Study finds public sectors worse on data security

A study in the works from J. Campana & Associates indicates that public- and volunteer-sector enterprises -- schools, government agencies, non-profits and such -- account for well over half of all info-security breaches.

But how can we be sure? We can't, according to Joseph Campana, because it's rather hard to trust that smaller organizations such as community groups or small towns can recognize a breach when one occurs, or follow proper reporting procedures if they do notice.

Such failings would certainly explain some of the anomalies Campana is turning up in his research. According to the report, which is slated to be released in early 2009, the public and not-for-profit sectors account for breaches that have allegedly put more than 60 million million consumer profiles at risk.

Risk, of course, doesn't mean imminent danger, and some breaches are more troubling than others. For instance, the 2006 thefts of equipment with information on 26.5 million US veterans were eventually traced back to simple burglaries, and no cases of identity theft or privacy violation were ever directly attributed to the incident.

In fact, it's probably the smaller breaches that ought to be most worrisome, since users caught up in those incidents are statistically more likely to experience trouble. So when Campana notes that breach incidents reported by local units of government (town, city, municipal, county, and such) are disproportionately low because it's "more likely that smaller units of local government do not have the controls in place to detect security breaches or they are not reporting them when they occur," worry.

Small organizations are notoriously insensate to data-breach and privacy issues. In fact, last October, the Federal Trade Commission announced that it found itself compelled to extend the deadline for compliance on its new "Red Flags Rule" because so many businesses unaccustomed to FTC regulation had no idea the new rule applied to them -- or even that it existed at all. The Red Flags Rule requires many businesses, telecom and utility service providers, and non-profits to have an identity theft protection plan in place.

What's vulnerable? According to Campana's research, 35% of government breaches involve computers or electronic storage. Ten percent, however, are more indirectly high-tech; for example, label-printing programs that scoop up and print inappropriate data such as Social Security numbers. And the education section is particularly breach-prone, representing just 0.6% of US enterprises but nearly one-third of all breaches reported (PDF available here).