The Washington Post had two stories on data security and privacy today. The first concerns a report by the Identity Theft Resource Center that more than 79 million records were reportedly compromised in the United States through December 18th, compared with nearly 20 million records reported in all of 2006.
The story also reported that Attrition.org estimates that more than 162 million records were compromised worldwide through December 21, compared with 49 million last year.
The number of reported data breaches has grown because there are more legal requirements on companies and governments to report them, but the reported number is still low, since not everyone is required to report data breaches and not everyone reports them even when they should. As I have written about earlier, the UK government is just now owning up to a large number of data breaches that occurred months ago.
The other Post story concerns how easy it is to find a person's social security number on the web because local and state governments routinely post public records containing them. The Federal government has banned the publication of sensitive personal information like social security numbers since 2001. More recently, states like Virginia and Maryland have banned their publication as well. However, the law does not cover the hundreds of thousands of documents already published that contain social security numbers and that are accessible on-line. In Virginia, the law also doesn't seem to cover current arrest warrants or court summons.
So, as we begin this new year, anyone care to speculate on the date of the first major breach (let's say 1 million or more records) of the year in the US? Elsewhere in the world? And how long it takes from breach to disclosure of the breach?
