California AG Releases Data Breach Report, Proposes Data Security Policy Changes


On July 1, California Attorney General Kamala Harris (AG) released a report analyzing data breaches reported to her office in 2012, the first year companies were required to report to the AG any breach involving more than 500 state residents. The report identifies 131 data breach incidents that put the personal information of 2.5 million individuals at risk. The AG noted that the report is not required by the law, but provides support for the AG’s recommendations to companies, law enforcement agencies, and the legislature about how data security could be improved. Those policy recommendations focus on (i) data encryption, (ii) information security, (iii) notice letters, and (iv) the definition of personal information.

Specifically, the AG claimed that the information for 1.4 million Californians would have been protected if companies had encrypted data, and urged companies to encrypt digital personal information when moving or sending it out of their secure network. The AG pledged to prioritize enforcement investigations of breaches involving unencrypted personal information. The AG’s report notes that a large percentage of breaches surveyed resulted from the failure of information security controls and references requirements under state law to protect the personal information of California residents.

The AG also stated that companies should make their data breach notices to consumers easier to read, and that the state legislature should consider expanding breach notice requirements to cover breaches involving passwords. The AG highlighted a pending bill, SB 46, that would revise the notice requirement’s definition of personal information to require reporting of breaches involving information that would permit access to an online account: a user name or email address, in combination with a password or security question and answer. That bill has already passed the state Senate and was approved by the Assembly’s Judiciary Committee. It is scheduled to be considered by the Assembly’s Appropriations Committee on July 3, 2013.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© BuckleySandler LLP | Attorney Advertising
