In 2002 California became the first state to pass a data breach notification law, requiring companies doing business in the state to disclose any breach of the security of computerized data including personal information. The law went into effect in the beginning of 2003 and, in the intervening years, the majority of states followed suit. Today 47 out of 50 states (and the District of Columbia) require companies to notify the Attorney General or another state agency in the event of data loss. As of this writing, there is no national notification requirement, but in 2015 S.177: the Data Security and Breach Notification Act was introduced to congress by Senator Bill Nelson (D) of Florida.
Of the 47 states requiring disclosure, six of them (Vermont, New Hampshire, Maryland, Montana, California, and Washington state) post all of the notifications that they receive on the AG’s website. Dedicated researchers at Bitsight Technologies utilize appropriate state laws to request security breach records from the remaining 41 state agencies. Requests sent out in early 2016 generated response documents from 20 states totaling 3515 data breach notifications. A manual curation of these notifications uncovered 1188 unique data breaches for the year of 2015!
While BitSight received breach information from slightly less than half the states queried, there was a considerable amount of variation in the number of records provided from state to state. This could be a sign of low levels of compliance and enforcement of data breach notification laws in certain states. It could also be due to lapses in record keeping on the part of these state AGs’ offices.
The map above illustrates the distribution of breach notifications by state per 100,000 residents. Much of the midwest provided no notifications and is shown in gray. Vermont- with its modest population of 625,000 and convenient online access to breach reports- provided the most notifications per capita. California and New York, with their large populations appear somewhat subdued in this visualization despite providing large numbers of breach notifications. Other notable mentions with large quantities of response documents are Maine, New Hampshire, North Carolina, Louisiana, and Montana.
Digging In Deeper
While the raw number of breach reports is interesting (especially when mapped!), we are more keen to know the amount of unique notifications being captured by each state. Many of the breaches BitSight looks at are large enough to require companies to notify several states. For instance, our researchers received notifications on the well known Anthem data breach from at least 8 Attorneys General. In order to make determinations on source value, BitSight looks at the relative proportions of unique notifications provided by each state. Sources with relatively few uniques provide less value as they likely only received notifications from relatively high-profile data incidents.
Why stop there? We can go one level deeper and look at how our sources are correlated with one another. For instance, researchers looking to properly allocate their time and attention benefit from the knowledge that 100% of the relatively few breach notifications provided by Colorado were also covered by North Carolina. The following correlation matrix illustrates these relationships with darker colors corresponding to greater overlap between sources.
We can tell from this matrix that the breach notifications that we get from WV, OK, OH, MS, GA, KY, CO, and AZ are 100% covered by other sources. We can also deduce which state AGs receive breach notifications that don’t come to other states.
Taking different lenses to the information provided by our many sources allows BitSight researchers to draw more thorough conclusions. Looking at notifications on an individual basis provides valuable narrative information that we can provide to customers and use to inform our ratings. On aggregate BitSight uses these reports to identify trends and patterns so we can predict breaches with greater accuracy. Using a wide lens (as we did in this blog post) allows us to visualize how effective our sources are and determine areas to devote more energy.