Small breaches can have big consequences

April 28th, 2009 Rob Douglas

Over the course of the last year, it has become very apparent that many – perhaps most – data security breaches are going unreported by the majority of data breach reporting organizations and web sites.

Almost every day, small breaches that appear in news items around the United States are never reported to the public by the Privacy Rights Clearinghouse, the Identity Theft Resource Center and other organizations that the media often cites as authoritative on the total number of data breaches.  This under-reporting does a disservice to the American public and our elected representatives and government agencies charged with protecting those who’ve had their personal information exposed.

Equally important, those overlooked “small” breaches are often far more significant than the larger breaches that are reported by data breach monitoring organizations.  More often than not, the small, unreported breaches have actual victims who’ve sustained actual losses, as compared to many of the larger breaches where it is fairly obvious the missing data will never fall into the wrong hands.

By way of one extreme example, yesterday the Associated Press reported from Virginia:

A former bank credit card department manager has been sentenced to two years, three months in prison for bank fraud and identity theft.

U.S. Attorney Dana Boente said Monday that 38-year-old Bernard James Brown Jr. of Saluda also was ordered to pay more than $65,000 in restitution to his former employer, Eastern Virginia Bankshares.

According to prosecutors, Brown used a stolen access device and identifying information to withdraw money from someone else’s account. After the credit card account was closed, Brown reopened it under a new name and address and continued to tap the account for cash and purchases.

Granted, this is a relatively small breach of one customer account, of one bank, by one bank employee.  Odds are this breach will never appear on the lists of breaches compiled by the Privacy Rights Clearinghouse, the Identity Theft Resource Center and other breach reporting organizations.

Yet, to the bank and its customer, this is an extremely serious breach that resulted in at least $65,000 in losses – not to mention the damage to the bank’s reputation for safeguarding customers.

This is not to criticize the fine work that the PRC, ITRC and others do.  It is a recognition that the methods for collecting and reporting breaches are so inadequate as to be useless from a statistical perspective.

And, without good data about data breaches, we cannot come to the correct answers in addressing the epidemic of data breaches.
