California Attorney General’s Second Annual Data Breach Report Finds Dramatic Increase in Number of Data Breaches
Wednesday, October 29, 2014
California Attorney General’s Second Annual Data Breach Report Finds Dramatic In";
Print Mail Download i

California Attorney General Kamala D. Harris yesterday released the second annual California Data Breach Report.   The report provided statistics and analysis related to data breaches that were reported to the Attorney General’s office in 2013.  The report also outlined suggested best practices and provided recommendations on ways to improve data security.

Statistics

The report documented a clear upward trend in both the number of data breaches and those affected by such breaches.  For instance, in 2013, there were 167 data breaches reported in California, which is an increase of over 28 percent from the 131 data breaches reported in 2012.  Additionally, the records containing personal information of over 18.5 million California residents were compromised in 2013—a 600 percent increase from the previous year.  Even if the two largest data breaches involving retailers were excluded from this calculation, California still experienced a 35 percent increase in the number of records affected by data breaches. 

The report also provided statistics related to the causes of the breaches.  Of the breaches reported, 53 percent of them were caused by computer intrusions  (malware and hacking).  The remaining data breaches were the result of “physical loss or theft of laptops or other devices containing unencrypted personal information (26 percent), unintentional error (18 percent) and intentional misuse by insiders (four percent).”  The report also noted that “the majority of breaches in the health care sector (70 percent) were caused by lost or stolen hardware or portable media containing unencrypted data,” a stark contrast to the “19 percent of such breaches in other sectors.”

Data breach activity has only increased in 2014.  In an interview surrounding the release of the report, Attorney General Harris stated that in the first ten months of 2014, the number of data breaches had spiked 30 percent from last year.  She noted that the rise can partially be attributed to the fact that “we are increasingly adopting technology that is putting our data in systems that are ripe for penetration.”

Best Practices and Recommendations

The report also contained various best practices and recommendations on how to slow the upward trend and decrease the number of data breaches.  The recommendations were particularly geared towards retailers, financial institutions, the health care sector, and the state legislature.  The following is a list of those recommendations:

All Industries

  • “Organizations should conduct risk assessments at least annually and update privacy and security practices based on the findings.”

  • “Organizations should use strong encryption to protect personal information in transit.”

  • “Organizations should improve the readability of their breach notices.”

Retailers

  • “California retailers should move promptly to update their point-of-sale terminals so that they are chip-enabled and should install the software needed to operate this technology.”

  • “California retailers should implement appropriate encryption solutions to devalue payment card data, including encrypting the data from the point of capture until completion of transaction authorization.”

  • “California retailers should implement appropriate tokenization solutions to devalue payment card data, including in online and mobile transactions.”

  • “California retailers should respond promptly to their data breaches and should notify affected individuals in the most expedient time possible, without unreasonable delay.”

  • “California retailers should improve their substitute notices regarding payment card data breaches.”

Retailers and Financial Institutions

  • “California retailers and financial institutions should work together to protect debit cardholders in retailer breaches of unencrypted payment card data.”

Health Care Sector

  • “The health care sector should consistently use strong encryption to protect medical information on laptops and other portable devices, and should consider it for desktop computers.”

Legislative Recommendations

  • “Consider legislation to amend the breach notice law to strengthen substitute notice procedure, clarify the roles and responsibilities of data owners and data maintainers and require a final breach report to the Attorney General.”

  • “Consider legislation to provide funding to support system upgrades for small California retailers.”

This post was written with contributions from Randall Friedland.

© 2024 Covington & Burling LLP

Current Legal Analysis

More from Covington & Burling LLP

Standing Issues in Data Breach Litigation: An Overview
by: Priscilla Fasoro , Lauren Wiseman
Financial Agencies Release Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing
by: Lucille C. Bartholomew
Senate Confirms Kraninger as BCFP Director
by: Luis Urbina
FTC Solicits Public Comment on Identity Theft Detection Rules
by: S. Burr Eckstut
Significant FDA Digital Health Policy Development for Prescription Drug Sponsors
by: Mingham Ji , Christina G. Kuhn
First Significant Pay-to-Play Legislation for the District of Columbia Approved by D.C. Council
by: Kevin Glandon
FTC Settles with PR Firm and Publisher Over Social Media Endorsements
by: Inside Privacy Blog at Covington and Burling
Senate Testimony Highlights Tensions in BSA/AML Reform Efforts as Lawmakers Consider Bipartisan Legislation
by: Sam Adriance
Reprieve in U.S.-China Trade Tensions: U.S. Tariffs on $200 Billion in Chinese Imports to Stay at 10 Percent for 90 Days; China to Purchase U.S. Goods
by: Christopher Adams , John Veroneau
AI Update: FCC Hosts Inaugural Forum on Artificial Intelligence
by: Thomas Parisi

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins