July 2008

	If your Internet provider filters incoming e-mail, please add ncxgroup.com to your list of approved senders to make sure you receive NCX Group Security Updates.
	DATA BREACH DISCLOSURES FOR FIRST HALF OF 2008 During the first half of 2008, NCX Group listed 169 breach disclosures where significant identity theft was a factor. These disclosures, substantiated by news outlets, letters to state attorneys general, or notifications within specific business sectors or industries, remind us that data exposures can and do happen within all business and service areas. Each year, many studies are done to let us know what industries are taking the most “hits”, what made them vulnerable, and why. The following statistics will provide a basic overview of how data breaches are trending so far this year according to NCX. In reviewing the information on our 2008 Reported Data Breaches website for the first six months, it would conclude that educational institutions rank highest, exposing 40% of the personal data breaches listed, followed by general business entities at 23%, healthcare and medical at 16%, government at 13%, and financial at 8%, probably because they are so regulated. These percentages are no doubt skewed, though, because many breaches involve multiple businesses that have not been disclosed. Likewise, companies, medical facilities, financial or educational institutions may be noted for a breach, yet the vendor they used who actually was responsible sometimes goes unnamed. As featured in our April newsletter, Contract Vendors Causing Many Breaches, these vendor and business partners are fast becoming the culprits of many of the breaches reported, and as more companies outsource human resource functions we will see this area continue to increase. So based on how the breach was disclosed and reported, and who is taking responsibility for it, will determine the results of the statistics.

ISSUE: July 2008


		Subscribe to Security Update

	2008 Reported Data Breaches Keep yourself updated on the latest security breach disclosures


	NCX Vision See What You’ve Been Missing Learn more here >>



	Looking for Managed Security Services? Call us at 888-448-5451 or contact us below

	To have an NCX Group Representative Contact You Email us here

NCX Group describes the cause of a breach using the following terms. “Lost” and “Stolen” are defined in more detail on our disclosure web site, but for this purpose it is grouped as one.

TYPE OF BREACH

Percent	Description
47%	Lost or Stolen Devices/Laptops/Computers/Paperwork
23%	Hacking – Unauthorized access
15%	Web Exposure – Accessible web applications, security faults
10%	Inadvertent Exposure – Employee error, accidental posting, printing errors, etc.
9%	Improper Disposal – Illegal dumping or undo care when discarding documents
6%	Dishonest Employee – Stealing information for profit, revenge

TYPE OF BREACH BY INDUSTRY / SERVICE CATEGORY

	Lost/Stolen Devices	Hacking	Web Exposure	Inadvertent Exposure	Improper Disposal	Dishonest Employee
Education	36%	31%	24%	6%	0%	3%
Business	56%	25%	3%	3%	13%	0%
Financial	31%	46%	0%	0%	15%	8%
Government	54%	5%	18%	18%	0%	5%
Healthcare	60%	4%	18%	4%	7%	7%

Now that more than 44 states (five this year) have a state security notification law, we should see a higher reporting average going forward. Some states list civil penalties for not reporting a data breach so companies and CSOs should know the ramifications. These laws typically require covered entities to implement a breach notification policy, and include requirements for incident reporting and handling and external breach notification. If you use the California law SB1386 as your guide, you should be covered for all the other states since California has the strictest guidelines. NCX Group is also able to help you put your guidelines in place.

To keep your company name off the identify theft reporting sites, develop a security program that meets your company objectives. The best place to start is finding out where your company is vulnerable and what changes are necessary to lower your risk. NCX Group can help you with web application testing, penetration tests, security reviews and business continuity plans. And if the time comes when you need computer forensic help, we can provide the expertise you need.

For more information about our services or for a free consultation on how our experts can help you secure your data at a price that will fit your budget, call us at 888-448-5451 or request a representative to call you.

NCX Group, Inc. is a leading information risk management firm specializing in the assessment and mitigation of risk associated with today’s technologies and business processes.

NCX Group, Inc.
5000 Birch Street, West Tower, Suite 3000
Newport Beach, CA 92660
888-448-5451
www.ncxgroup.com