Businesses can learn some valuable lessons from the Data Breach Report 2012 issued by the California Attorney General on July 1, 2013. The financial, insurance, and retail industries accounted for 49 percent of all reported data breaches; and those breaches involved mostly social security numbers, credit card information, health and medical information, driver’s license numbers, and bank account numbers. California law requires a business or state agency to give written notice to any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. Data breaches are often accompanied by high expense to a business required to notify affected consumers, serious adverse publicity for such a business, and in some instances, class action lawsuits with risk of high liability to the business.
This Could Happen to Your Business in Any State
The results shown in this Report are likely representative of the data breaches reported in the other 46 jurisdictions that have similar laws. Yes, a serious data breach could happen to you, your employees or your customers.
California’s Breach Notification Law requires that a business provide a breach notification to the California Attorney General’s Office only if that business is required to notify more than 500 California residents of a single breach. CAL. CIV. CODE § 1798.82(f). Still, in 2012 alone, the California Attorney General received 131 such notifications, concerning more than 2.5 million California residents.
Encryption Helps Mitigate Consequences of Breach
The Report highlights the fact that much of the damage to consumers and the harm caused by loss of, or unauthorized access to, personal information could have been avoided or mitigated through the encryption of digital personal information. The Report estimates that if encryption had been used, more than 1.4 million California residents would not have had their information put at risk in 2012 in connection with reported breaches.
Breaches Are Not Just By Hackers
According to the Report, more than half of the reported breaches in 2012 were caused by intentional intrusions (such as hacking; 10 percent of breaches were caused by insiders); however, other types of events also lead to a significant number of breaches. For example, physical loss (such as lost documents, storage media, flash drives and laptops) accounted for 27 percent of reported breaches. This could be improved through training, better tracking of assets, and taking a hard look at who has custody of what data and whether that is appropriate. Procedural failures caused by processing errors such as misdirected mail or email, unintentional web posting, and disposal failures accounted for 18 percent of reported breaches.
The Report Has Good Recommendations
The Report contains a number of helpful recommendations for companies handling personal information that may help to mitigate the risk of the serious consequences to both the business and consumers impacted by a data breach. The recommendations include encrypting digital personal information, reviewing and tightening security controls, training employees and contractors, and legislative movement toward mandatory encryption laws.
Additional recommendations include the implementation of a security framework such as the Critical Security Controls, a set of controls developed at the initiative of the U.S. National Security Agency. The U.S. State Department has demonstrated a more than 94 percent reduction in “measured” security risk through the rigorous automation and measurement of the Critical Security Controls.
Additional Key Takeaways from the Report
Companies handling personal information may want to take the following steps when dealing with the management of such information:
- Make security of personal information a top priority
- Harden security on the key assets that are typically the target of data breaches (ATMs, desktops, file servers and laptops)
- Disable old email accounts and network backdoors to avoid sabotage by former employees
- Make preparations to prevent the most common types of breaches, such as those at, or through, point-of-sale or ATM devices
- Prevent malicious code from being installed by disabling auto-run content for USB and other external media upon insert
- Give notice to employees and customers of the crucial importance of unique passwords (on their websites, network access points, and other places) and require frequent changing of passwords
- Detect and contain breaches early, including through the deployment of the essential technology, processes, and personnel needed to ensure early detection and containment
- Encrypt digital personal information
- Note that additional legislation may be on the way in California and in other states requiring notification when “online credentials” are lost or stolen, and businesses should monitor California’s and other states’ activities in this area to ensure that compliance is maintained