California Attorney General Kamala Harris released the state’s second Data Breach Report, which confirms a rise in breaches and offers nine recommendations that will decrease the chances of security problems.
According to the report, there were 167 data breaches, a 28 percent rise over the prior year. The number of impacted records similarly increased, up 600 percent to a total of 18.5 million. The retail industry suffered the most breaches (84%), with an estimated 15.4 million state residents whose records were impacted.
Skewing the numbers for 2013 somewhat were two “very large” retailer incidents, the AG’s office acknowledged. However, even if those breaches were excluded, the number of records affected in 2013 would still have constituted a 35 percent increase over 2012.
More than half of the breaches were attributed to hackers or malware, followed by the loss or theft of laptops with unencrypted personal information (26 percent), unintentional error (18 percent), and intentional misuse by insiders (4 percent).
The report made nine recommendations, three of which were geared toward all industries. Harris advised that organizations conduct at least annual risk assessments and update their privacy and security practices accordingly, utilize “strong encryption to protect personal information in transit,” and make breach notices more readable.
With the bulk of breaches occurring at retailers, the report made five specific suggestions, including requirements that sales terminals be chip-enabled, that appropriate tokenization solutions be implemented, and that data capture be encrypted until the completion of a transaction. Retailers should also “respond promptly” to a data breach and notify affected consumers as quickly as possible. Financial institutions and retailers should work together to protect consumers, the report added.
Harris urged the healthcare sector – the industry hardest hit after retailers and finance and insurance – to encrypt sensitive patient information.
The report also proposed two items for lawmakers. California legislators should consider establishing a system to provide security funding for small retailers, which have been the target of breaches and cyberattacks. Harris further suggested that legislators should “amend the breach notice law to strengthen the substitute notice procedure, clarify the roles and responsibilities of data owners and data maintainers and require a final breach report” to the AG’s office.
Why it matters: AG Harris has been a leader in the privacy ecosystem, advocating for mandatory privacy policies and releasing the state’s first Data Breach Report last year. Businesses, especially retailers, should take note of the AG’s findings and recommendations, particularly as two of the suggestions in the last report have since been codified into law.