights that constant vigilance is key. As I say every time I present, data protection is not a static experience – it needs to be a mindset shared top to bottom in an organisation. Only by having an evolving process can you hope to stay above water. Remember, at best guess 80% of the Fortune 5000 have minimal or no data protection solutions in place, even though there are around 250 regulations requiring such.

So who are the top repeat offenders? Below is the list of organizations that have reported 6 or more data loss incidents so far. Of course, this may be skewed by people doing business or reporting under several different names, but it gives you an idea of the size of the problem.

  1. LPL Financial (11)
  2. Experian (10)
  3. Bank of America (9)
  4. University of Iowa (8)
  5. Pfizer (8)
  6. UK Ministry of Justice (8)
  7. Hunter College of the City University of New York (8)
  8. LexisNexis (8)
  9. Merrill Lynch (6)
  10. Nationwide Mutual Insurance (6)
  11. New York Life Insurance Co (6)
  12. The Foreign and Commonwealth Office (6)
  13. University of Florida (6)
  14. Wells Fargo (6)

Here’s a breakdown and my comments for the four main markets – Education, Health, Government and Business.

Medical – 12% of all reported breaches.

Some recent people notifying us of breaches include Penrose Hospital, Kern Medical Center, Akron Children’s Hospital, Trulife, Prompt Med, Alberta Health Services Edmonton, Sutter Health, Salford Royal NHS Foundation Trust.

Lots of people are reporting more than once; the big offenders are:

  • Blue Cross Blue Shield NC (3), Blue Cross Generally (7)
  • Kaiser Permanente (5)
  • Aetna Inc. (4)

Government – 19% of all reported breaches.

Some recent names: Socorro County Housing Authority, Cincinnati Metropolitan Housing Authority, Cuyahoga County, Ohio, Worthing Borough Council, Iowa Secretary of State, Colorado Department of Corrections, New Hampshire Department of Corrections, United States Army National Guard, The Highland Council, United Kingdom Ministry of Defence.

Surprisingly, lots of names appear more than once, for example:

  • New York State government (12)
  • The Foreign and Commonwealth Office (5)
  • California Department of Consumer Affairs (a supposed supporter of data privacy) (2)

Education – 21% of all reported breaches.

Some recent names include Memorial University of Newfoundland, University of North Carolina, Eastern Kentucky University, University of Florida, Bluegrass Community and Technical College, University of Massachusetts at Amherst (UMASS), Boston University Army Reserve Officers Training Corps.

Interestingly some names keep appearing:

  • University of Iowa (9)
  • Hunter College of the City University of New York (6)
  • University of California San Francisco (5)

Many of the listed Edu’s have more than one breach reported – indicating they are perhaps not learning anything (or don’t care).

Business – 48% of all reported breaches.

Some recent names include AlixPartners LLP, Rocky Mountain Bank, Jones General Store, Mitsubishi Corporation, Fasco Machine Company, Guardsmark, Radisson Hotels & Resorts, Sun Valley Mortgage, Calhoun Area Career Center.

While this is the lion’s share of reported records, there are also a lot of people repeat-offending, for example:

  • AT&T (4)
  • ADP (5)
  • Bank of America (9)
  • CitiBank/Group (6)
  • Countrywide Home Loans (5)
  • Equifax Inc. (8)
  • Experian (10)
  • LPL Financial (12)
  • Wells Fargo (6)
  1. October 2, 2009 at 10:02

    I am actually surprised to see some of the names you listed here; a good number of them are using a well-known and effective Total Protection for Data software suite. It really drives home the need for a strong data protection policy to better utilize the tools put in place to protect sensitive data.

  2. Simon Hunt
    October 2, 2009 at 10:34

    One thing my quick analysis did not take into account is the time of the last report. I hope to get around to that in the next month or so – Obviously there’s a big difference between someone reporting multiple incidents with the latest being recent, and someone who had lots of incidents in the past, but has not had to report for a year or so.
