A report released Tuesday from the California Attorney General’s Office found that between 2012 and 2015, there were 657 data breaches in the state, which compromised over 49 million records of Californians’ personal information.
The report, discussed by Attorney General Kamala Harris at the Stanford Cyber Initiative, is accompanied by recommendations from the Attorney General for organizations, businesses and lawmakers on how to protect against data breaches, and points to a specific set of actions that companies and organizations should start with to meet the state and federal mandates of reasonable security.
“Government and the private sector have a shared responsibility to safeguard consumers from threats to their privacy, finances, and personal security,” said Harris. “California is leading the nation with measures to prevent data breaches, but we can do better. This report clearly articulates basic steps that businesses and organizations must take to comply with the law, reduce data breaches, and better protect the public and our national security.”
Last year, 178 breaches placed 24 million records of Californians at risk. This means that as many as three in five Californians may have been victims of a data breach in 2015 alone.
The report includes information on the most common types of data breached, explains what types of breaches different industry sectors were most susceptible to, and provides recommendations to reduce the frequency and impact of future breaches.
Social Security numbers, payment card data, and medical information were the top three types of data breached over the past four years.
According to the report, the retail sector has been the most vulnerable industry, accounting for 24 percent of breaches and 42 percent of records breached in the past four years. The financial sector accounts for the second largest share of breaches at 18 percent, and 26 percent of records breached. Social Security numbers are the most common data breached in this sector.
The healthcare industry was the third most frequent target, accounting for 16 percent of breaches, and continues to be particularly vulnerable to physical breaches.
Small businesses represent 15 percent of all reported breaches.
The state’s eCrime Unit was established in 2011 and is tasked with investigating and prosecuting large-scale identity theft, technology crimes, and crimes that target electronic devices, networks, or intellectual property. In 2012, Harris established the Privacy Enforcement and Protection Unit to enforce and regulate state and federal laws regulating the collection, retention, disclosure, and destruction of personal information, as well as to educate organizations and consumers on privacy responsibilities and rights.
The Attorney General’s Office recommends organizations adopt the Center for Internet Security’s Critical Security Controls as the start of a comprehensive information security program. The Attorney General’s Office stated not doing so would be indicative of an organization’s failure to provide reasonable security. In 2004, California passed its information security statute (AB 1950, Wiggins), which requires businesses that collect personal information to use “reasonable security practices and procedures.” In 2003, California became the first state to mandate data breach notification, requiring businesses and state agencies to inform consumers when a security breach compromises their personal information (AB 700, Simitian). As of 2012, any breach involving more than 500 Californians must be reported to the Attorney General’s Office.
The Attorney General’s Office also recommends organizations:

Make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information. This procedure provides greater protection than the username-and-password combination typically used for online shopping accounts, health care websites and patient portals, and web-based email accounts.

Consistently use strong encryption to protect personal information on laptops and other portable devices, and consider using it for desktop computers. This is particularly important for health care, which appears to be lagging behind other sectors in this area.

Encourage individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files. This measure is free, fast, and effective in preventing identity thieves from opening new credit accounts.