In a new report, California Attorney General Kamala Harris revealed that 2.5 million state residents were the victims of a data breach in 2012, with the average breach involving the personal information of 22,500 individuals.

The report details the 131 data breaches reported last year, the first in which companies were required to report breaches to the AG’s office. Although California enacted the first data breach notification law in 2003 which mandated that businesses and state agencies notify state residents when their personal information is compromised, an amendment took effect in 2012 that required covered entities to report to Harris’s office a breach involving more than 500 Californians.

Based on the first year of numbers, Harris said the retail industry suffered the most data breaches with 34, followed by finance and insurance, each with 30 breaches. Five breaches involved the personal information of 100,000 or more individuals, while more than half of all breaches included Social Security numbers, which the report said “pose the greatest risk of the most serious types of identity theft.” More than half – 55 percent – of the breaches were caused by unauthorized users or intentional intrusions; the rest were a result of lackadaisical security measures.

“Data breaches are a serious threat to individuals’ privacy, finances and even personal security,” Attorney General Harris said in a statement. “Companies and government agencies must do more to protect people by protecting data.”

To that end, the report also made recommendations for improving data security, particularly the use of encryption. While California law does not mandate encryption, entities that encrypt data for transmission are protected by a safe harbor in the event of a breach. But the report said this incentive had not persuaded enough covered entities to encrypt. The report concluded that had companies encrypted data during transmission, 1.4 million Californians would not have had their information exposed (28 percent of all breaches).

Therefore, Harris suggested updating the data breach law to require the use of encryption for personal information in transit.

“It is my strong recommendation that companies and agencies implement encryption as a basic protection and reasonable security measure to help them meet their obligation to safeguard personal information entrusted to them.”

Other recommendations included that companies should review and tighten security controls on personal information, offer mitigation products or provide information about a “security freeze” to breach victims, and improve breach notices to make them easier for consumers to read. According to the report, the average reading level of the notices provided to consumers was 14th grade – higher than the average U.S. reading level of 8th grade. “Recipients need to be able to understand the notices so that they can take appropriate action to protect their information,” Harris said.

The AG also threw her support behind SB 46, legislation that would broaden notification requirements to breaches involving a user name or e-mail address in combination with a password or security question and answer that would permit access to an online account.


Why it matters: AG Harris noted that the issuance of the report is not required by state law, but she chose to make the information public – including a list of all entities that suffered a data breach – in part to make recommendations about how to improve data security. In addition, Harris announced her support not only for best practices and more help for consumers, but also for law enforcement “to more aggressively target breaches involving unencrypted personal information” and legislation that would expand notification requirements.