For Immediate Release - April 23, 2012

Encryption a Key Component of Information Security

Office of Consumer Affairs report finds 1,833 breaches affecting 3.1 million since 2007

BOSTON - April 23, 2012 - A report by the Patrick-Murray Administration's Office of Consumer Affairs and Business Regulation reviewed the first four years of data breach notifications and found that encryption is a key – but often lacking – component in information security.

Since Oct. 31, 2007, any entity that had personal information of a Massachusetts resident lost or stolen has been required to notify the Office of Consumer Affairs of the breach. As of Sept. 30, 2011, the Office had received 1,833 breach notices affecting 3,166,031 people.

"Our analysis found that our businesses, institutions and others need to do a better job protecting the information of individuals," said Barbara Anthony, Undersecretary of Consumer Affairs and Business Regulation. "Encrypting data remains the key to protecting our personal and financial information. The best way to prevent identity theft and other serious issues is to keep information protected, safe and secure."

The vast majority of data breaches involved the loss of electronic information. Of the reported breaches, 1,336 were electronic breaches, affecting 3,079,677 people – 97 percent of all the people affected by a reported data breach.

While regulations call for portable electronic devices to be encrypted in order to protect personal information, the Consumer Affairs report found that stolen or lost portable electronic devices are most often not secure. Of the 365 devices reported lost or stolen, only 13 were encrypted. The lost devices led to exposure for 409,572 people. By contrast, the 27 encrypted machines kept information secure for 24,269 people.

The report finds that of the 75 lost or misplaced portable devices reported, only one was encrypted, compromising 1.2 million pieces of information. Of the 290 portable devices stolen, 12 were encrypted, protecting 4,110 pieces of information. The 277 unencrypted devices exposed 220,000 pieces of information.

"Over the last four years, about half of Massachusetts residents have had their information exposed to loss or theft; we have found that information on laptops, thumb drives, storage discs and tapes, and other electronic platforms is most vulnerable," Anthony said. "An important additional layer of security for these items is encryption, which in many cases has been lacking."

In March 2010, new regulations were put in place mandating that any business or entity storing or transmitting personal information of a Massachusetts resident create a written security plan that details how that information will be protected from theft or loss. Personal information is defined as the combination of a consumer's name along with information like Social Security number, or bank or credit card account numbers.

Since the regulations have taken effect, the Office of Consumer Affairs has worked with businesses and organizations around the state, encouraging businesses to put in place written information security plans that adequately protect consumers' information. Additionally, the Office has created a brochure and in-depth FAQ for IT professionals seeking guidance on the regulations.

The report also found that the financial services industry reported the most breaches over the last four years, with 955 breaches affecting 901,156 people. However, the vast majority of these breaches were the result of credit and debit card transactions that occurred at processing centers and retail establishments. The financial services industry took the appropriate step of reporting the breaches to state officials, but in the vast majority of instances it was not responsible for such breaches.

The health care industry has had fewer breaches, with 214, but more people exposed, with 983,746, including an 800,000-person exposure at South Shore Hospital in 2010.

The entire report can be found at the Office of Consumer Affairs website, along with previous annual reports detailing breach notifications. The Patrick-Murray Administration's Office of Consumer Affairs and Business Regulation is committed to protecting consumers through consumer advocacy and education, and also works to ensure that the businesses its agencies regulate treat all Massachusetts consumers fairly. Follow the Office at its blog, Consumer Connections, and on Twitter, @Mass_Consumer.




Contact – Dan Rosenfeld, Director of Communications, O-617-973-8767, C- 617-875-5968