The California Office of the Attorney General (OAG) recently released a report detailing a comprehensive analysis of the data breaches reported to the OAG between 2012 and 2015. Fifty million records of Californians were reportedly breached during those four years. The report acknowledges that security is a challenging endeavor for organizations, but points out that many of the breaches reported could have been prevented by taking reasonable security measures. The report provides the following key recommendations for businesses:
- Minimum Security Controls. Organizations that collect or maintain personal information should meet, at a minimum, the 20 controls identified in the Center for Internet Security’s Critical Security Controls.
- Strong Authentication Procedures. Organizations should implement multi-factor authentication for consumer-facing online accounts that contain sensitive personal information. They should also consider multi-channel authentication for administrators and for employees or vendors with remote access to internal systems – this requires adding an out-of-channel mechanism, such as a text message sent to a cellphone to get a one-time use code.
- Strong Encryption. Organizations should consistently use strong encryption to protect personal information on computing devices, such as laptops, phones, tablets, and desktop computers.
- Breach Fraud Alert. Organizations should encourage individuals affected by a breach of Social Security Numbers or driver’s license numbers to place a fraud alert to monitor their credit records for suspicious activities. They should make this option very prominent in their breach notices.
California’s Data Breach Report is noteworthy because it provides actionable takeaways for organizations to implement, including specific security controls.