Privacy & Information Security Law Blog

On October 28, 2014, California Attorney General Kamala D. Harris announced the release of the second annual California Data Breach Report. The report provides information on data breaches reported to California’s Attorney General in 2012 and 2013. Overall, 167 breaches were reported by 136 different entities to California’s Attorney General in 2013. According to the report, 18.5 million records of California residents were compromised by these reported breaches, up more than 600 percent from the 2.6 million records compromised in 2012. In addition, the number of reported data breaches increased by 28 percent in 2013, rising from 131 in 2012 to 167 in 2013.

Other key findings include:

• Computer intrusions, such as hacking and malware breaches, comprised over half of all reported breaches in 2013 and over 93 percent of all compromised records (over 17 million records).
• Retailers reported the most breaches (43), which represented 26 percent of the breaches reported in 2013.
• In 2012-2013, the majority of breaches in the health care sector (70 percent) were caused by lost or stolen hardware or portable media containing unencrypted data.

The report also contains best practices and recommendations for California retailers, consumers, the health care sector and legislatures to improve the security of personal data. “Data breaches pose a serious threat to the privacy, finances and personal security of California consumers,” Attorney General Harris said. “The fight against these kind of cybercrimes requires the use of innovative strategies by government and the private sector to protect our state’s consumers and businesses. I strongly encourage more use of encryption to significantly reduce the risk of data breaches.” The report made several recommendations to retailers, including updating point-of-sale terminals to enable chip card technology, implementing appropriate encryption and tokenization solutions to devalue payment card data and providing more helpful information in substitute notice regarding payment card breaches. In addition, the report recommends that California legislators consider amending the breach notice law to strengthen the substitute notice procedure, clarify the roles and responsibilities of data owners and data maintainers, and require a final breach report to the Attorney General.

Read the full California Data Breach Report.