An estimated 2.5 million Californians had personal information put at risk in 2012 through some type of electronic data breach, according to the office of the state's Attorney General, Kamala Harris. A total of 131 data breaches were reported to her office during the year, according to a report released Monday.
The report from the AG's office found that 1.4 million Californians would have been protected if companies had encrypted data when moving or sending the information outside the company's network.
California's data breach notification law, the first in the nation, took effect in 2003; it requires businesses and state agencies to notify Californians when their personal information is compromised in a security breach. In 2012, companies and state agencies subject to the law were required for the first time to also report to the AG's office any breach that involved more than 500 Californians.
The report listed ways to improve data security.
First, companies should encrypt digital personal information when moving or sending it outside their secure network. The AG's office will make it an enforcement priority to investigate breaches involving unencrypted personal information.
Also, companies should review and tighten security controls on personal information, including training employees and contractors.
Companies should make the breach notices easier to read. The report found that the average reading level of the notices submitted last year was 14th grade, much higher than the average U.S. reading level of 8th grade. Recipients need to be able to understand the notices so that they can take appropriate action to protect their information.
Finally, the report recommends that legislators consider expanding the law to require notification of breaches involving passwords. Harris supports legislation that would require notification of a breach involving a user name or email address, in combination with a password or security question and answer that would permit access to an online account.
Additional key findings:
The average (mean) breach incident involved the information of 22,500 individuals. The median breach size was 2,500 affected individuals, and five breaches involved the personal information of 100,000 or more individuals each.
More than 1.4 million Californians would not have been put at risk, and 28% of the data breaches would not have required notification, if the data had been encrypted (the law's notification requirement applies to unencrypted personal information).
The retail industry reported the most data breaches in 2012: 34 (26% of the total reported breaches), followed by finance and insurance with 30 (23%).
More than half of the breaches (56%) involved Social Security numbers, which pose the greatest risk of the most serious types of identity theft.
More than half of the breaches (55%) were the result of intentional intrusions by outsiders or by unauthorized insiders. The other 45% were largely the result of failures to adopt or carry out appropriate security measures.