3.2m in Mass. have had data lost, stolen
4-year study shows consumers need more safeguards
Nearly half of Massachusetts residents have had their personal information lost or stolen as a result of about 1,800 data breaches over the past four years, according to a new report from the state’s Office of Consumer Affairs and Business Regulation.
Banks, hospitals, and retailers exposed the personal data, such as Social Security and credit card numbers, of roughly 3.2 million consumers in Massachusetts. Most of the incidents reported to the state involved electronic information that was vulnerable because it was not properly encrypted. The data breaches, which included a combination of criminal acts and poor data management, could have put consumers at risk of identity theft or incurring fraudulent charges on credit and debit cards.
The report, the first of its kind in Massachusetts, found the financial services industry reported the greatest number of breaches over the last four years, with 955 incidents that exposed the data of 901,156 people. The vast majority of these breaches, however, involved credit card transactions that occurred at retail establishments. The financial services institutions then reported the incidents to state officials. The health care industry, meanwhile, had 214 breaches, but they exposed more people - about 983,746. That included the loss of more than 800,000 patient records at South Shore Hospital in Weymouth in 2010.
Although state regulations require portable electronic devices to be encrypted - meaning information kept on them is protected - the report found that stolen or lost portable electronic devices usually are not secure. Of the 365 devices reported lost or stolen over the past four years, only 13 were encrypted, the state said.
“It’s taking businesses and institutions longer than we’d hope to encrypt these devices. That would certainly cut back enormously on the number of breaches where consumers data is more vulnerable,’’ said Barbara Anthony, the state’s consumer affairs and business regulation undersecretary. “Businesses, institutions, and others need to do a better job protecting the information of individuals. There is still a lot of work to be done.’’
Since 2007, businesses and groups have been required to notify the state if personal information of Massachusetts residents is lost or stolen. The rule went into effect after several high-profile data breaches, including one at TJX Cos., the Framingham retail discounter that runs T.J. Maxx and Marshalls stores. Hackers allegedly stole more than 130 million credit and debit card numbers from TJX’s systems.
In 2011, businesses and organizations in Massachusetts reported 454 breaches that affected 1,008,275 residents, compared with 471 incidents in 2008 that put at risk data from about 717,053 consumers, the first full year that institutions were required to notify the state.
“This means your personal data still is at risk and you have to monitor your credit report and bills from companies to ensure there aren’t fraudulent charges,’’ said Edgar Dworsky, who runs the consumer education site ConsumerWorld.org, based in Cambridge.
In March 2010, new regulations were put in place mandating that any business or entity storing or transmitting personal information of a Massachusetts resident create a written security plan that details how that information will be protected from theft or loss.
“Breach reporting is useful. It forces breached entities to be accountable for those breaches,’’ said Beth Givens of the Privacy Rights Clearinghouse, a California firm that keeps a database of reported data breaches. “Ideally, once an entity has experienced a breach it had to report publicly, it will put in place practices and policies to keep it from happening again.’’