California's Attorney General released a Data Breach Report based on 131 data breaches reported to the AG office in 2012. The report finds that 2.5 million California residents were impacted by data breaches last year, and that the mean breach affected 22,000 people. More than half of the breaches involved Social Security numbers. The retail industry reported the most data breaches, followed by finance and insurance, and health care. Fifty-five percent of the breaches resulted from intentional intrusion by outsiders or by unauthorized insiders. The report discusses the impact of the failure to encrypt sensitive personal information. Of the Californians affected by data breaches in 2012, had data been encrypted in some of these situations, 1.4 million individuals would not have been impacted. As a result, the Attorney General strongly recommends that companies encrypt digital information when sending data out of their internal networks. The Attorney General alsoannounced its intention to prioritize the investigation of breaches involving unencrypted personal information. Other recommendations focused on reviewing security controls, improving breach notices, and expanding the notification requirements to include username and password information that would grant access to online accounts.
TIP: This report is a reminder – and a warning – that companies should make sure they have appropriate encryption procedures in place for personal information, in particular sensitive personal information that might trigger a reporting requirement under data breach notification laws.