January 12, 2010, 03:00 PM ET
Educational Data Breaches Declined Last Year, Report Says
The number of data breaches at educational institutions last year was slightly lower than each of the previous two years, according to a report released Monday by the Identity Theft Resource Center.
The report, which attempts to summarize all reported data breaches for 2009, shows that about 16 percent of them happend in the educational sector, while 41 percent took place at businesses and 18 percent occurred at government or military facilities.
Hacking was the most common type of data breach, just ahead of accidental exposure of information, and "data on the move," according to the report. That last kind of incident was particular troubling to Linda Foley, a founder of the center, who defined the category as theft or misplacement of mobile devices, such as laptops and jump drives, that contain confidential information. She said that most instances occurred when a professor took home a laptop that was subsequently stolen or lost.
Because there is no way to guarantee that people and institutions will report data breaches, it is nearly impossible to get an accurate count of how many instances occur in any year. The center's 2009 report analyzes the 498 cases that were reported, but it acknowledges that that number is probably lower than the actual number of data breaches in 2009.
“This is what we know, and this is what we have analyzed based on the information we know,” Ms. Foley said.
The report shows that of the 498 reported cases, paper breaches account for 26 percent, an increase of 46 percent from 2008. It also shows that malicious attacks have surpassed human error for the first time in three years.
Adam Dodge, who tracks security breaches at colleges on his blog, said that he has also noticed that the gap is shrinking between the number of malicious attacks and human error.
“We’re not sure if it is that these malicious attacks are growing or that the number of employee-related mistakes are shrinking,” said Mr. Dodge, who is assistant director for information security at Eastern Illinois University (though he says his work on the report is not connected with his role there).