When California changed its law to require Attorney General (AG) notification in the event of a data breach, Attorney General Kamala D. Harris' office began analyzing the data it was receiving. A report issued by her office made a number of findings summarized below. However, key among them is the impact encryption would have on data at risk. Based on this finding, the Attorney General announced an enforcement priority to investigate breaches involving unencrypted personal information.
Attorney General Harris stated in the report:
Particularly striking is the impact of the failure to encrypt sensitive personal information. It has been ten years since we realized the vulnerability of personal information on stolen laptops, lost data tapes, and misdirected emails. If encryption had been used, over 1.4 million Californians would not have had their information put at risk in 2012. That number represents more than half of the 2 5 million people affected by the 131 breaches covered in this report. It is my strong recommendation that companies and agencies implement encryption as a basic protection and reasonable security measure to help them meet their obligation to safeguard personal information entrusted to them.
The report contains some interesting findings:
- In 2012, 131 breaches, each affecting more than 500 California residents, were reported to the Attorney General’s Office.
- The average breach involved information of 22,500 individuals, with the median breach size being 2,500 affected individuals.
- More than 2.5 million Californians were put at risk by data breaches in 2012.
- The retail industry reported the most data breaches in 2012: 34 (26 percent of the total reported breaches.
- More than half of the breaches (56 percent) involved Social Security numbers.
- While more than half of the breaches (55 percent) were the result of intentional intrusions by outsiders or by unauthorized insiders, the other 45 percent resulted from failures to adopt or carry out appropriate security measures.
- The average reading level of breach notices submitted in 2012 was 14th grade.
- In 50% of the breached considered, the breaching entity offered credit monitoring services.
Based on these findings, the report makes a number of recommendations, including calling for legislation requiring encryption of data in transit:
Companies should encrypt digital personal information when moving or sending it out of their secure network. The Attorney General’s Office will make it an enforcement priority to investigate breaches involving unencrypted personal information, and encourage our allied law enforcement agencies to similarly prioritize these investigations. The Legislature may also want to consider requiring the use of encryption to protect personal information in transit.
Similar requirements already exist in Massachusetts and Nevada. Other recommendations include:
- Train employees and contractors.
- Improve readability of breach notices.
- Offer mitigation products and/or provide information of security freezes.
- To the legislature, expand the definition of personal information in the State's breach notification law to include online credentials such as username and password.
Companies, particularly those that maintain personal information about California residents, should read this report and carefully review the steps they take to mitigate their "information risk." Remember that in 2003 California was the first state to enact a data breach notification law, and 45 state followed shortly thereafter. Other states' AGs have and may take similar steps to respond to the continuing risks data breaches raise for their state's residents.