A report recently issued by the California Attorney General reveals that millions of Californians were the victims of a data breach in 2012, mostly due to intentional intrusions by outsiders or by unauthorized insiders.

During the time it took you to read the title and subtitle to this article, approximately three seconds, the identity of someone in the United States was stolen. Due to the combination of unprotected devices (smartphones, tablets, etc.), the proliferation of personal and private data, and distributed computing trends (Internet, cloud, electronic health records), data breaches and identity theft have dramatically increased. While in 2003 only five million Americans were the victims of identity theft, in 2012, this number increased to 12.6 million.¹

The California Data Breach Notification Law

For more than a decade, the State of California has been at the forefront of legislation and enforcement in matters of privacy and information security. In 2003 California was the first state to legislate a data breach notification law,² which requires any person or business that conducts business in California, and any state agency that owns or licenses computerized data, including “personal information,” to notify Californians in an expedient manner when their personal information is compromised in a security breach. The purpose of the notification is to allow individuals affected to take defensive action, including closing imperiled accounts, putting a fraud alert or security freeze on credit records, and taking other steps to protect from the consequences of the breach. Per a 2012 amendment to the California data breach notification law,³ data holders must, in addition to sending the notification to the affected individuals, send an electronic copy of the breach notification to the California Attorney General for any single breach that affects more than 500 Californians.

The type of “personal information” that triggers the requirement to notify individuals under the California law is unencrypted, computerized information, consisting of an individual’s name, plus one of the following: Social Security number; driver’s license or California Identification Card number; financial account number, including credit or debit card number (along with any PIN or other access code where required for access to the account); medical information; and health insurance information.

Report and Breach Statistics

On July 1, 2013 California Attorney General Kamala D. Harris issued a report discussing the data breaches notified per the 2013 amendment.⁴ The report shows that 131 such data breaches were reported in 2012, which involved the potential exposure of personal information of 2.5 million Californians. More than half of these breaches (56 percent) involved Social Security numbers, which pose the greatest risk of the most serious types of identity theft. More than half of the breaches (55 percent) were the result of intentional intrusions by outsiders or by unauthorized insiders. The other 45 percent were largely the result of failures to adopt or carry out appropriate security measures.

Recommendations

The attorney general made several recommendations for companies to mitigate breaches and their ramifications:

• Encryption:
  Companies should encrypt digital personal information when moving or sending it out of their secure network. 1.4 million Californians, more than half of the 2.5 million whose information was at risk in 2012, would have been protected if companies had encrypted data when moving or sending the data out of the company’s network. Encryption would also have exempted 28 percent of the data breaches reported from the duty of such report. In order to further incentivize companies to carry out this simple and important measure, the attorney general stated that her office will make it an enforcement priority to investigate breaches involving unencrypted personal information.
   
• Training and Security Controls:
  Companies should review and tighten their security controls on personal information, including training employees and contractors.
   
• Keep it Simple:
  According to the report, breach notifications currently being sent out, are generally at a 14^th-grade reading level, with the average reading level in the United Stated being an eighth-grade level. The report recommends that breach notification be simplified to be easily understood by recipients and to enable recipients to take appropriate action to protect their information.
   
• Provide a Temporary Solution:
  Companies and agencies should offer mitigation products (such as credit monitoring or “iden­tity theft protection” services) or provide information on security freezes to victims of breaches involving Social Security numbers or driver’s license numbers. Per the report, some form of such measures was offered by 50 percent of the data holders who reported breaches in 2012.
   
• Legislation Amendment:
  The report recommends that legislators consider expanding the law to require notification of breaches in a broader set of circumstances, including those involving a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account. This is because people often do not use unique passwords for each of their online accounts; a thief who has stolen one set of credentials can get access to many accounts. With timely notice, individuals can protect themselves by changing their passwords. Amendments to this effect have been proposed in S.B. 46,⁵ passed in the California senate in May 2013.

Endnotes

1 2013 Identity Fraud Report (released on 2.20.13 by Javelin Strategy & Research) https://www.javelinstrategy.com/news/1387/92/1.

2 SB 1386, Cal. Civ. Code 1798.82 and 1798.29.

3 SB 24, which was signed into law on August 31, 2011 and went into effect on January 1, 2012.

4 http://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2012data_breach_rpt.pdf?.

5 http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140SB46.