The Massachusetts Office of Consumer Affairs and Business Regulation has released a report on data breach notifications (office pdf; archive pdf), and the office says that “encryption is a key – but often lacking – component in information security.” “Our analysis found that our businesses, institutions and others need to do a better job protecting the information of individuals,” said Barbara Anthony, Undersecretary of Consumer Affairs and Business Regulation. “Encrypting data remains the key to protecting our personal and financial information. The best way to prevent identity theft and other serious issues is to keep information protected, safe and secure.”
Here’s an excerpt from the report:
Since the Data Security law, c. 93H, went into effect, the Office of Consumer Affairs and Business Regulation has tracked the data breach notifications it has received. As of Sept. 30, 2011, there had been 1,833 notifications of security breaches. The number of Massachusetts residents affected by the reported incidents since November 1, 2007 now totals 3,166,031. The reporting requirements of the law appear to reach all kinds of entities, as reports have come in from banks, government agencies, credit card companies, retail businesses, and the healthcare industry, among others.
The reported breaches for 2011 continued, as in years past, to include a combination of criminal or malicious acts, poor data management practices, and errors in processing information.
Criminal or malicious acts reported in 2011 resulting in breaches involved theft of personal information by a variety of means, including by outside intrusions into databases (often referred to as “hacking”), and the use of computer programs designed to access personal information without authorization (generally characterized as “malware”). […]
Also in the criminal or malicious category in 2011, there were breaches affecting smaller numbers of residents made by disgruntled former employees of businesses which held personal information who either retained access to data, or used the access codes of a former co-worker to gain access.