On February 16, California AG Kamala Harris released a report analyzing data breaches reported to her office from 2012 through 2015. For that period, the report identifies 657 data breaches that compromised more than 49 million Californians’ personal information. The report summarizes the scope of California’s existing breach notice law and notes that notification laws in 46 other states were modeled after California’s original law.

According to the report, federal data breach proposals currently under consideration in Congress would, among other things, (i) set the consumer protection bar very low; (ii) infringe on state-based innovation; (iii) encroach on enforcement by state attorneys general; (iv) narrowly define harm and personal information; and (v) set “overly rigid timelines for notification.”

The report provides recommendations for organizations and state policymakers on how to improve data security. Specifically, the report recommends that organizations: (i) adopt the Center for Internet Security’s Critical Security Controls relevant to the organization’s specific environment; (ii) use multi-factor authentication to protect critical systems and data, and make multi-factor authentication available on consumer-facing online accounts containing sensitive personal information; (iii) consistently use strong encryption to protect personal information on laptops and other portable devices; and (iv) encourage persons affected by a breach of Social Security or driver’s license numbers to place a fraud alert on their credit files. Finally, the report recommends that state policymakers “collaborate in seeking to harmonize state breach laws on some key dimensions.”