California AG Releases Data Breach Report | Practical Law

On July 1, 2013, California's Attorney General released Data Breach Report 2012. The report analyzes data breaches reported to the Attorney General's office in 2012, provides information about those breaches, and makes recommendations to companies, law enforcement agencies and legislators about how data security could be improved.

Practical Law Legal Update 8-533-2986 (Approx. 3 pages)

by Practical Law Intellectual Property & Technology
Published on 03 Jul 2013, USA (National/Federal)
On July 1, 2013, California's Attorney General, Kamala D. Harris, released Data Breach Report 2012. While not required by law, the Report summarizes the Attorney General's Office's key findings regarding the data breaches reported to the Attorney General's office during 2012.
California's data breach notification law was amended in 2011 to require companies to provide copies of data breach notifications to the Attorney General for breaches involving more than 500 Californians. In 2012, 131 data breaches were reported. Among other facts, the report notes that:
  • The average breach incident involved the information of 22,500 individuals.
  • The retail industry reported the most breaches, followed by the finance and insurance industries.
  • More than half of the breaches involved Social Security numbers.
  • While more than half of the breaches were the result of external or unauthorized internal intrusions, the others were the result of companies failing to undertake adequate security measures.
The report includes recommendations to companies, law enforcement agencies and legislators about how data security could be improved. Specifically, the Attorney General recommends:
  • Companies should encrypt digital personal information when in transit out of secure networks. The Attorney General’s Office noted that in the future it will focus on investigating breaches involving unencrypted personal information and encouraging other law enforcement agencies to engage in similar investigations.
  • Companies and agencies should review and tighten their internal controls on personal information, including training employees and contractors.
  • Companies and agencies should improve the readability of breach notices. The report noted that the average reading-grade level of the breach notices submitted was 14, whereas the average reading-grade level in the US is 8.
  • For breaches involving Social Security numbers or driver's license numbers, companies and agencies should offer mitigation products or provide information on security freezes. The report identifies breaches involving Social Security numbers or driver's license numbers as the most serious breaches, but notes that companies offered credit monitoring and other mitigation products to the victims in only 29 percent of such breaches.
  • California legislators should consider amending the breach notification law to require notification of breaches of online credentials, such as user name and password. While online credentials are not currently covered under California law, the office noted that breaches involving such information are increasingly common. The report also noted that the legislature may want to consider requiring the use of encryption to protect personal information in transit.