Who is responsible for securing confidential information?

Interesting article

The University of North Carolina at Chapel Hill found out last year that, in 2007, someone had hacked into a server holding personal information of 180,000 mammography patients from around the state. . . . . The university tried to fire — and is still trying to punish — the researcher who was in charge of the information.

Basically the school is trying to punish the researcher for failing to keep the data secure and the researcher is claiming that security isn’t her expertise. She did everything she knew to do but the university could have done a better job of providing her with support for keeping confidential information secure.

A resolution has been reached. The Professor in question is being reinstated as a full professor provided that she voluntarily retires.

Google employee fired for looking at private data

Another incident of an employee being fired for looking at customer’s private data, this time at Google.

ITRC data theft report

The Identity Theft Resource Center (ITRC) released their Data Breaches report for 2009. They analyzed 498 breaches which resulted in approximately 222 million compromised records.

The main highlights are:

  • paper breaches account for nearly 26% of known breaches (an increase of 46% over 2008)
  • business sector climbed from 21% to 41% between 2006 to 2009, the worst sector performance by far
  • malicious attacks have surpassed human error for the first time in three years
  • Out of 498 breaches, only six reported that they had either encryption or other strong security features protecting the exposed data

. . . .

The ITRC Breach Report also monitors how breaches occur. ITRC Breach Report – By Attribute. This task is made more difficult by the scarcity of information provided (publicly) for approximately 1/3 of the recorded breaches. For the remainder, those events that do state how the breach occurred, malicious attacks (Hacking + Insider Theft) have taken the lead (36.4%) over human error (Data on the Move + Accidental Exposure = 27.5%) in 2009. This was a change from all previous years, where human error was higher than malicious attacks. One theory for this change is that the organization and sophistication of crime rings has impacted the theft of information. For example, while the Heartland breach was only a single breach, it demonstrated how skilled technology-based thieves can access 130 million records from over 600 different entities.

Some additional interesting facts from the report:

  • In 2009 insider thefts account for 16.9% of breaches. In 2007 insider thefts accounted for 6.1% of breaches.
  • Insider thefts may have accounted for 16.9% of breaches but it only accounted for 0.1% of compromised records. The majority of those records came from Business and Government/Military sectors.
  • Paper (physical pieces of paper) breaches accounted for 26% of all breaches in 2009. However, paper breaches only accounted for just under 200,000 compromised records vs. 222 million electronic records compromised.