Data breaches are on the rise—and so is government enforcement action and data breach litigation. Retailers are not the only ones at risk; data breaches are affecting a growing number of industries. In addition to recent privacy enforcement actions from the Federal Trade Commission and now the Federal Communications Commission, the increased frequency and severity of data breaches continue to draw attention from state attorneys general.
In October 2014, California Attorney General Kamala D. Harris released "The California Data Breach Report." The report analyzes data breach statistics involving California residents. The report also offers targeted recommendations to companies looking to prevent, or respond to, data breaches.
- In 2013, 167 data breaches were reported to the California attorney general.
- More than 18.5 million California residents were involved in breaches in 2013, a 600 percent increase over data breaches in 2012. (Note, however, that the data is skewed by two very large incidents.)
- Although the retail sector reported the most breaches in 2013 (26 percent of total breaches), the finance/insurance sector (20 percent) and health care sector (15 percent) followed closely behind.
- A wide variety of other sectors reported breaches, including government, education, hospitality, and professional services.
- More than half of total breaches in 2013 were caused by malware and hacking (53 percent).
- Twenty-six percent of all data breaches were attributable to physical loss or theft of an electronic device.
- Eighteen percent of all reported breaches were caused by "miscellaneous errors" (for example, insecure disposal of confidential information).
- Four percent of total breaches were caused by "misuse" (such as when an insider makes unauthorized use of privileges or resources).
- Social Security numbers were the most frequently compromised records in 2013.
Retail Industry Recommendations
According to the report, in the retail sector, 84 percent of data breaches were the result of malware and hacking. The report advises California retailers to act quickly to update their point-of-sale terminals so that they are chip-enabled and to install the software needed to operate this technology. The report also urges retailers and financial institutions to work together to protect debit cardholders in retailer breaches. Retailers are encouraged to devalue payment card data by encrypting the data from the point of capture until completion of transaction authorization. Similarly, retailers are urged to employ tokenization to devalue payment card data during online and mobile payment transactions. By using such tokens, payment data stolen from one institution cannot be used to make a future payment or counterfeit a stolen credit card.
Health Care Recommendations
In the health care sector, physical loss or theft of data poses the greatest challenge, with 70 percent of breaches reportedly caused by lost or stolen hardware or portable media containing encrypted data. The report urges the health care sector to focus on strong encryption to protect medical information on laptops, portable devices, and even desktop computers.
No Specific Recommendations for the Financial Sector
The report notes that the financial sector accounts for the largest share of "miscellaneous error" data breaches (30 percent) but makes no specific recommendations for how to address them. However, financial institutions should be mindful of the attorney general's advice to work alongside retailers to protect debit cardholders in retailer breaches. Federal financial services regulators, however, have issued varying data security guidelines and requirements for the financial sector. There are also increasing calls by state regulators for financial institutions to increase their efforts in protecting consumer data from cyber theft, and to more effectively conduct cybersecurity oversight of dependent third-party providers.
Taking Action Post-Breach
In the event of a breach, the California attorney general advises companies to respond promptly and notify affected individuals without unreasonable delay. The report also emphasizes that breach notices should be "readable" by the average American consumer, using plain, straightforward language and avoiding technical or legal jargon. Companies should have a data breach plan prepared in advance to facilitate a prompt and appropriate response.
In light of the rising frequency of data breaches, companies operating in California should review the attorney general's report and carefully consider its recommendations.