Security Breaches for 2008 Already Exceed 2007

03 September 2008 Publication
Authors: Chanley T. Howell

Legal News Alert: Privacy, Security & Information Management

The Identity Theft Resource Center (ITRC) announced on August 22, 2008 that the total number of data security breaches identified by the ITRC for 2008 has surpassed the final total of 446 security breaches reported in 2007. As of August 22, the number of confirmed data breaches for 2008 totaled 449. The ITRC notes, “[T]he actual number of breaches is most likely higher, due to under-reporting and the fact that some of the breaches reported, which affect multiple businesses, are listed as single events.” The report can be found on the ITRC’s Web site at

The breakdown of the most common known causes of the security breaches is as follows:

Lost or stolen laptops and other removable media

21.2 percent

Employee or insider theft

15.6 percent

Accidental disclosure

13.8 percent


12.9 percent

Loss or disclosure by subcontractors

10.9 percent

Many companies believe the vast majority of security breaches come from hackers. The figures above illustrate, however, that security breaches due to hacking are a relatively small percentage of the overall total of security breach instances. The report demonstrates the importance of establishing effective data retention and security policies as well as the need to enforce compliance with those policies. While records/data storage and retention policies establish processes for minimizing malicious causes of security breaches (e.g., hacking and employee theft), policies also are particularly effective for reducing and avoiding “innocent” breaches (e.g., lost or stolen laptops or removable media, accidental disclosure, or loss or disclosure by subcontractors).

Accordingly, companies should ensure that their records/data storage and retention policies address, among other things:

  1. Training and education of employees on how to avoid the accidental exposure of confidential and sensitive information
  2. Restrictions on use of laptops, home PCs, and removable media (e.g., CD-ROMs, DVDs) for confidential and sensitive data, and provide for strong encryption of such information
  3. Procedures that address sharing sensitive data with independent contractors, consultants, and other third parties, and require such third parties to comply with the company’s data retention and storage policies
  4. Policies for development and implementation of appropriate technological and administrative safeguards to minimize malicious causes of security breaches (e.g., hackers and employee theft)
  5. Audit procedures to maximize compliance with the company’s policies

Legal News is part of our ongoing commitment to providing legal insight to our clients and our colleagues. If you have any questions about this alert or would like to discuss this topic further, please contact your Foley attorney or the following individual:

Chanley T. Howell
Jacksonville, Florida