California Attorney General Kamala D. Harris has released a “California Data Breach Report,” which presents a series of findings and recommendations based on a review of breaches reported to the Attorney General’s office in 2012 and 2013.  It should come as no surprise that breaches are on the rise, but the Attorney General’s analysis of the reported breaches outlines the root causes of these breaches on an industry basis and recommends best practices to address the sources of those breaches.  For instance, the vast majority of retail breaches were the result of computer intrusions (malware and hacking), leading to recommendations such as the implementation of chip-and-pin technology, end-to-end encryption and tokenization of payment card data.  Similarly, in the healthcare industry, where 70% of the reported breaches were the result of physical loss or theft of hardware or portable media containing unencrypted data, the Attorney General recommends health care providers and institutions use strong encryption to protect covered information on laptops and other portable devices.

Key Findings

  • 28% year-over-year increase in breaches reported to the California Attorney General.
  • Excluding Target and LivingSocial breaches: a 35% year-over-year increase in the number of records breached.
  • Including Target and LivingSocial breaches: a 600% year-over-year increase in the number of records breached.
  • Industries most affected:
    • Retail:
      • 26% of reported breaches
      • 15.4 million records of Californians (84% of total)
      • 84% of the reported breaches were the result of malware and hacking
    • Health Care:
      • 25% of reported breaches
      • 1.1 million records of Californians (6% total)
      • 70% of the reported breaches were the result of physical loss or theft of hardware or portable media containing unencrypted data, while only 8% of the reported breaches were the result of malware and hacking, making it the only sector where malware and hacking was not the leading cause of breaches.
    • Finance and Insurance:
      • 20% of reported breaches
      • 245,000 records of Californians (1% of total)
      • 38% of the reported breaches were the result of malware and hacking, while 25% of the reported breaches were the result of unintentional errors
  • Computer intrusions (malware and hacking) were the leading cause of breaches overall (53%), followed by physical loss or theft of unencrypted data (26%), unintentional errors (18%) and intentional misuse by insiders (4%).
  • Social Security numbers were the most frequent type of data compromised (48%), followed by payment card data (38%).  Medical information was compromised 19% of the time, rising 2% from 2012.
  • 71% of entities that reported a breach of Social Security numbers or driver’s license numbers offered affected consumers a mitigation service, such as credit monitoring or a security freeze; 29% of entities that reported such a breach offered no mitigation services.
  • 8% of the reported breaches involved paper records, even though such reporting was not required.

Key Recommendations

These are the key recommendations each industry should follow:

  • Retailers:
    • Update point-of-sale terminals to enable chip-enabled payment cards to decrease fraud in face-to-face transactions.
    • Implement technological solutions to devalue payment card data, including:
      • End-to-end encryption; and
      • Tokenization throughout the payment system, including online and mobile transactions.
    • Respond promptly to breaches and provide expedient consumer notification.
    • When retailers provide “substitute” notification on their websites, they should include conspicuous links from the homepage, leave the information posted for longer periods of time, and make other improvements.
  • Retailers and Financial Institutions:
    • Work together to better protect debit cardholders in retailer breaches.
  • Health Care:
    • Use strong encryption to protect covered information on portable devices; consider using encryption to protect covered information on desktop computers.
  • All Industry Sectors:
    • Implement an effective data protection program that includes:
      • Periodic risk assessments (conducted at least annually);
      • Regular updates to privacy and security policies;
      • Regular employee training; and
      • Technological controls.
    • Use strong encryption tools, especially for data in transit or stored on laptops or portable media.
    • When a breach notification is provided to consumers, make it more readable by using shorter sentences, familiar words and phrases, an active voice and a layout that supports clarity.
  • California State Legislature:
    • Consider legislation to amend the breach notice law to strengthen the substitute notice procedure, clarify the roles and responsibilities of data owners and data maintainers, and require a final breach report to the Attorney General.
    • Consider legislation to provide funding to support system upgrades for small California retailers.