The Identity Theft Resource Center (ITRC) has released its statistics on the number of data breaches in 2010. The center recorded 662 data breaches last year, noting that the figures are probably under-reported because in many cases there is no requirement to report a data breach.
The ITRC defines a data breach as an event in which an individual's name plus Social Security Number, driver's license number, medical record, or a financial record (including credit card information) is potentially put at risk - either in electronic or paper format.
Of the breaches reported, 62% exposed Social Security Numbers, and 26% involved credit or debit card information.
15.7% of the data breaches involved state and federal agencies and the military. Medical and health care facilities accounted for 24.2%, educational institutions accounted for 9.8% and the banking industry, 8.2%. That leaves businesses as the largest percentage of breaches - 42.1%.
Malicious attacks, according to the report, account for more breaches than human error - the former constitutes about 17% of breaches, while the latter, just 15%. However, almost 40% of those breaches reported did not identify the manner in which information was exposed.
Although the risks of hacked databases often make headlines, the report finds that paper breaches account for nearly 20% of known breaches.
Only 200 of the 662 breaches were credited to information provided by states and agencies with mandatory reporting.
"It is apparent, with few exceptions, that there is no transparency when it comes to reporting breaches," said the ITRC in a statement to the press. "Other than breaches reported by the media and a few progressive state websites, there is little or no information available on many data breach events. It is clear that without a mandatory national reporting requirement, that many data breaches will continue to be unreported, or under-reported."
As we've noted before, data security is likely to be an important trend for 2011. The ITRC report makes clear that this isn't simply a matter of developing policies to secure information. It's also about developing a better system - and a mandatory system - for notifying customers of data breaches.