In a report issued July 1, 2013, the California Attorney General, Kamala Harris, notes that more than 2.5 million Californians were “put at risk” by data breaches in 2012. The Data Breach Report 2012 (“the Report” or “the Data Breach Report”) cites key findings: 131 data breaches reported to the AG in 2012; the average breach incident involved 22,500 individuals; more than 28% of the breaches would not have required notification if the data had been encrypted; the retail industry reported the most data breaches; and, more than half of the breaches were the result of intentional intrusions by outsiders or unauthorized insiders. See link to AG website: http://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-releases-report-data-breaches-25-million.
Notably, Attorney General Harris provides some recommendations:
- Companies should encrypt digital personal information
- Companies and agencies should review and tighten security controls
- Companies and agencies should improve readability of breach notices
- Companies and agencies should offer mitigation products
- And, in a message to the Legislature – amend the breach notification law to require notification of breaches of online credentials, such as user name and password
This last recommendation would appear to significantly alter the notification landscape as there are numerous breaches that do not fall within the reporting/notifying criteria given the nature of the information impacted. States with notification statutes have used a variety of ways to define personal information (e.g., SSNs, bank information, routing numbers, taxpayer IDs) and typically the definition is based on the assumption that access to such information leaves a resident of that state more susceptible to some type of credit or financial fraud. The Data Breach Report notes that, in recent years, intrusions online have targeted passwords and other account credentials, which then allows criminals access to the account information (specifically referencing news reports on Sony, Yahoo!, the New York Times and Twitter). The Report highlights the social engineering aspect of data security: most consumers do not use unique passwords for all of their accounts. A takeover of one account may result in access to all, “including banking and other supposedly secure accounts.”
The Report specifies that the incidents reported on were submitted to the AG in 2012, while some occurred earlier and some breaches that occurred in 2012 were reported in 2013. Also, the Report does not cover the universe of data breaches, given that the notification law requires reporting to the AG only on breaches of electronic data affecting more than 500 individuals.
Another recommendation to the Legislature is a law to require the use of encryption to protect personal information on portable devices and media and in email. Other than the statutory suggestions, the Report serves as a guidepost for businesses, given the admonishments regarding improvement for security, clarity/accessibility in the actual notification texts and encouraging the notifying entities to offer credit security freezes. With respect to the last point, the Report underscores another serious type of ID theft: new account fraud.