A not-for-profit organization called the Privacy Rights Clearinghouse has been collecting and reporting personal data breaches since 2005. You can access these data breach records at privacyrights.org/data-breaches and search the database by year, company, type of organization, and type of breach. The organization reports, as of June 2019, a total of 8,804 breaches in the United States affecting more than 11.5 billion personal identification records — in other words, we've all likely had our personal information stolen multiple times. A snapshot of the most current 18 data breaches under investigation as of May 21, 2019, shows how the data is reported (pictured below, but I've excluded the company names). In this example, we can see that these 18 data breaches occurred across 13 states (California, Connecticut, Delaware, Florida, Illinois, Indiana, Kentucky, Massachusetts, Minnesota, New York, Oregon, Texas, and Washington), affecting 286,487 data records. These breaches occurred as a result of hacking, theft, loss of computer, unauthorized access, improper disclosures, and various hacking and phishing events targeting laptops, portable devices, emails, desktop computers, network servers, and other devices.
Each data breach record contains detailed descriptions of the breach. For example, the screenshot below highlights a data breach in which a laptop was stolen from an employee's parked vehicle.
While hacking and theft were involved in many of these data breaches, many other data breaches occurred as a result of employee mistakes. For example, in some cases employees sent emails where all email addresses were visible to all recipients (i.e., they did not use the blind copy field to list email addresses). In other cases, employees sent emails containing sensitive information to the wrong recipients. In one case, an employee improperly allowed her husband to access her computer records to assist her with her work. In other cases, employees threw away trash containing sensitive information without properly shredding the paper-based data. Any CPA concerned with information security may want to spend a few minutes looking through some of the data breach explanations to better understand the types of breaches that are occurring today.
About the author
J. Carlton Collins, CPA, (carlton@asaresearch.com) is a technology consultant, a conference presenter, and a JofA contributing editor.
Submit a question
Do you have technology questions for this column? Or, after reading an answer, do you have a better solution? Send them to jofatech@aicpa.org. We regret being unable to individually answer all submitted questions.
