Chronology of Data Breaches: FAQ


  1.  Why do we maintain this Chronology of Data Breaches?
  2. What should you do if your personal information has been exposed in a data breach? 
  3. Is the Chronology of Data Breaches an exhaustive list of data breaches?
  4. How do we determine which data breaches to include in the Chronology?
  5. Is it accurate to say that the number of records breached reflects the number of individuals affected by the breach?
  6. Do we make all of our Chronology data available in downloadable format?
  7. Copyright and research use.
 

1.  Why do we maintain this Chronology of Data Breaches?

We maintain this Chronology of Data Breaches as a source of information to assist in research involving reported data breaches from 2005 to present. 

2.  What should you do if your personal information has been exposed in a data breach?

Read our guide, What to Do When You Receive a Data Breach Notice.

3.  Is the Chronology of Data Breaches an exhaustive list of data breaches?

No, we are not able to list every data breach. Many organizations are not aware they’ve been breached or are not required to report it based on reporting laws. Our Chronology is limited to data breaches reported in the U.S.  If a data breach affects individuals in other countries, it is included here only if individuals in the U.S. are also affected.

4.  How do we determine which data breaches to include in the Chronology?

Our Chronology reflects data breaches and the number of records breached reported through either government agencies or verifiable media sources.

If the number of records breached is unknown, we note that as a "0" in our Chronology. Additionally, as the number of records breached will often change over time as an organization investigates the data breach, we continue to update the number of records breached accordingly.

5. Is it accurate to say that the number of records breached reflects the number of individuals affected by the breach?

Not always. The number of records breached does not necessarily indicate the number of people affected. One person may have multiple records breached in a single data breach by having multiple accounts within the affected organization (e.g., multiple email accounts with a single provider).

We no longer report two numbers due to the ever-changing definitions of personal information and lack of consensus amongst states and sectors.  Starting October 30, 2017, we record the number of records breached in all breaches we find reported in the media and through government agencies.

6.  Do we make all of our Chronology data available in a downloadable format?

Yes, we provide the ability to download our data as a CSV file that can be used to create a spreadsheet.  Once you have conducted a search, click on the orange button that says "Download Data Breach File."

7.  Copyright and research use.

PRC strongly believes in the spirit of sharing information and access to knowledge, and we encourage use and re-use of our data. We license everything on our website under the permissive Creative Commons 4.0 Attribution Non-Commercial Share-Alike (CC-BY-NC-SA) open license. This means that you are free to use our content for any non-commercial purpose, provided that you give us attribution and share the resulting work under the same license terms. If you're interested in using our database or any other content on our website in a way that does not conform to the CC-BY-NC-SA license, please reach out to our Data Breach Chronology manager, chronology@privacyrights.org, and we'd be happy to discuss different terms.

Why does PRC publish the Chronology of Data Breaches?

 

PRC publishes the Chronology as a source of information on reported data breaches from 2005 to present.

 

What should an individual do if his or her personal information has been exposed in a data breach?

 

Read our guide, What to Do When You Receive a Data Breach Notice.

 

Is the Chronology of Data Breaches an exhaustive list of data breaches?

 

No. We are not able to list every breach in the Chronology. Many organizations are not aware they’ve been breached or are not required to report it based on reporting laws (see below). PRC’s Chronology is limited to breaches reported in the U.S. If a breach affects individuals in other countries, it is included here only if individuals in the U.S. are also affected.

 

How does PRC determine which breaches to include in the Chronology?

 

PRC’s Chronology includes breaches reported through either government agencies or verifiable media sources.

 

How does PRC determine whether to include the number of records breached in the Chronology?

 

We want the number of records breached in the Chronology to reflect breaches that have a high chance of exposing individuals to identity theft as well as breaches that organizations are required to report under state laws.  This means the number of records breached usually reflects compromised records that include data elements such as Social Security numbers, financial account numbers, and driver’s license numbers.

 

If the number of records breached is unknown, we note that.  In addition, the number of records breached will often change over time as an organization investigates the breach.  When we learn of updates, we change the number of records breached accordingly.

 

 

When we find out about breaches where data elements traditionally associated with identity theft exposure are not compromised, we will list the breach but will not include the number of records breached in our total. 

 

 

 

Why is the number of records breached higher than the number of data breaches?

 

Each data breach consists of many individual breached records.  However, the number of breached records does not necessarily indicate an accurate number of people affected. Many individuals have been affected by more than one breach.

 

Does every state have a data breach notification law that requires individuals to be notified of a data breach affecting their personal information?

 

47 states have enacted data breach notice laws.  These websites provide information about the laws of each state plus the District of Columbia and territories.

 

For more information, see:

 

Davis Wright Tremaine (map and summaries of U.S. state data breach notice laws);

Steptoe & Johnson (both state and federal laws); or

National Conference of State Legislatures (provides links to state laws).

Does PRC make all of its Chronology data available in a downloadable format?

 

Yes. The PRC provides the ability to download our data as a CSV file that can be used to create a spreadsheet. If you would like a copy of this file, please send your request via email to admin@privacyrights.org. Please also tell us if your use is for an educational, research, or commercial purpose.
