On Monday, California Attorney General Kamala Harris released a data breach report for the first time; the report details 131 data breaches reported to the CA AG’s office, which collectively exposed the personal information of 2.5 million Californians. 56% of the breaches involved Social Security numbers, a category of disclosure that creates a heightened risk of identity theft.
“Data breaches are a serious threat to individuals’ privacy, finances and even personal security,” Attorney General Harris said. “Companies and government agencies must do more to protect people by protecting data.”
The report contains recommendations to companies, law enforcement agencies, and the legislature about how data security could be improved, including:
- Encrypt digital personal information when moving or sending it out of their secure network. The report states that 1.4 million Californians would have been protected if companies had encrypted data when data traveled outside the company’s network and indicates that the AG’s office will make it an enforcement priority to investigate breaches involving unencrypted personal information.
- Review and tighten their security controls on personal information, including training employees and contractors. The report states that computer intrusions, by outsiders and malicious insiders, accounted for over half of the reported breaches in 2012.
- Make breach notices easier to read so recipients can take appropriate action to protect their information. The report found that the average reading level of the notices submitted in 2012 was 14th grade, much higher than the average U.S. reading level of 8th grade.
- Offer mitigation products or provide information on security freezes to victims of breaches involving Social Security numbers or driver’s license numbers. The report notes that breaches that compromise Social Security or driver’s license numbers expose victims to the risk of one of the most serious types of identity theft, new account fraud. In 29% of the 2012 breaches of this nature, however, no credit monitoring or other mitigation product was offered to victims.
- For legislators, consider expanding California’s law to require notification of breaches involving passwords. Attorney General Harris currently supports Senate Bill 46 (Corbett), which would require notification of a breach involving a user name or email address, in combination with a password or security question and answer, that would permit access to an online account.
In 2003, California was the first state to pass data breach legislation, which requires CA businesses and state agencies to notify Californians if their personal information was compromised. In 2012 this legislation was amended to require notification to the Attorney General where a breach involved more than 500 Californians. A list of the 131 breaches reported to the CA AG’s office in 2012 can be found here.