By Randall Friedland
California Attorney General Kamala D. Harris yesterday released the second annual California Data Breach Report. The report provides statistics and analysis on the data breaches reported to the Attorney General's office in 2013 (California's breach notification law requires notice to the Attorney General when a breach affects more than 500 California residents, so the figures cover those reported incidents rather than every breach). The report also outlines suggested best practices and makes recommendations for improving data security.
Statistics
The report documented a clear upward trend in both the number of data breaches and the number of people affected by them. In 2013, 167 data breaches were reported in California, an increase of roughly 28 percent over the 131 breaches reported in 2012. The personal information of more than 18.5 million California residents was compromised in 2013, a 600 percent increase over the previous year. Even with the two largest breaches (both involving retailers) excluded from the calculation, California still saw a 35 percent increase in the number of records affected by data breaches.
The report also broke down the breaches by cause. Of the breaches reported, 53 percent were caused by computer intrusions (malware and hacking). The remainder resulted from "physical loss or theft of laptops or other devices containing unencrypted personal information (26 percent), unintentional error (18 percent) and intentional misuse by insiders (four percent)." The report also noted that "the majority of breaches in the health care sector (70 percent) were caused by lost or stolen hardware or portable media containing unencrypted data," a stark contrast to the "19 percent of such breaches in other sectors." In other words, most of the health care breaches were not sophisticated attacks but lost devices whose data could have been protected by encryption at rest, which is the basis for the report's health care recommendation below.
Data breach activity has only increased in 2014. In an interview surrounding the release of the report, Attorney General Harris stated that in the first ten months of 2014 the number of data breaches had spiked 30 percent compared with the prior year. She noted that the rise can partially be attributed to the fact that "we are increasingly adopting technology that is putting our data in systems that are ripe for penetration."
Best Practices and Recommendations
The report also contained a set of best practices and recommendations aimed at reversing the upward trend in breaches. The recommendations are directed in particular at retailers, financial institutions, the health care sector, and the state legislature, and are quoted below:
All Industries
- “Organizations should conduct risk assessments at least annually and update privacy and security practices based on the findings.”
- “Organizations should use strong encryption to protect personal information in transit.”
- “Organizations should improve the readability of their breach notices.”
Retailers
- “California retailers should move promptly to update their point-of-sale terminals so that they are chip-enabled and should install the software needed to operate this technology.”
- “California retailers should implement appropriate encryption solutions to devalue payment card data, including encrypting the data from the point of capture until completion of transaction authorization.”
- “California retailers should implement appropriate tokenization solutions to devalue payment card data, including in online and mobile transactions.”
- “California retailers should respond promptly to their data breaches and should notify affected individuals in the most expedient time possible, without unreasonable delay.”
- “California retailers should improve their substitute notices regarding payment card data breaches.”
Retailers and Financial Institutions
- “California retailers and financial institutions should work together to protect debit cardholders in retailer breaches of unencrypted payment card data.”
Health Care Sector
- “The health care sector should consistently use strong encryption to protect medical information on laptops and other portable devices, and should consider it for desktop computers.”
Legislative Recommendations
- “Consider legislation to amend the breach notice law to strengthen substitute notice procedure, clarify the roles and responsibilities of data owners and data maintainers and require a final breach report to the Attorney General.”
- “Consider legislation to provide funding to support system upgrades for small California retailers.”