According to the Privacy Rights Clearinghouse, a non-profit consumer education organization, businesses and governmental and educational entities have reported more than 2,500 data breaches involving nearly 600 million records since 2005. The Open Security Foundation, a non-profit organization that provides information about data security risks, says that organizations have reported 210 breaches so far this year. And according to the Federal Trade Commission (FTC), nearly 9 million Americans are victims of identity theft every year.
The rules for reporting data breaches vary across the country. In sum, 46 states and Washington, D.C., have disclosure laws that require organizations those whose personal data was compromised as soon as reasonably possible. (Only Alabama, Kentucky, New Mexico and South Dakota currently do not have notification requirements.) Organizations must report breaches to affected individuals according to the disclosure laws of the state in which the individual resides, which can be complicated.
The cost of a data breach is multifaceted and can be difficult to estimate. It depends on the extent of the breach and the type of information exposed. Many data security experts say companies pay $200 on average per record lost.