On February 16, 2016, California Attorney General Kamala D. Harris – who has been mentioned as a potential nominee to fill Justice Antonin Scalia’s recently vacated seat on the U.S. Supreme Court – released her California Data Breach Report for 2012-2015 (the “Report”). Although focused on California, the Report provides insights and guidance that are valuable to businesses everywhere.  In light of the high cost of securing data, businesses must thoughtfully strategize how best to allocate their breach prevention resources.  The Report aids this endeavor by discussing the types of breaches that have impacted businesses, the types of data that have commonly been compromised, and which industries have been most affected.  The Report also provides recommendations for protecting against future breaches.

Malware and hacking, physical breaches, and breaches caused by error have been the three most common types of breaches. Of the three, malware and hacking have been by far the largest source of data breaches, with 90% of all breached records breached by means of malware and hacking.  Physical breaches, resulting from the theft or loss of unencrypted data on electronic devices, were next most common, with health care entities and small businesses most heavily impacted.  Breaches caused by error – such as mis-delivery of email and inadvertent exposure of information on the public Internet – ranked third.  Government entities made half of all such errors.

Social Security numbers and medical data were found to be the most common types of data breached. The Report predicts that, as retailers continue to transition to EMV (chip-enabled payment cards), cybercriminals will likely devote less attention to payment card data from in-store systems, which will become increasingly difficult to compromise, and more to Social Security data.

Retail, the Report indicates, has been the industry hit hardest by data breaches. Most retail breaches were caused by malware and hacking, with cybercriminals often targeting payment card data.  The financial sector was another frequent victim of data breaches.  In this industry, more than in any other, breaches were caused by insiders – such as employees and service providers – who, through unintentional errors and/or intentional misuse of privileges, compromised the security of company data. The final industry the Report spotlighted was health care, an industry that showed particular vulnerability to physical breaches, as well as to malware and hacking breaches facilitated by the sector’s transition to electronic medical records.  Notably, small businesses, despite possessing less data than large businesses, still accounted for 15% of all breaches reported.  The Report notes that small businesses were susceptible to hacking and malware attacks, and experienced physical breaches at a higher rate than large businesses.

To aid businesses in securing against data breaches, the Report recommends the following:

  1. Implement all 20 of the controls identified in the Center for Internet Security’s Controls for Effective Cyber Defense;
  2. Make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information;
  3. Use strong encryption to protect personal information on laptops, other portable devices, and desktop computers. This step is particularly critical for health care organizations, which, the Report indicates, have lagged behind other sectors in utilizing encryption to secure data; and
  4. Encourage individuals whose Social Security numbers or driver’s licenses have been breached to place fraud alerts on their credit files.