Over the past eight years, the New York Attorney General’s office has been compiling statistics on data breaches pursuant to the state’s breach notification law.  Earlier this week, Attorney General Eric Schneiderman published a report titled, “Information Exposed: Historical Examination of Data Breaches in New York State,” which provides analysis and insight into how those breaches have affected New York residents.

It should come as no surprise that data breaches are on the rise, increasing both in size and frequency.  Between 2006 and 2013, more than 3,000 businesses, nonprofits and government entities reported data breaches involving New York residents.  In 2013 alone, New York experienced more than 900 data breaches, which exposed the personal information of a record-setting 7.3 million New Yorkers.  If we include data for the past eight years, that number balloons to 22.8 million.  By way of comparison, New York’s population last year was only 19 million.  If you live in New York, there is a good chance that, at some point, your personal information has potentially been compromised.

The report also revealed that the leading cause of data breaches was hacking, accounting for over 40% of breaches, with lost or stolen equipment a distant second at only 23% of breaches.  This figure is significant because, as noted in the report, not all breaches are created equal.  Hacking incidents tend to compromise more personal records since they are often performed with the explicit goal of stealing information.

And yet, for most consumers, data breaches are merely a nuisance. However, for affected businesses, data breaches can be very costly.  The Attorney General’s office estimates that data breaches cost organizations doing business in New York State over $1.37 billion in 2013 alone.  This figure includes the cost of investigating the breach, notifying the affected individuals, and in some cases, providing free credit monitoring services for the affected individuals.  Then, there are the indirect costs, such as lost sales and decreased stock price.  Any way you slice it, data breaches can be very expensive.  “What’s truly shocking about this report, beyond the fact that hacking is now the greatest threat to our personal information and costs us billions of dollars, is that many of these breaches could have been prevented,” said Attorney General Schneiderman.  “If millions of New Yorkers were exposed, one can only imagine how many have been compromised across the nation.”

The report goes beyond the historical analysis and provides a few simple steps organizations can take to help protect themselves.  These steps include identifying and minimizing data collection practices, as well as creating and implementing an information security plan.  The Attorney General also encourages entities to implement technical safeguards, including:

  • Requiring encryption of all stored sensitive personal information;
  • Minimizing the storage of sensitive personal information on devices connected to the Internet;
  • Implementing hashing and salting of stored user passwords;
  • Incorporating firewalls and up-to-date security software to protect corporate networks; and
  • Ensuring that all devices issued to employees require secure authentication to access encrypted sensitive personal information.

There is nothing earth-shattering about these recommendations.  However, as the figures in the report suggest, there remain a significant number of organizations that have failed to take these straightforward steps.

The full text of the Attorney General’s report is available on their website at http://www.ag.ny.gov/pdfs/data_breach_report071414.pdf.