5. Subcontractor Breaches
In November 2008, the Arizona Department of Economic Security had to notify families of about 40,000 children that their personal data may have been compromised following the theft of several hard drives from a commercial storage facility. The drives were password-protected but not encrypted. The agency says no information was used to commit fraud.
Costs: Subcontractor breaches are more costly than internal incidents, averaging US$231 per record compared with US$171, according to Ponemon.
Blinders: According to Ponemon's annual cost study, breaches by outsourcers, contractors, consultants and business partners are on the rise, accounting for 44 percent of all cases reported by respondents last year. That's up from 40 percent in 2007. In the ITRC study, 10 percent of breaches were associated with subcontractors in 2008.
Eye-openers: Companies need to create service-level agreements that are airtight and specific, and then ensure that subcontractors are in compliance and penalize them if they aren't. In cases that involve the use of backup tapes or disks, Semple says, insist on encryption and password protection.