Maine needs to analyze breach data, not just store it

Since April 2008, more than 24,000 Mainers have had their personal e-information compromised in more than 200 corporate security breaches, according to information gathered from five state agencies by the Sun Journal for a story about e-security that appeared Jan. 24.

Many of the breaches resulted from criminal hacking, but many others happened because laptops containing sensitive information were stolen or lost, or e-mails containing personal information were sent with attachments that should not have been shared. The public never heard about most of the breaches.

There are five separate agencies in Maine that collect information about identity breaches, instances in which someone's personal computerized information — payroll records, credit card purchases, bank account balances and numbers, Social Security numbers, addresses, birth dates — are lost or "compromised."

These agencies do a good job of collecting the data, but not such a good job of cataloging, collating and comparing that data. Breach notifications are received by these agencies and individual consumers alerted by the companies, but there is no requirement to analyze patterns or report worrisome developments to the Legislature or to the public.

The Sun Journal asked these five stage agencies for information about recent security breaches, and each of the agencies willingly provided the data, all stored in different formats.

The Office of Securities, which collects data of breaches at stock brokerages; the Bureau of Insurance; the Bureau of Consumer Credit Protection, monitoring breaches of mortgage companies and loan brokers; and the Bureau of Financial Institutions, which monitors banks and credits unions, provided data on internal spreadsheets. The Attorney General's Office, where 76 percent of all security breaches in Maine are reported, keeps the reports on paper filed in file folders.

Storing these reports on paper without any real means to alert the general public seems an ineffective way to protect consumers. It's no defense against e-thieves.

The Sun Journal created its own spreadsheet of data at the AG's Office during a two-day inspection of the paper files, and compared it to data collected at the state's four other reporting agencies.

We were struck by how inaccessible this information is in the digital age. Consumers who are the subject of an e-breach are alerted, but there is no general public alarm about how widespread or creative these breaches can be, which makes it difficult for others to respond to protect their own personal information.

We can try to protect our e-selves by creating passwords, being careful about logging on to unsecure sites and not putting personal information on computers at work, but we can't prevent widespread breaches of databases that happen because someone in the corporate world makes a mistake, leaving a laptop with our credit card history on a plane or e-mailing other personal information where it doesn't belong.

As a group, Mainers are less likely to be the victims of identity theft than others across the country, but as digital access increases here, that's not likely to remain the case.

Maine doesn't need a new agency to monitor security breaches, but it does need some means of combining breach reports intra-agency and some means of analyzing the data in real time, in time for consumers, when they can, to defend themselves.

Information is not only power. It's protection.

editorialboard@sunjournal.com