My New Year’s Day ritual has been the same for nearly 10 years now: a late breakfast, a cup of strong coffee and a scan of security blogs and news for two things that always make me chuckle: cyber predictions for the new year, and a retrospective that declares the past year the “Year of the Data Breach.”

Kelly Shortridge parodied the former perfectly and I actually thought we might go a year without the latter, until I found this headline on Bloomberg news in which 2017 is named the Year of the Data Breach:

Source: Bloomberg; https://www.bna.com/2017-year-data-b73014473359/

If you are wondering to yourself, where have I seen this before…? It’s nearly every year. 10 of the last 12 years, to be exact. Here’s a retrospective on the last 12 years and a glimpse into 2018’s prospects.

2005

2005 was the first year ever to be declared “The Year of the Data Breach” by many media outlets, such as InfoWorld. The phrase “data breach” entered into everyday usage in 2005 as well, due to data breach notification laws being enacted, increased data breach litigation as well as Ameritrade, CitiGroup and CardSystems all disclosing incidents.

2006

2006 was a big year for data breaches — it featured the AOL search data leak scandal and the US Department of Veterans Affairs breach. It caused one blogger and one security vendor to dub 2006 the year of the data breach.

2007

Attrition.org, the Identity Theft Resource Center and the Canadian Federal Privacy Commissioner in a letter to Parliament all declared 2007 “the year of the data breach.” I remember 2007 for two things: Britney Spears’ sad meltdown and the TJ Maxx data breach.

2008

Nothing! 2008 is not the year of the data breach! Good job, 2008.

2009

If 2005, 2006 and 2007 were all the year of the data breach, 2009 is the year of the MEGA DATA BREACH, according to Forbes and a security vendor. It was a big one, primarily due to the Heartland Payment Systems data breach, which was a compromise of 130 million records.

2010

After the MEGA year of 2009, we all decided to take a break.

2011

After 2008 and 2010 were not the year of the data breach, it was as if security journalists, vendors and cyber experts all stood up and shouted, in unison, “NEVER AGAIN! There shall never be a year that is not the Year of the Data Breach!”

And a good year it was. Trend Micro called it and Brian Krebs, among many others, referenced it. The most notable incident was the Sony Playstation Network suffering a prolonged service outage and data breach.

2012

A small security vendor, in a year-end retrospective, named 2012 the “Year of the Data Breach,” with breaches at Yahoo, Zappos and several high-profile incidents in the government sector dominating the news. It was also the “Year of the Data Breach in New Zealand,” according to the country’s privacy commissioner.

2013

2009 wants its adjective back. Symantec, in the 2013 Internet Security Threat Report, dubbed 2013 the “Year of the Mega Data Breach,” citing attacks on small and medium-sized businesses and the government sector. Others called it the “Year of the Retailer Breach” due to incidents at Target and Adobe.

2014

Assuming we could only have one “Year of the Data Breach,” 2014 would have to be the strongest contender. There was a massive amount of incidents in 2014: UPS, Michael’s, Home Depot, Jimmy John’s, Staples and JP Morgan Chase. The aforementioned are all eclipsed by The Hack of the Century (according to Fortune): the Sony Pictures Entertainment hack.

Most media outlets dubbed 2014 the “Year of the Data Breach,” as well as Advisen, Trend Micro and Tripwire’s State of Security.

2015

I declare 2015 the “Year of Superlatives.” Here is how the year was reported:

Fortune reported 2015 as the “Year of Data Breach Litigation.”
Security vendor IDM365 called it the “Year of the Super Mega Breach.”
Trend Micro just called it the plain old “Year of the Data Breach.” However, Trend Micro also declared 2014 the Year of the Data Breach.
Vice.com called 2015 the “Year of the Healthcare Breach.”
Hacked.com called it the “Year of the Personal Data Breach.”
GovTech.com settled on “The Year Data Breaches Became Intimate.”
HIPAA Journal called 2015 the “Year of the Mega Healthcare Data Breach.”

Many Americans were affected by data breaches in 2015, with the most notable incidents occurring at Ashley Madison, OPM, Anthem and the IRS.

2016

After 2014 and 2015, one would think it would be time to retire the phrase “Year of the…” and think of something else. Nope. A small law firm specializing in data privacy, SecureWorld, and a radio host named 2016 the “Year of the Data Breach.”

In a completely perplexing statement, Ars Technica recognized 2014 and 2015 as the “Year of the Data Breach” and also issued a challenge:

[I]f pundits don’t label [2016] ‘the year of the data breach’ — like a one-phase Chinese zodiac for the 21st century — they’re not doing their jobs at all.

2017

Bloomberg declared 2017 the “Year of the Data Breach,” citing incidents at Equifax, Yahoo and Uber. Experian also jumped on the bandwagon.

2018: a cyber prediction

Combining my two favorite things, cyber predictions and “year of the data breach” declarations, the non-profit Information Security Forum (ISF) stated that 2018 will be the “year of the data breach.”

Conclusion

Much has been written about consumer data breach fatigue. I have no doubt that breach fatigue is real and headlines like this, year over year, contribute to it. When headlines about cybersecurity cross the line into hyperbole, it’s time to re-think how we present the industry’s most pressing problems to the rest of the world. As it stands now, declaring a year the “year of the data breach” has become virtually meaningless. We know that data breaches are going to occur every year. Perhaps, starting this year, we can pull out the one notable data breach as the “Data Breach of the Year,” instead of naming the whole year the “Year of the Data Breach.”