By Greg Hammond, J.D.
California Attorney General Kamala D. Harris released a report recently, disclosing the types and extent of data breaches reported to her office since 2012. The report, entitled “California Data Breach Report,” revealed that Harris’ office was notified of 657 data breaches over the course of the last four years, affecting a total of more than 49 million records of Californians’ personal information.
Findings. In 2012, the report noted that there were 131 breaches involving 2.6 million records of Californians. However, in 2015, there were 178 breaches, putting more than 24 million records at risk. “This means that nearly three in five Californians were victims of a data breach in 2015 alone,” the report states.
The data breaches were the result of malware and hacking (accounting for 90 percent of the number of records breached); physical breaches, resulting from theft or loss of unencrypted data on electronic devices; and breaches caused by errors, such as misdelivery of mail and inadvertent exposure on the public Internet. Social Security numbers and medical information were breached more than other data types.
Recommendations. As a result of the report’s findings, Attorney General Harris made four recommendations: (1) organizations should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information; (2) organizations should consistently use strong encryption to protect personal information on laptops and other portable devices, and should consider it for desktop computers; (3) organizations should encourage individuals affected by a breach of Social Security numbers or driver’s license number to place a fraud alert on their credit files and make this option very prominent in their breach notices; and (4) state policy makers should collaborate to harmonize state breach laws on some key dimensions, which could reduce the compliance burden for companies, while preserving innovation and maintaining consumer protections.