Attorney General Kamala D. Harris Releases Data Breach Report; 18.5 Million Californians’ Personal Information Put at Risk

Tuesday, October 28, 2014
Contact: (916) 210-6000, agpressoffice@doj.ca.gov

LOS ANGELES – Attorney General Kamala D. Harris today released the second annual report detailing the 167 data breaches reported to the Attorney General’s office in 2013 that impacted18.5 million Californians by putting their personal information at risk. The report is accompanied by recommendations from the Attorney General for consumers, businesses and lawmakers on how to protect against data breaches and prevent them in the future.

“Data breaches pose a serious threat to the privacy, finances and personal security of California consumers,” Attorney General Harris said. “The fight against these kind of cybercrimes requires the use of innovative strategies by government and the private sector to protect our state’s consumers and businesses. I strongly encourage more use of encryption to significantly reduce the risk of data breaches.”

In 2013, the number of reported data breaches increased by 28 percent, from 131 in 2012 to 167 in 201. The number of Californians’ whose records were affected increased by over 600 percent, from 2.5 million in 2012 to 18.5 million in 2013. This increase was largely due to two massive retailer breaches at Target and LivingSocial, each of which put the personal information of approximately 7.5 million Californians at risk.

More than half of the 2013 breaches (53 percent) were caused by computer intrusions, such as malware and hacking. The remaining breaches resulted from physical loss or theft of laptops or other devices containing unencrypted personal information (26 percent), unintentional errors (18 percent) and intentional misuse (four percent).

The report includes specific tips and recommendations to reduce the frequency and impact of future breaches.

            For Consumers:

  • Monitor your credit and debit card accounts for suspi­cious transactions and report any to the card-issuing bank. Ask the bank for online monitor­ing and alerts on the card account.
  • If a data breach notice says your health insurance or health plan number was involved, contact your insurer or plan and ask them to note the breach in their records and to flag your account number.
  • If a data breach notice involves your password or user ID, change both for that account and any other accounts containing the same information.

            For Retailers:

  • Update point-of-sale terminals so that they are chip-enabled and install the necessary software.
  • Implement appropriate encryption solutions to devalue payment card data, including encrypting the data from the point of capture until completion of transaction authorization.
  • Implement appropriate tokenization solutions to devalue payment card data, including online and mobile transactions.
  • Respond promptly to payment card data breaches that occur in retail systems and improve the helpfulness of the “substitute notices” provided via web site and media.

For the Health Care Industry:

  • Use strong encryption to protect medical information on laptops and on other portable devices, and consider encryption for desktop computers.

For the Legislature

  • Consider legislation to amend the breach notice law in order to strengthen the substitute notice procedure; clarify the roles and responsibilities of data owners and data maintainers; and require a final breach report to the Attorney General.
  • Consider legislation to provide funding to support system upgrades for small California retailers.

In 2003, California was the first state to pass a law (AB 700, Simitian) mandating data breach notifications. This law requires businesses and state agencies to notify Californians when their personal information is compromised in a security breach.

In 2012, companies and state agencies subject to the law were also required, for the first time, to report any breach that involved more than 500 Californians to the Attorney General’s Office. (SB 24, Simitian).

Two recommendations from Attorney General Harris’ 2012 data breach report have been enacted as amendments to the AB 700. Attorney General Harris’ 2012 report recommended that, as a result of increased criminal focus on stealing online account credentials, this type of personal information should be included in SB 24. Based on the California Department of Justice’s recommendation, SB 46 of 2013 was enacted to do just that and the law took effect in January 2014.

The 2012 report also recommended that companies should offer mitigation products or provide information on the security freeze to victims of breaches of Social Security numbers or driver’s license numbers. In 2014, AB 1710 was enacted, requiring the source of a breach of such data to offer identity theft prevention or mitigation services at no cost to the affected person and for no less than 12 months.  It will take effect in January 2015.

The full Data Breach 2013 report is available here: https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/2014data_breach_rpt.pdf?

# # #