Imagine you walk into your new office and see a copy of a job application letter on top of a wastepaper basket full of office documents and trash. You pick it up and read it. The applicant and previous office occupant proclaims his or her attentiveness to privacy and security practices in the workplace. A study published nearly a decade ago indicated that as much as 70% of identity theft originates in the workplace.
The job application letter generates curiosity, and you dive into the wastepaper basket. You find client Social Security numbers, checks disclosing personal and business checking account numbers, and other personally identifiable information and business-confidential documents in the trash.
So much for the job applicant's understanding and practice of privacy and security in the workplace. The reality is that there is little privacy and security in the workplace. Thousands of incidents like this real example occur every day and go unnoticed and undetected, especially in small organizations.
The relatively infrequent large-organization data breach incidents, where thousands and occasionally millions of customer profiles are compromised, are highly publicized by the media. What we do not hear about are the thousands of incidents that occur daily in small businesses. These incidents may outnumber those publicized, and cumulatively they may be as serious or more so.
For example, if there are 10,000 small-organization incidents nationwide each week with an average of 10 items of personally identifiable information compromised, that's one million potential identity theft victims per week, or 52 million a year. What if the number of incidents is 10,000 a day? That's a million potential identity theft victims a day.
“10,000 small organizations is less than 0.05% of all organizations in the U.S. Put in different terms, it is easy to see how there could be 500 data compromises per million organizations each week, if not each day!”
It is unknown how many of these smaller breaches occur daily, although it has been suggested that there are thousands. The overwhelming majority of the nearly 25 million small organizations have not trained their employees on privacy and security compliance essentials. Consequently, these organizations do not have controls in place to detect or report data breaches.
Publicly traded companies have ethics and compliance programs largely as a requirement of the Sarbanes-Oxley Act. One component of an ethics program is regulatory compliance. As a result, the roughly 8,000 publicly traded organizations in the U.S. have a fundamental awareness of privacy and security statutory requirements, including state laws requiring them to report data breaches when they occur.
Publicly traded companies make up less than 0.1% of all organizations in the U.S. that have employees or customers. If an organization has employees or customers, it typically holds Social Security numbers, financial account numbers and other personally identifiable information. That leaves 99.9% of the organizations in the U.S. without a clue when it comes to protecting the information you entrust to them.
Whom have you shared your personal information with lately?