Breach reports decline in 2009, but what does it mean?
As of today’s date, breach compilations by both the Identity Theft Resource Center and Open Security Foundation indicate that there were fewer breach reports in 2009 relative to 2008. While some of the apparent decrease may be due to two sources used last year not being available online for the second half of this year, the entire decrease cannot be attributed to these two sources.
So why are breach reports down relative to last year? Are more entities now using encryption and safer methods of transporting data leading to a reduced number of breaches or reduced number of breaches that would trigger a breach disclosure? Has the arrest of a number of master cybercriminals put a significant dent in cybercrime? Either would be cause for some celebration. But there are other possible explanations for why breach reports might be down that would not be cause for celebration, such as:
- Entities deciding not to report or disclose breaches despite any mandatory disclosure laws because of the cost of notification during these rough economic times;
- Entities referring incidents to law enforcement in the partial hope that law enforcement will ask them not to disclose or reveal the breach so as not to interfere with any investigation;
- Breaches becoming more sophisticated and entities not even realizing that they have been breached;
- The media getting bored with breach reporting and not giving it as much coverage;
- 2008 may have represented an anomaly, as inspection of OSF’s nifty graphic at the top of their homepage suggests, with breach reports returning to pre-2008 levels in the spring, or;
- None of the above.
So… why do you think that breach reports declined in 2009?