The Privacy Rights Clearinghouse indicates that more than 613 million records have been breached since 2005.
The variety of ways information can be accessed has increased the number of ways information breaches can occur, according to panelists speaking at the Privacy XChange Forum held recently in Paradise Valley, Ariz.
Breaches can happen to small and large companies.
Laptop and thumb drives go missing on a regular basis. According to one panelist, there are 10 to 12 laptops lost each week at airports. Sometimes the equipment stolen has unencrypted information. Another problem, computers are often reissued with data that was not previously purged.
A loss or theft of a cell phone is another way data can be breached. Susan Blair, the chief privacy officer for the University of Florida, said that though employee cell phones are required to be encrypted, employees don’t always comply. Other issues educational facilities encounter that can increase data breaches include student turnover, phishing scams and academic freedom to use/access sites freely for educational purposes.
Mismailings are another way data breaches occur. Mismailings do not always occur as a result of snail mail, but rather can be sent via an erroneous fax number or email list serve. Blair said she has fax numbers stored in machines verified each year to avoid this type of mishap. One panelist said these breaches are discovered quite frequently in the month of February, after employee tax forms are sent out. Andrea Donovan Napp, a Conn.-based attorney with Robinson Cole LLP and chair of the firm’s Electronic Discovery and Information Management Team, said one case she handled was the result of two employees sharing the same name. Each got the other’s medical records.
Data breaches can also occur at the vendor level. Joseph Lazzarotti, a partner at the Morristown, N.J. office of Jackson Lewis LLP, said that companies often focus on return on investment when vetting a vendor, with privacy being a side issue. He emphasized that businesses should audit their vendors and question how a vendor handles private information.
“Deal with this in the front end,” Lazzarotti, who leads the firm’s Privacy, Social Media and Information Management Practice, said.
Another potential area of weakness is the transmission of information. While there might be encryption on each end, the transmission might have been overlooked, Blair said. She offered the 2007 TJ Maxx credit card breach as an example where information can be encrypted on each end but the transmission was overlooked.
Hackers are another way that data can be breached. According to the 2013 Verizon Data Breach Report, 76 percent of breaches occurred as a result of network intrusions exploiting weak or stolen credentials.
While data breaches are often committed by an outsider, some are the result of disgruntled employees, interns, even volunteers. A panelist pointed out that information technology employees often have virtual autonomy. Businesses should be cognizant that a backdoor can be created within a computer system by an employee, leaving personal data and company proprietary information exposed.