Earlier this month, the California Attorney General’s Office released the 2016 Data Breach Report covering years 2012 through 2015 for the State of California (the “AG’s Report”). The AG’s Report reveals that 557 data breaches reported to its office have occurred over the last four years, affecting nearly 50 million records. According to the report, while “California has been on the cutting edge, adopting the strongest and most sophisticated consumer privacy laws in the United States,” these efforts alone are not enough to shield sensitive data from being breached. To that end, the AG’s Report sets forth a number of recommendations, for both businesses and lawmakers alike, to better protect themselves from the ever evolving threat of cybercrime.
Overview of Reported Data Breaches in California
Since 2012, businesses and government agencies have been required to notify the AG’s office on breaches involving more than 500 Californians. According to the AG’s Report, in 2012 there were 131 breaches involving 2.6 million records of Californians, but by 2015 the number of annual breaches had risen to 178, placing more than 24 million records at risk.
The breaches occurred in all parts of the economy, including but not limited to, retailers, banks, hospitals, government agencies and universities. The types of breaches ranged from malware and hacking to physical breaches and breaches caused by human error.
What Are the Types of Breaches Occurring?
Breaches from malware and hacking presented the greatest threat, in both the number of breaches (365 incidents, 54 percent) and the number of records that were affected (45 million, 90 percent). The six reported breaches of more than 1 million records all involved hacking or malware.
Physical breaches typically involved the theft or loss of unencrypted data stored on laptops, desktop computers, hard drives, USB drives, data tapes and paper documents. The relative share of these breaches actually declined, from 27 percent of all breaches in 2012 to 17 percent in 2015. These types of breaches were most commonly seen in the healthcare industry and small business.
Error breaches, predominately involving the misdelivery of information through email and accidental exposure over the internet, remained at 17 percent of all breaches, and were most frequently seen in breaches involving the government.
What Kinds of Records Are Typically Involved in Data Breaches?
The types of data most commonly involved in data breaches over the last four years involved sensitive personal information—including Social Security numbers (SSNs), driver’s license numbers and medical information—and payment card data. SSNs were involved in nearly half of all breaches; payment card data was the subject of 39 percent of breaches, while medical information was included in 19 percent of breaches. However, as retailers continue to transition toward chip-enabled payment cards at point-of-sale locations, the Office of the Attorney General anticipates that the attractiveness of trying to steal payment card data will decrease and cyber criminals’ interest in Social Security numbers will likely increase.
The AG’S Recommendations to Minimize and Prevent Future Data Breaches
Following this analysis, the AG’s Report listed five specific recommendations; however, these recommendations have potentially far reaching consequences as they suggest not only that there is a definite standard of care for the security of personal information but a number of specific factors to be analyzed in determining whether or not there was a breach of that standard. The recommendations are as follows:
1. Adoption of the 20 controls defined by the Center for Internet Security’s Critical Security Controls for Effective Cyber Defense (the “Controls”) as the minimum level of information security. “The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.” The Controls are as follows:
|
Count Connections
|
Know the hardware and software connected to your network. (CSC 1, CSC 2)
|
|
Configure Securely
|
Implement key security settings. (CSC 3, CSC 11)
|
|
Control Users
|
Limit user and administrator privileges. (CSC 5, CSC 14)
|
|
Update Continuously
|
Continuously assess vulnerabilities and patch holes to stay current. (CSC 4)
|
|
Protect Key Assets
|
Secure critical assets and attack vectors. (CSC 7, CSC 10, CSC 13)
|
|
Implement Defenses
|
Defend against malware and boundary intrusions. (CSC 8, CSC 12)
|
|
Block Access
|
Block vulnerable access points. (CSC 9, CSC 15, CSC 18)
|
|
Train Staff
|
Provide security training to employees and vendors with access. (CSC 17)
|
|
Monitor Activity
|
Monitor accounts and network audit logs. (CSC 6, CSC 16)
|
|
Test and Plan Response
|
Conduct tests of your defenses and be prepared to respond promptly and effectively to security incidents. (CSC 19, CSC 20)
|
2. Make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information. The Attorney General’s Office specifically highlighted accounts including online shopping accounts, healthcare websites and patient portals, and web-based email accounts. The Attorney General used multi-factor authentication to refer to advanced security systems combining a password with either a physical token/cell phone or biometric elements, such as a fingerprint scan (sometimes referred to as “something you know plus something you have”).
3. All organizations, particularly those in healthcare, “should consistently use strong encryption to protect personal information on laptops and other portable devices, and should consider it for desktop computers.” Specifically, this recommendation contemplates elevated security on the physical devices themselves to reduce the chances of a breach resulting in loss or theft of that device.
4. All organizations should encourage those affected to place a fraud alert on their credit files when SSNs or driver’s license numbers are breached. This was recommended as a more convenient alternative to implementing a credit freeze against any potential new account fraud.
5. Nationwide, state policy makers should collaborate to harmonize the various state data breach laws on key dimensions. This recommendation implies that much of the proposed unifying federal legislation has a lower bar for data security than California’s existing state laws. The Attorney General proposed that state legislators and Attorneys General offices from other jurisdictions collaborate in “identifying opportunities to highlight the common pattern and reduce some of the differences. Such an effort could result in simplifying compliance, while preserving consumer protections, flexibility in adapting to changing threats and the benefits of jurisdictional expertise.”
While it remains to be seen if or when any of these recommendations might be adopted into law, either by statute or through the common law itself, businesses in California that handle sensitive personal information would be well-served to track these developments closely in anticipation of potentially rising standards of care for protecting sensitive personal/medical/financial information.
