Every year, we hear about how climate change is worsening. It seems the same story is happening with data security. Last year was the worst year in recorded data breach history. More than 5,200 breaches were reported in 2017, with more than 7.8 billion records compromised. By comparison, there are 7.6 billion people on Earth, so 2017 saw the number of records compromised surpass the total world population. Previously, 2016 was the record-holder with 6.3 billion records compromised. Are there any records left that haven’t been compromised?
Major breaches and security incidents included the enormous Equifax breach of 145 million records, the Uber breach, and the leaked NSA tools, which spawned WannaCry and other niceties. A collection of summaries of some of the more notable breaches of 2017 is available on the site.
Note that all this involves the known and reported data breaches. For every known reported data breach, there are probably many known unreported data breaches. Then there are the unknown unreported data breaches, which are probably a staggering number.
What lessons can be learned from all this? There is one big important lesson that 2017 has taught us, and it is this: We know what causes data breaches, but we are not making progress in stopping them. What we’re doing isn’t working. This should be a wake-up call. We can’t keep doing what we’re doing. Policymakers need to try a new approach. But instead, we are just getting more doses of data breach notification laws, and shortening notification time periods. These laws help inform us about the problem, but they won’t fix it. Despite countless breach catastrophe stories in the news, we’re not seeing a huge change in what organizations are doing to protect themselves.
But, hey, we’re not waking up to climate change either. Maybe all the computers will be underwater soon. As we float along, desperately clinging to driftwood, we will finally be able to smile. The data security problem will have been resolved.
* * * *
This post was authored by Professor Daniel J. Solove, who through TeachPrivacy develops computer-based privacy training, data security training, HIPAA training, and many other forms of awareness training on privacy and security topics. Professor Solove also posts at his blog at LinkedIn. His blog has more than 1 million followers.
Professor Solove is the organizer, along with Paul Schwartz of the Privacy + Security Forum (Oct. 3-5, 2018 in Washington, DC), an annual event that aims to bridge the silos between privacy and security.