Adam has posted a note on Emergent Chaos called 2008 Breaches: More or More Reporting?

I’ll take the bait.

First, I find it interesting that the number he quotes from the ITRC is so far ahead of other accounts. I did a breakdown of all breach data from 2000 to August and the numbers were quite a bit lower at datalossdb.org than the ITRC estimates. I will go back and include the September numbers and then cross-reference to ITRC data to see where there might be gaps.

Back to the question at hand, all the evidence I have seen points to the fact that more organizations are gaining the capability/awareness to report breaches.

A couple of years ago many people operated under the idea that the absence of evidence meant they had evidence of absence (to paraphrase Carl Sagan). I have worked with people in important positions in large global organizations, as well as small business, who literally believe that it is better to keep a positive attitude about things until there is absolutely no way to avoid the facts. This rather lazy attitude towards security and investigations means quite a number of breaches relied on sufficient mass of angry consumers complaining to regulators before companies could be bothered to look around. The case against Senator Stevens of Alaska, as well as the evidence of Governor Palin’s management style, are prime examples of the pervasiveness and widely accepted nature of this attitude.

Prior to the California breach law, executives commonly used ignorance of breach evidence, or even harm of breaches, as an excuse for inaction as well as accountability. Destroying evidence and gagging negative data was considered a natural reaction when trying to keep things “on track”. This should no longer be as much a problem wherever executives are responsible for reporting breaches and maintaining awareness of the safety and security of data.

Therefore, I would argue that the breach numbers are increasing because of two things:

1. The ability of organizations to detect breaches has improved. Due to regulation, an increasing number of companies are starting to actually monitor well enough to detect unauthorized activity and breaches. This includes appointing people who are responsible for determining whether official notification is required — thinking about risk on behalf of those affected.
2. The underground economy is expanding, meaning more skilled workers are actively trying to breach companies. I believe the actual number of breaches is increasing because the value of assets has been widely demonstrated, while the security of companies holding the assets remains questionable. This is a simple economic model where threats are expected to increase until countermeasures can either reduce the value of the assets (make them harder to use) or control them better (make them harder to steal).

It may also be worth noting here that I found 99% of all reported breaches are in the US, Canada, and UK (90% are in the US). I’m working on a deeper analysis of why and how, so I’ll post more later. Much of the data also will be presented in my webinar next Thursday on PCI DSS 1.2.