Encryption is Key to Limiting Company Exposure for Data Security Breaches


Companies doing business in California may find themselves targeted for investigation if they fail to encrypt personal information, according to a recent report issued by the California Attorney General’s office.   Last week, California Attorney General Kamala D. Harris released a report stating that the AG’s Office will investigate breaches involving unencrypted personal information and urged law enforcement agencies to prioritize these investigations, noting that data breaches in California exposed more than 2.5 million residents to the risk of identity theft in 2012 and that 1.4 million Californians could have been protected from this risk had their personal data been encrypted.  “Data breaches are a serious threat to individuals' privacy, finances and even personal security," Harris said. "Companies and government agencies must do more to protect people by protecting data."

The report’s recommendations are intended to strengthen and supplement the protections established by California’s 2002 data breach notification law (Cal. Civ. Code 1798.82 and 1798.29) (the “Breach Notification Law”).  These laws require government agencies and private companies, respectively, to disclose any breach of unencrypted security information to any California resident whose personal information has been, or is reasonably believed to have been, acquired by an unauthorized person.  Although the Breach Notification Law provides a safe harbor for companies which encrypt personal data by exempting them from the statute’s notification requirements, according to the AG, this “carrot” has not been a sufficient motivator: organizations are still not encrypting personal information and consequently are “subjecting too many Californians to a risk that is eminently avoidable.”

The AG also recommended enacting a law to require the use of encryption to protect personal information on portable devices, media and in email and suggested that “an appropriate encryption standard might be FIPS 197, the National Institute of Standards and Technology’s standard approved for U.S. Government organizations to protect higher risk information.”

Encryption was not the report’s entire focus. The AG also recommended additional security and disclosure measures for companies storing or transmitting personal information from their secure networks.  These measures include requiring companies to:

  • Review and tighten security controls on personal information, including security training for the company’s employees and contractors;
  • Make breach notices more plainly comprehensible to individuals whose data may have been compromised;
  • Offer damage mitigation products, such as credit card monitoring, and provide information on other protective measures to individuals whose social security and/or driver’s license numbers have been exposed; and
  • Notify individuals when there has been a breach of online security credentials (e.g. user names and passwords).

The AG’s recommendations also include broadening disclosure requirements under the Breach Notification Law to require the disclosure of any breach of online credentials such as usernames and passwords.  Such information is not presently deemed “personal information,” as defined in the statutes.  The report notes that such breaches not only create vulnerabilities for personal and corporate security, but can also be exploited to launch cyber-attacks on public infrastructure and government networks. 

The recommendations in the report, if enacted, would set a substantially higher standard for the storage and transmission of personal information.  Companies should consider getting ahead of this trend by upgrading their network and security measures and policies, including developing data encryption for transmitting personal data and providing employee training on data security policies and procedures.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Cohen & Gresser LLP | Attorney Advertising

Written by:


Cohen & Gresser LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.