
New Report: Fewer, but bigger Washington data breaches in the last year

According to a new report from the Washington State Attorney General’s Office, the number of data breaches reported in Washington from July 2017 to July 2018 was almost 35 percent lower than the year before. But the number of Washingtonians affected by breaches was significantly higher.

“For the second straight year, the number of Washingtonians impacted by data breaches increased, with nearly 3.4 million Washingtonians affected in 2018,” Attorney General Bob Ferguson wrote in the report’s opening letter. “This represents a 26% increase compared to 2017 and more than 700% compared to 2016.”

Figure: Data breach increase (Image: Washington State Attorney General’s Office)

The counterintuitive contrast between the decreased number of reported breaches and the increased number of impacted people is mostly due to one stark outlier: an Equifax data breach. That breach impacted an estimated 3.2 million people in Washington state, which implies that all other breaches, combined, impacted approximately 200,000 people.

“The Equifax data breach alone is responsible for 95% of the Washingtonians affected by data breaches in 2018,” according to the report.

The Equifax breach, the report notes, was more than double the size of the biggest breach included in last year’s report.

State law requires businesses to report a data breach to the Attorney General’s Office if it impacts 500 or more Washingtonians. The number of reported breaches in every size category (excluding the “Unclear” category) went down between last year and this year. But in the last year, the size category with the highest number of data breaches was 1,000 to 9,999 people (in line with 2016). In 2017, the highest number of breaches was in the smallest category, impacting 500-999 people.

Figure: Data breach impact (Image: Washington State Attorney General’s Office)

The report separates breaches into industry categories. Breaches at organizations categorized as “businesses” made up 70 percent of all breaches in this year’s report. And the number of people impacted by those breaches, on average, has gone up.

“Businesses experienced an increase in the average number of records compromised per breach from 3,772 in 2017 to 5,611 in 2018 – nearly a 50% increase,” according to the report.

In addition to reporting breaches to the AG’s Office, organizations are currently required to alert impacted individuals within 45 days of finding out about a breach. Considering the new data, the report offers several suggestions going forward:

“In light of these trends, our office recommends that policymakers reduce the deadline for notifying affected individuals and the Attorney General’s Office to 30 days after discovery of a breach, including notification of the timeline of any individual data breach. Additionally, policymakers should expand the law to include a preliminary notification deadline to the Attorney General’s Office within ten days, allowing our office to inform the general public of breaches sooner through Consumer Notices. Policymakers should also expand the legal definition of personally identifiable information that triggers these notices.”