By Roy Urrico
In its 2022 Annual Data Breach Report, the Identity Theft Resource Center (ITRC) revealed data compromises reached 1,802 with some 422.1 million victimized individuals. ITRC made it clear however that the number of breach notices with detailed attack and victim information has dropped by more than 50% since 2019.
ITRC has collected, analyzed, and published information about publicly reported data compromises since 2005. This time around, ITRC described the number of data compromise victims as “estimated” due to the fact not all states require disclosure of the number of impacted individuals in breach notices and there is currently no methodology to accurately determine the number of individuals affected by multiple data compromises.
ITRC pointed out a lack of breach details creates risk. This makes it more difficult for individuals, government officials, and businesses, including financial service organizations such as credit unions and banks, to make informed decisions about the hazards of data incidents and actions to take in their aftermath.
“Common sense tells us that data breaches are underreported in the United States. The 1,802 reported here are a minimum estimate. The trends related to publicly reported data breaches in 2022 reinforce the conclusion that the data breach environment is worse than we know and can prove with quantifiable data,” said Eva Velasquez, president and CEO of the ITRC, in her letter introducing the report.
“The result is individuals are largely unable to protect themselves from the harmful effects of data compromises, which are fueling an epidemic – a ‘scamdemic’ – of identity fraud committed with stolen or compromised information.” She added, “The full picture of the impacts of data compromises is unclear and we hope this report will be the start of a national conversation on how to bring more clarity, transparency, and effectiveness to the breach notice process.”
A State of Mixed Notification Laws
Currently, no federal data breach notification law exists. However, according to global law firm DLA Piper's Data Protection Laws of the World Handbook, all 50 U.S. states, Washington, D.C., and most U.S. territories (including, Puerto Rico, Guam and the Virgin Islands) have passed laws that require notifying state residents of a security breach involving more sensitive categories of information, such as Social Security numbers and other government identifiers, credit card and financial account numbers, health or medical information, insurance ID, tax ID, birthdate, as well as online account credentials, digital signatures and/or biometrics.
Under many state laws, where incidents impact more than 500 individuals, notice must also go to credit bureaus. Nearly half of states also require notice to the state’s attorney general and/or other state officials of certain data breaches.
Further, some states require impacted individuals receive credit monitoring services for specified lengths of time (if the breach involves Social Security numbers). Certain state data breach laws impose varying notice content and timing requirements (with respect to notice to individuals and to state’s attorney general and/or other state officials).
According to the international law firm DLA Piper, federal laws require notification in certain data breach cases involving financial institutions, healthcare, telecom usage, and government agencies.
A Quilt of Inadequacy
Velasquez pointed out the trend away from transparency as the result of “the overall inadequacy of the current patchwork quilt of state data breach notification laws, many of which now date back to 2005 when virtually all breaches involved paper records, lost or stolen laptops, or data tapes lost in transit.”
Said Velasquez, “Most states put the burden of determining the risk of a data breach to individuals or business partners on the organization that was compromised. Oregon stands out as an exception because law enforcement agencies and the impacted organization jointly make the decision if individuals are at risk as a result of the breach.”
Velasquez observed in all states, if the determination is there is no risk, then there is no notice. Consequently, in the U.S. there were an average of about seven breach notices issued each business day in 2022. “Compare that to the 356 breach notices issued each day in the European Union during 2021, the last year for which data is available. In the E.U., as in Oregon, data protection/law enforcement officials and the compromised organization make the determination that individuals or businesses are at risk, requiring a full notice to the impacted parties.”
ITRC suggested several causes of only token breach information sharing:
• Recent court decisions provide an incentive to keep information sharing to a minimum. Federal courts in different parts of the U.S. have recently issued rulings supporting the conclusion that actual harm, not potential harm, is required for an individual to file a damage claim linked to a data breach. Therefore, absent a requirement to include attack details, businesses may no longer include detailed information for fear of revealing facts that are usable in a lawsuit against the company.
• Companies making a conscious decision to withhold information. Organizations as varied as Samsung, DoorDash, and LastPass decided to include limited or no detail about what happened in their state-mandated breach notice.
• Shifting cybersecurity priorities and an increasing volume of cyberattacks makes it difficult to determine what happened. The 2022 IBM Cost of a Data Breach study, for example, indicates the median number of days to identify a breach is 207 days. Also: Organizations preparing for a potential financial downturn or recession in 2023 realigned their cybersecurity priorities.
Changes Coming to States
ITRC reported Maryland and Pennsylvania updated their data breach laws in 2022. Maryland now requires organizations to report details surrounding a data breach, including the number of victims within 10 days of learning of a breach (down from 45 days). Pennsylvania has expanded the definition of personally identifiable information (PII) to include health-related information as well as usernames and email credentials.
DLA Piper reported five significant state privacy laws coming into force in the next 12 months. On January 1, 2023, Virginia’s comprehensive omnibus state privacy law, the Virginia Consumer Data Protection Act, and the California Privacy Rights Act, which substantially amended the California Consumer Privacy Act, took effect. Omnibus privacy laws in Colorado and Connecticut — both of which are substantially similar to the Virginia Consumer Data Protection Act — take effect on July 1, 2023; and on January 1, 2024, Utah’s omnibus privacy law will come into force. Additionally, it is expected sometime in 2023 both California and Colorado will expand their respective state privacy laws. “In addition to these upcoming laws, this year is shaping up to be an active legislative season for privacy, and it is very possible that additional states will pass omnibus privacy laws in 2023,” DLA Piper noted.
Federal Regs Stumbling Ahead?
At the federal level, a bipartisan group of legislators presented the American Data Privacy and Protection Act in 2022, which gained some momentum initially, but later stalled. DLA Piper suggested, “While many U.S. businesses and policy groups continue to advocate for a comprehensive, federal privacy law, the likelihood of passing long-awaited federal privacy legislation in 2023 remains uncertain at best.”
DLA Piper perceived privacy class actions also continue to be a key risk area in the United States, including in the context of biometric privacy, under the Illinois Biometric Privacy Act; text messaging, under the federal Telephone Consumer Privacy Act; and call recording, wiretapping and related claims, under the California Invasion of Privacy Act and other state laws.
DLA Piper also pointed out online monitoring and targeting activities—including via cookies, pixels, chat bots, and so-called “session replay” tools—are areas of specific attention in the U.S. from a regulator and enforcement perspective and are developing litigation risk areas.
Help on the Way
In 2020, ITRC and Sontiq, now a TransUnion Company, launched services to help individual consumers learn more about the risks resulting from the data breaches impacting them and their personal information. The ITRC offered a searchable database of data compromises and the attributes of each event based on public notices. Sontiq created a risk score based on ITRC’s data and a proprietary algorithm. The higher the breach risk score, the higher the risk and the more urgent it is that individuals take protective actions as soon as possible. The chart below shows the risk scores of the largest data compromises in 2022.
Most state data breach laws do not require business customers to be alerted in the event of a data breach or other data compromise. That means absent a contractual obligation to inform a business customer of a data compromise, organizations may not know when a vendor suffers a data compromise.
Later in fourth quarter of 2023, ITRC will launch a paid data breach monitoring and alert service for businesses. The service, called Notified for Business, will allow organizations to conduct due diligence and monitor partner organizations and prospective vendors.