The Identity Theft Resource Center (“ITRC”) recently announced that it counted 662 data breaches in 2010, a 33% increase from the 498 breaches reported in 2009.  It is calling for a mandatory national reporting requirement.

Among the noteworthy findings:

  • Sixty-two percent of the breaches (412 total) involved exposure of Social Security Numbers.
  • Over a quarter of breaches (26%, or 170 breaches) involved credit or debit cards.
  • Of the incidents where the cause of the breach was known, malicious attacks accounted for more breaches than human error.  Hacking led to 17.1% of the breaches and insider theft caused 15.4%, compared to 10.7% for accidental exposure and 16.6% for data lost while on the move.

Decrying the lack of transparency for reporting breaches, the ITRC called for a mandatory national reporting requirement.  The ITRC noted that some regulators already have breach reporting websites.  For example, under section 13402(e)(4) of the HITECH Act, the Secretary of Health and Human Services is required to maintain a list of HIPAA breaches affecting the unsecured protected health information of 500 or more individuals.  In addition, several states – including Maryland, New Hampshire, and Vermont – post breach notification letters that have been sent to the state attorney general.  Because these websites are limited in scope, the ITRC advocates the creation of a comprehensive, centralized data breach reporting website. 

The ITRC warns: “Mandatory reporting is on the horizon.  It will be demanded either by consumer lobbying or legislation.”