A Case of Mistaken Identity? News Accounts of Hacker, Consumer, and Organizational Responsibility for Compromised Digital Records

The computer hacker is one of the most vilified figures in the digital era, but to what degree are organizations actually responsible for compromised personal records? To examine the role of organizational behavior in privacy violations, we analyze 589 incidents of compromised data between 1980 and 2006. There were more reported incidents in 2005 and 2006 than in the previous 25 years combined. Excluding a particularly large security breach at Acxiom, hackers account for the largest volume of compromised records, some 45%, while 27% of the volume is attributed to organizational mismanagement and 28% remains unattributed. In terms of incidents, 9% were an unspecified type of breach, 31% of the incidents involved hackers, and 60% of the incidents involved organizational mismanagement: personally identifiable information accidentally placed online, missing equipment, lost backup tapes, or other administrative errors. Options for public policy oversight are discussed.