If You Care About the Security of Your Online Data or Just Love Charts, This Report is For You

Californians are a diverse bunch (as you’ve probably gathered from those commercials with Arnold Schwarzenegger), but apparently there is something that 2.5 million of us all have in common.  California Attorney General Kamala Harris has released a first-of-its-kind data breach report  that includes statistics, recommendations and assessments based on breaches that were reported to the Attorney General’s office during the 2012 calendar year.  The most notable/alarming finding is that in 2012, 2.5 million California residents had personal information compromised in connection with a data breach.  That’s roughly equal to the populations of San Diego, San Francisco and Oakland combined.

California was the first to pass a data breach notification law (California Civil Code Sections 1798.29(a) and 1798.82(a)) ten years ago, but 2012 was the first year in which organizations who issue certain types of data breaches were also required to notify the office of the Attorney General.  In total, 131 data breaches were reported  by 103 different entities, with the average breach incident involving 22,500 individuals.   According to the Breach Report, more than half of the breaches involved social security numbers and more than half were the result of intentional acts by an unauthorized individual.   California is the first state to compile a comprehensive review of reported breaches and the results provide important information and other states should take up the example.

The Breach Report includes recommendations for the California legislature and the state’s enforcement agencies, but arguably the most important recommendations are those directed at the providers of online services:

• Encryption – If your online service collects personally identifiable information and does not encrypt it, expect very little sympathy from Attorney General Harris following a breach.  In the message preceding the Breach Report, Attorney General Harris calls the failure of companies to encrypt sensitive personal information “particularly striking,” and notes that if encryption had been used, over 1.4 million of the Californians would not have had their data put at risk in 2012.  As noted in the Breach Report, California’s data breach notification law includes an incentive to encrypt data in the form of an exemption for certain data breach incidents from the notification requirements where the personally identifiable information that was accessed was encrypted.  If that isn’t enough motivation, however, the Breach Report also warns that the Attorney General’s Office intends to make the investigations of breaches involving unencrypted personal information a priority, and will encourage other enforcement agencies to do the same.
• Security Through Training – As noted above, more than half of the breaches that were reported in 2012 were the result of an intentional act by outsiders or malicious insiders.  The Attorney General’s office recommends that companies that collect private information review their security procedures on an ongoing basis to make sure that their security controls remain up to date.  As part of this process, the Attorney General’s office recommends regular training for employees and contractors to ensure that best practices are implemented and updated to address new threats.
• Stop With the Fancy Talk – The average reading level of individuals in the United States is 8^thgrade.  A survey conducted by the Attorney General’s office using data breach notification samples provided by organizations in connection with reported breaches found that the average notification was written at a 14^th-grade level.  The Breach Report emphasizes that the point of such notices is to ensure that each recipient can understand its contents.  Generally this is an important point to keep in mind for any notification, terms or policy that is intended for your consumers, including your privacy policy.
• Be Prepared to Offer Credit Monitoring Assistance – The Breach Report found that in 29% of the most serious types of breaches (those involving Social Security or driver’s license numbers), credit monitoring services were not offered to the consumers whose information was put at risk.  Attorney General Harris noted that clearing up this type of identity theft can be both costly and time-consuming, but that protective measures provided by the company who experienced the breach can help to limit ongoing risks.

Perhaps the biggest take-away for providers of online services, however, is how common data breaches have become.  The data and statistics included in the report demonstrate that data breaches happen across all industry sectors, in all sizes of companies, with all types of data and in a number of different ways.  The time to prepare your company for a data breach is before it happens, rather than after.  Nobody wants to be on this list, but if you do experience a data breach, having a plan in place will help keep your sleepless nights to a minimum.