In case there was any doubt that regulators are focused on data security and privacy, California’s Attorney General Kamala D. Harris has issued a formal report on the topic. “Data Breach Report 2012” shares information on data breaches reported to her office in 2012, and provides observations on vulnerabilities they may reveal and recommendations for future prevention and mitigation.
In 2003, California was the first state in the nation to require its businesses to notify consumers when their personal information was compromised by a security breach. Since then, 46 states have followed suit, and notification is federally mandated for the healthcare sector. Beginning in 2012, California required businesses to provide the Office of the Attorney General with copies of notices on breaches involving more than 500 Californians. The report offers valuable analysis for the insurance community.
The Hardest Hit
According to the report, retail, finance and insurance were the industries suffering the most data breaches in California, accounting for 49 percent of the 131 breaches reported to the office in 2012. The average breach involved 22,500 individuals; five of the breaches reported involved the personal information of 100,000 or more individuals.
The Most Preventable
In total, more than 2.5 million Californians were put at risk by breaches in 2012. More than half of these – 1.4 million individuals – had data exposed in incidents involving lost or stolen digital data or misdirected emails in which the personal information was unencrypted. A full 28 percent of the breaches examined would not have required notification – with all the costs and reputational issues that entails – had encryption been in place. California, like all but two of the states with notification laws in place, includes a “safe harbor” provision making encrypted information immune from notice requirements. The attorney general noted: “In spite of the carrot of the breach notification law’s encryption exemption, organizations are subjecting too many Californians to a risk that is eminently avoidable.”
The report’s No. 1 recommendation? Encrypting digital personal information when moving or sending it out of a secure network. According to Harris, this is for companies “a basic protection and reasonable security measure to help them meet their obligation to safeguard personal information entrusted to them.” The attorney general also made it clear that her office is making the investigation of breaches involving unencrypted personal information an enforcement priority.
Forty-five percent of the data breaches emanated from failures to adopt or carry out appropriate security measures. This was the impetus for the report’s second recommendation, for companies to review and tighten security controls, including training of employees and contractors on organizational policies and procedures.
This can be hard for resource-strapped businesses. Online resources can provide a cost-effective way to keep policy and procedures up-to-date and provide online training for employees.
Raising the Bar in Response
The report highlights ways to improve data breach response. Fifty-six percent of the reported breaches involved Social Security numbers. Breaches of Social Security and driver’s license numbers are especially concerning as they leave victims vulnerable to the possibility of identity thieves establishing new accounts in their name. Yet in 29 percent of breaches of this type, no credit monitoring or other mitigation recourse was offered to victims. Harris recommends offering mitigation products, such as credit monitoring, and providing information on security freezes when breaches involve this most sensitive personal information.
Given that the breach notification letters shared with her office were, on average, at the 14th grade reading level – significantly higher than the U.S. average 8th grade level – the attorney general emphasized the need to improve readability so victims can readily understand what protective measures they can take. Notification is one of the most complex areas for a business to tackle, as specifics on how to notify victims of breaches vary widely. Some states require companies to reveal how a breach happened, others forbid it. If the breach notification itself is not written properly, it can create substantial liability for the company issuing it. Experienced legal counsel and experts in the notification process can be pivotal in enabling a company to create notices that are both compliant and customer-friendly.
On The Horizon
The report’s final recommendation provides a glimpse at an emerging exposure, suggesting legislation be considered to amend breach notification law to require notification of breaches of online credentials, such as passwords and user names. These breaches are an area worth watching carefully, as they have implications for everything from the banking industry, where credentials are used for fraudulent theft of funds, to social media, where unauthorized postings can lead to claims of libel or slander.
With “Data Breach 2012,” California’s attorney general offers up valuable insights based on recent experience – and sends a loud-and-clear message that as data breach risk evolves, the expectations for businesses managing and mitigating the exposure do too. Businesses across the spectrum of industries are wise to align themselves with experienced partners who can assist in managing and mitigating the multiple facets of this exposure – providing not only funding but the expertise and resources to respond to data breach incidents that occur. As the attorney general’s report makes clear, regulators are watching.