Yet, when asked later about having become identity theft victims, few of the survey respondents attributed their fraud to the data breach they’d been involved in.

The objective behind sending the data breach notification letters is to let consumers know their personal or financial information has been compromised. The notices should spur credit card and bankcard holders to place fraud alerts or credit freezes on their credit reports, or to enroll in identity theft protection services or credit monitoring services.

Unfortunately, it seems few recipients of the data breach notifications are taking heed.

More than 285 million records were compromised in 2008, according to the Verizon Business 2009 Data Breach Investigation Report. Nearly 10 million Americans became ID theft victims in 2008, a 22% increase over 2007.

The report is based on information collected during Javelin’s 2008 Identity Fraud survey, which involved nearly 5,000 American consumers during October 2008. The results are consistent with similar findings in 2006 and 2007.

Javelin is the leading provider of nationally representative, quantitative research focused exclusively on financial services topics. Based on the most rigorous statistical methodologies, Javelin conducts in-depth primary research studies to pinpoint dynamic risks and opportunities.

Additionally, the data breach notification rule applies to any business associates of any entity covered by HIPAA.

The notification is to be made “as soon as reasonably possible,” but in most cases within 60 days of discovery. An exception to this provision is made if law enforcement requests a delay, a common occurrence when an investigation is ongoing, particularly if the breach appears to affect a large number of people or is part of a larger scam.

However, even if notification takes place within 60 days, but the Department of Health and Human Services (HHS) could determine the covered entity failed to meat the provision if notification could have been made sooner.

If the breach involves 500 or more people, HHS and the media have to be notified. All other smaller breaches should be reported annually.

Another exception to the rule is encrypted or destroyed information. If a hacker breaks into a server or database that the health care entity has taken measures to adequately protect, the entity is off the hook and doesn’t have to make any notification.

Data breach is defined as “the acquisition, access, use or disclosure of protected health information in a manner not permitted (by the HIPAA Privacy Rule) that compromises the security or privacy of the protected health information” or that means a “significant risk of financial, reputational or other harm to the individual.”

The rule is part of an alphabet soup of new legislation. It applies to any entity covered by the Health Insurance Portability and Accountability Act (HIPAA), and is part of the new Health Information Technology for Economic and Clinical Health (HITECH) Act, which is part of the American Recovery and Reinvestment Act of 2009 (ARRA).

The district offices sent out notification letters last Friday, telling the employees about a lost USB flash drive that holds 6,000 employees’ addresses, phone numbers, birth dates and Social Security numbers.

Apparently, a district-level employee had a legitimate purpose for storing the data on the flash drive, but maybe has a little bit of a problem with short-term memory. “At, this point we have no reason to believe the information was stolen or used to perpetuate fraud or identity theft,” said Jennifer Toomer-Cook, spokeswoman for the district.

To their credit, the school district mailed the notification letters only two days after the data breach was reported. The letters provided employees with a Web address where they can initiate a 90-day fraud alert or credit freeze, but didn’t mention anything about their paying for their employees’ credit monitoring or identity theft protection services.

And they did try to assuage the concerns of district employees by saying they are working to improve security policies and building a secure network for file transfers.

Unfortunately, those changes are too late for the employees left at risk of identity theft.

“ID theft is the designer crime of the day. Of all the people I trust with my information, my employer is paramount. So, yes, I am concerned,” said Margot McCallum, a middle school teacher.

Visit LifeLock.com to learn more about their innovative tools and strategies for protecting the identities of their nearly 1.5 million customers. Enroll using the LifeLock promo code DEFENSE and pay only $9 a month for comprehensive identity theft protection services, and get 30 days of free protection.

Perhaps the most disturbing discovery is that of the roughly 250 reported breaches, only one of the victims could say the stolen information was encrypted.

Almost every state has laws compelling entities to report data breaches, but apparently even the fear of public disclosure and bad publicity still isn’t enough to make businesses and other organizations protect the data they hold.

“It’s a dual problem here undeterred by law or common sense,” said Linda Foley, co-founder of the ITRC. “You’d think if all these organizations have to notify, that they would take some steps to make sure their data doesn’t get exposed in the first place.”

Another surprising finding is that employees are stealing records at the same rate as hackers. Together, the two types of attacks are responsible for 36.4% of the roughly 250 data breaches reported publicly this year as of June 12.

The only good news to be found in the study is that the total number of data breaches is down by roughly 30% from the same time last year when 342 breaches had already been reported.

Unfortunately, even that slight ray of sunshine is dimmed by the fact that at least 12 million businesses and consumers are affected by this year’s data breaches, and the total is probably far greater than that; fewer than half of the entities that reported breaches revealed the number of victims affected.

“This study shows that both personal and corporate information is flowing out of the organizations entrusted with its confidentiality,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
The survey was commissioned by Compuware Corporation, and conducted by the Ponemon Institute. The survey respondents hailed from the US, UK, France and Germany, and had an average of nine years experience.

These results follow the results of another survey that revealed that only 50% of organizations that experience data breaches notify their customers and clients; only 40% notify authorities.

Though the results of both studies are infuriating, there is hope. LifeLock professional identity theft protection services is a great way to protect your personal and financial information.

LifeLock is the service of choice for almost 1.5 million Americans. LifeLock has partnered with the FBI, AARP, and dozens of private businesses organizations to help protect the identities and credit of their constituents.

Since January 2005 nearly 250 million records have been lost or stolen in data breaches. If you’ve ever thought you needed, but couldn’t afford, a professional identity theft protection service, this is the perfect time to learn more about LifeLock. Right now, LifeLock is offering their comprehensive ID protection programs at a discounted rate, when you use the LifeLock promo code Defense.

Visit LifeLock.com for more information.

A recent survey of 300 companies by Logica–an information technology security firm—revealed that only 40% of the companies who experienced data breaches notified their customers. Only 50% of the companies notified police or other authorities. Only 30% of them give their employees training on how to prevent or respond to data breaches.

To date, only six states (South Dakota, New Mexico, Missouri, Kentucky, Alabama and Mississippi) have failed to enact laws that require customers be notified when their information has been lost or stolen. And there is as yet no federal law requiring them to do so. Even in the states that require notification, apparently companies still aren’t doing it.

Since January 2005 almost 250 billion records are known to have been lost or stolen. Because, in many instances, the private or public agencies cannot determine how many records have been exposed, the total number is actually much higher.

So, if you can’t trust the people who control your personal and financial information to responsibly protect it, how can you protect yourself from identity theft?

Visit LifeLock.com to see how their award-winning service works. Use LifeLock’s promo code “Defense” and let them save you money while they’re saving your credit. Click here to enroll now.