Massachusetts passed a data security law in 2007 (it went into effect in 2010). One of the strictest state data security laws, if not the strictest, it had a number of requirements, including advising the state Attorney General of any data breaches involving Massachusetts residents. Today, the AG’s office released statistics collected over the past twenty months: one in three residents were affected by a data breach. Stories covering the announcement fail to point it out, but the use of data encryption is a guaranteed way to not become part of that statistic.
According to the reports, over two million Massachusetts residents were affected by at least one data breach. That’s nearly one in three residents. The type of information involved was far-ranging, from names to medical histories to financial information.
1,166 data breaches were reported
54% attributed to hacking, merchant breaches, and theft
Almost 500 breaches from financial institutions (42%)
82% of breaches involved fewer than 100 people
30% of breaches involved one person
16 breaches involved 10,000+ residents
23% of breaches involved human error (e.g., wrong recipients for emails and faxes)
25% involved deliberate hacking of computers with sensitive data
15% involved theft of credit cards from retailers
I haven’t seen any statistics on what percentage of the breaches involved the loss or theft of laptops and other portable data storage systems, but I’m very interested in them.
A Couple of Requirements
Remember, that’s a requirement, not a suggestion (such as, say, under HIPAA). I’ve wondered what percentage of companies would actually comply with that aspect of the law (although, to be relatively certain, audits based on random samples would have to be conducted).
Another requirement under the law is that strong encryption must be used, so something like AES-128 or higher is currently required under the MA data breach law. Conceivably, if a company encrypts customer data with something weaker and a device gets stolen, they’d have to report the incident to the AG’s office. (I’d like to take a gander at such stats as well.)