As many as three in five Californians may have been data breach victims in 2015, according to a report released by the state’s Department of Justice. The report is accompanied by recommendations from the California Attorney General for organizations, businesses, and lawmakers on how to protect against data breaches and points to a specific set of actions that companies and organizations should start with to meet state and federal mandates of reasonable security.
Data breaches. The “California Data Breach Report 2012-2015” found that 657 data breaches compromised more than 49 million records of Californians’ personal information during that four-year period. In 2015, 178 breaches placed 24 million records of Californians at risk.
“Government and the private sector have a shared responsibility to safeguard consumers from threats to their privacy, finances, and personal security,” said state Attorney General Kamala D. Harris. “California is leading the nation with measures to prevent data breaches, but we can do better.”
The report reveals that Social Security numbers, payment card data, and medical information were the top three types of data breached over the past four years. The retail sector accounted for 24 percent of breaches and 42 percent of records breached. The financial sector came in second, with 18 percent of breaches and 26 percent of records, with SSNs being the most common breached data. Healthcare industry accounted for 16 percent of breaches, with small businesses representing 15 percent.
Recommendations for organizations. The report listed a number of recommendations for organizations to take to reduce the frequency of impact of future breaches. These include:
- adopting the Center for Internet Security’s Critical Security Controls as the start of a comprehensive information security program;
- making multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information;
- consistently using strong encryption to protect personal information on laptops and other portable devices; and
- encouraging individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files.
Recommendations for state policy makers. Although data breach proposals in Congress would eliminate the states’ so-called “patchwork” of laws, the report states that those proposals would “lower the bar,” thereby providing less consumer protection for Californians. The report recommends that state legislators and attorneys general identify common patterns in their laws and reduce differences in order to simplify compliance, preserve consumer protections, and remain flexible in adapting to changing threats.
For more information about data breaches, subscribe to the Banking and Finance Law Daily.