Attorney General Kamala D. Harris Releases Report on Data Breaches; 2.5 Million Californians Had Personal Information Compromised

SAN FRANCISCO -- Attorney General Kamala D. Harris today released the first report detailing the 131 data breaches reported to her office in 2012, showing that 2.5 million Californians had personal information put at risk through an electronic data breach.

The report found that 1.4 million Californians would have been protected if companies had encrypted data when moving or sending the data out of the company’s network.

"Data breaches are a serious threat to individuals' privacy, finances and even personal security,” Attorney General Harris said. "Companies and government agencies must do more to protect people by protecting data."

In 2003, California was the first state to pass a law (AB 700, Simitian) mandating data breach notification, which requires businesses and state agencies to notify Californians when their personal information is compromised in security breach. In 2012, companies and state agencies subject to the law were required for the first time to report any breach that involved more than 500 Californians to the Attorney General’s Office. (SB 24, Simitian)

While not required by law, Attorney General Harris is issuing this report that analyses the data breach notices reported in 2012, provides information to the public about those breaches, and makes recommendations to companies, law enforcement agencies, and the legislature about how data security could be improved. Those recommendations include practices that would decrease the number of data breaches, make it easier for consumers to recover from the loss or theft of their personal information, and call for law enforcement agencies to more aggressively target breaches involving unencrypted personal information.

First, companies should encrypt digital personal information when moving or sending it out of their secure network.  In 2012, encryption would have prevented reporting companies and agencies from putting over 1.4 million Californians at risk. The Attorney General’s Office will make it an enforcement priority to investigate breaches involving unencrypted personal information.

In addition, companies should review and tighten their security controls on personal information, including training employees and contractors.

Companies should make the breach notices they send easier to read. The report found that the average reading level of the notices submitted in 2012 was 14th grade, much higher than the average U.S. reading level of 8th grade. Recipients need to be able to understand the notices so that they can take appropriate action to protect their information.

Finally, the report recommends that legislators consider expanding the law to require notification of breaches involving passwords. Attorney General Harris is supporting legislation, SB 46 by Senator Ellen Corbett, which would require notification of a breach involving a user name or email address, in combination with a password or security question and answer that would permit access to an online account.

Additional key findings of the report include:

• The average (mean) breach incident involved the information of 22,500 individuals. The median breach size was 2,500 affected individuals, with five breaches of 100,000 or more individuals’ personal information.
• More than 1.4 million Californians would not have been put at risk, and 28 percent of the data breaches would not have required notification, if the data had been encrypted.
• The retail industry reported the most data breaches in 2012: 34 (26 percent of the total reported breaches), followed by finance and insurance with 30 (23 percent).
• More than half of the breaches (56 percent) involved Social Security numbers, which pose the greatest risk of the most serious types of identity theft.
• More than half of the breaches (55 percent) were the result of intentional intrusions by outsiders or by unauthorized insiders. The other 45 percent were largely the result of failures to adopt or carry out appropriate security measures.

Attorney General Harris established the Privacy Enforcement and Protection Unit in 2012 to enforce federal and state privacy laws regulating the collection, retention, disclosure, and destruction of private or sensitive information by individuals, organizations, and the government. This includes California’s Online Privacy Protection Act, as well as laws relating to cyber privacy, health and financial privacy, identity theft, government records and data breaches.

In October 2012, Attorney General Harris announced a settlement with Anthem Blue Cross over allegations the company breached its members’ personal data by failing to protect their Social Security Numbers.

A complete copy of the data breach report and a list of all 131 breaches are attached to the online version of this release at http://oag.ca.gov.

To learn more about the Attorney General’s privacy work, visit http://oag.ca.gov/privacy.