Attorney General Kamala D. Harris Releases Data Breach Report; Over 49 Million Records of Californians’ Personal Information Put at Risk in Last Four Years
Types of Data Breached
- Social Security numbers, payment card data, and medical information were the top three types of data breached over the past four years.
- The retail sector has been the most vulnerable industry, accounting for 24% of breaches and 42% of records breached in the past four years.
- The financial sector accounts for the second largest share of breaches at 18%, and 26% of records breached. Social Security numbers are the most common data breached in this sector.
- The healthcare industry accounts for 16% of breaches, and continues to be particularly vulnerable to physical breaches.
- Small businesses represent 15% of all reported breaches.
Recommendations for Organizations
- Adopt the Center for Internet Security’s Critical Security Controls as the starting point of a comprehensive information security program; failing to implement them would be indicative of a failure to provide reasonable security.
- Make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information. Multi-factor authentication provides greater protection than the username-and-password combination typically used for online shopping accounts, health care websites and patient portals, and web-based email accounts.
- Consistently use strong encryption to protect personal information on laptops and other portable devices, and consider using it for desktop computers. This is particularly important for health care, which appears to be lagging behind other sectors in this area.
- Encourage individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files. This measure is free, fast, and effective in preventing identity thieves from opening new credit accounts.
Recommendations for State Policy Makers
- Collaborate to harmonize state breach laws on key dimensions. Such an effort could reduce the compliance burden for companies, while preserving innovation, maintaining consumer protections, and retaining jurisdictional expertise.
As data threats evolve, California must remain at the forefront of identifying and implementing creative and effective ways to fend off attackers. In 2004, California passed its information security statute (AB 1950, Wiggins), which requires businesses that collect personal information to use “reasonable security practices and procedures.” In 2003, California became the first state to mandate data breach notification, requiring businesses and state agencies to inform consumers when a security breach compromises their personal information (AB 700, Simitian). As of 2012, any breach involving more than 500 Californians must be reported to the Attorney General’s Office (SB 24, Simitian).
Attorney General Harris has invested the best talent and resources of the California Department of Justice into the fight for cyber security. In 2011, she created the eCrime Unit, which is tasked with investigating and prosecuting large-scale identity theft, technology crimes, and crimes that target electronic devices, networks, or intellectual property. In 2012, Attorney General Harris established the Privacy Enforcement and Protection Unit to enforce and regulate state and federal laws regulating the collection, retention, disclosure, and destruction of personal information, as well as to educate organizations and consumers on privacy responsibilities and rights.
Furthermore, a number of recommendations from Attorney General Harris’s previous data breach reports have been enacted into law. SB 46 (Corbett), which took effect in January 2014, added online account credentials to the list of personal data covered under SB 24 (Simitian). In 2014, AB 1710 (Dickinson) was enacted, requiring the source of a breach of such data to offer identity theft prevention or mitigation services at no cost to the affected person and for no less than 12 months. The law took effect in January 2015. In 2015, SB 570 (Jackson) amended the breach law to require the use of a format for breach notices that makes them easier to understand. It took effect in January 2016.
View the full California Data Breach Report February 2016.