On October 28, 2014, the California Attorney General (“AG”) released its second annual report detailing the security breaches reported to the AG’s office in 2013, and provided recommendations to both the industry and lawmakers to reduce security breaches and the harm caused by them. The AG called out the payment card industry, retailers, and the healthcare industry to make specific improvements.  Here is an outline of the recommendations made in the report:

• Retailers should:
  • Update point of sale terminals so that they are chip-enabled, and install software necessary to operate this technology: The United States has been slow to adopt chip technology for payment cards.  When the United Kingdom adopted the technology, counterfeit card fraud losses reportedly fell by 34%. The technology reduces fraud tied to face-to-face transactions, which still account for the vast majority of payment card transactions. Retailers will play a significant role in the implementation of chip technology in the U.S., but the incentive is there—not only due to the massive retailer breaches in 2014, but also because, in 2015, the payment card networks will shift liability to retailers for counterfeit fraud resulting from transactions involving a chip card used at a terminal that is not chip-enabled.
  • Implement encryption solutions to devalue payment card data that falls into unauthorized hands: Encryption technology will help to reduce fraud not only in face-to-face transactions, but also in online and mobile transactions. Data should be encrypted by retailers from the point of capture until the completion of transaction authorization. So long as the decryption key is not stolen, the value of stolen encrypted card data is reduced because the data is not readable.
  • Implement tokenization solutions to devalue payment card data that falls into unauthorized hands:Tokenization differs from encryption because, with tokenization, payment card data is replaced with a random number (the “token”) rather than using a mathematically reversible algorithm. Tokenization is effective in securing online and mobile transactions because the data captured by a hacker is not usable. In addition, it limits the amount of cardholder data that is stored in the retailers’ payment environment, which also makes PCI compliance simpler for the retailers.
  • Respond promptly to data breaches and notify affected individuals in the most expedient time possible, without unreasonable delay: The report points to notification delays by companies that sometimes last months.
  • Improve substitute notices regarding payment card breaches: The AG explains that retailers often must use a substitute notice method because retailers do not have access to the home addresses of their customers. The AG recommends that substitute notices be made more conspicuous on retailer websites, and that notices remain available for at least 30 days. Retailers should also update the notice as more information is known about the incident. Also, the notice should tell individuals how to protect themselves, and the advice should differ based on the type of data involved. For example, credit monitoring is very useful for breaches involving SSNs, but the AG indicates that the best response to a breach involving a debit card number is to cancel the card immediately.
• Retailers and financial institutions should:
  • Work together to protect debit card holders in retailer breaches of unencrypted payment card data: The AG explains in the report that the impact to victims of debit card fraud is particularly severe, and that credit monitoring and online account monitoring are not sufficient protection to the consumer. Rather, the best action is to promptly cancel the card. The AG acknowledges that this course of action may result in additional burdens on the issuing banks, but the AG encourages those involved in the payment card industry to work together to resolve that issue.
• The healthcare sector should:
  • Consistently use strong encryption to protect medical information on laptops and on other portable devices, and should consider the same for desktop computers:The AG report calls out the healthcare industry for frequently being the victim of lost and stolen mobile devices (including laptops) that contain unencrypted sensitive healthcare information. There are technologies to prevent these breaches, in particular full disk strong encryption. The AG strongly encourages those in the healthcare industry to employ encryption technologies to prevent future breaches.
• All industries should:
  • Conduct risk assessments at least annually: Organizations handling sensitive personal information should annually review and update their privacy and security practices and policies. Technologies and business practices evolve rapidly, and the industry must respond to the changes. In particular, the AG recommends annual training of employees and service providers who handle sensitive information.
  • Use strong encryption to protect personal information in transit:Many breaches can be prevented by the use of strong encryption of data sent by email stored on laptops or portable media.
• California legislature should:
  • Consider legislation to amend breach notice law to strengthen the substitute notice procedure, clarify the roles and responsibilities of data owners and data maintainers, and require a final breach report to the AG:The AG notes that in responding to breaches, data owners and their vendors have different responsibilities under state breach notice laws. However, their roles are not very clear under those laws. Accordingly, the AG recommends legislation to clarify which entity is responsible for what action in the event that a breach involves both a data owner and its vendor.
  • Consider legislation to provide funding to support system upgrades for small California retailers.