Over 20 Million Customer Accounts Affected by Data Breaches in California; Attorney General Harris Promises Increased Enforcement
When you think of catastrophic events that take place online and have a devastating effect on millions of people, you probably think of HBO Go crashing during the True Detective finale. However, California Attorney General Kamala Harris wants to remind you that you should be thinking about data breaches. New data and statements released by the office of Attorney General Harris disclose that more than 20 million customer accounts been affected over the past two years by the ever-increasing number of data breaches, and also provide insight into the central role the Attorney General’s office hopes to play in remedying the problem.
Since 2012, California has required companies and governmental agencies to submit copies of data breach notices mailed to California residents if the breach incident involves more than 500 Californians. Last year, Attorney General Harris released a first-of-its-kind Data Breach Report that provided in-depth analysis of the numbers behind the breach incidents reported in 2012, including a snapshot of how many individuals were affected. Although a follow-up Data Breach Report for 2013 isn’t scheduled for release until spring, a new report issued by the Attorney General’s office (Cybersecurity in the Golden State) and data released separately to the Associated Press includes alarming statistics about the rate of increase of cyberattacks. According to the Attorney General’s office, 21.3 million customer accounts have been exposed by data breach incidents over the past two years in connection with 300 separate data breach incidents. Based on the number of incidents reported in 2012, that means that the number of data breach incidents increased by 30% in 2013. We expect that figure will increase substantially again during the 2014 calendar year, as California’s newly-effective expansion of its data breach notification law has broadened the type of data that may trigger notification requirements.
Not surprisingly, in response to the rapid growth of cyberincidents Attorney General Harris intends to step up her office’s role in educating the public. For online service providers trying to get a better handle on security threats, Cybersecurity in the Golden State provides a solid starting point. The report describes a number of common security threats and a proposes steps that should be taken to reduce risk, such as data encryption, use of secure browser connections and implementation of a breach response plan. Perhaps most importantly, the report includes statistics aimed at driving the point home that targeted cyberattacks should be a concern of all businesses, not just high-profile retailers and service providers. For example, in 2012 50% of targeted cyberattacks were aimed at businesses with less than 2,500 employees and 31% were aimed at businesses with less than 250 employees. Or, to put it another way, “[s]mall size and relatively anonymity no longer ensure you will be left alone.”
Attorney General Harris also announced that her office would be leading a multistate investigation of data breach incidents at Target Corp. and Neiman Marcus; noting that from the Target breach alone, over 7 million California residents were affected. The multistate investigation will be directed toward establishing whether Target and Neiman Marcus had appropriate security control in place prior to their respective incidents, and whether the retailers responded appropriately after discovery of the incidents.
For online service providers, this new announcement by the Attorney General is yet another reminder that increased enforcement is coming and there is no time like the present to audit security practices and perform a risk assessment. Although the Cybersecurity report is careful to clarify that the recommended protective steps are not regulations, mandates or legal opinions, following a number of heavily-publicized breach incidents, not being informed regarding the potential risks will certainly not meet the standard of “reasonable” security measures required by law.