2.5 million Californians exposed to identity theft in 2012

In 2012, for the first time, companies and government agencies subject to California law were required to submit copies of their data breach notices. After reviewing the results, the CAGO found that there were 131 breaches during the year, each affecting more than 500 California residents. In all, the average breach incident involved the information of 22,500 individuals. The median breach size was 2,500, with five breaches involving the personal information of 100,000 or more.

The retail industry reported the most data breaches in 2012, accounting for 26% of the total reported breaches, followed by finance and insurance with 30 (23%).

More than half of the breaches (55%) were the result of intentional intrusions by outsiders or by unauthorized insiders. The other 45% were largely the result of failures to adopt or carry out appropriate security measures. Out of all of the incidents, more than 1.4 million Californians would not have been put at risk, and 28% of the data breaches would not have required notification, if the data had been encrypted.

And, more than half of the breaches (56%) involved Social Security numbers, which pose the greatest risk of the most serious types of identity theft.

“More than half of these breaches involved social security numbers, which are targeted because they can be sold on the open market and then used to steal identities and gain access to financial accounts,” said Attorney General Kamala Harris, in the report.

She added, “Particularly striking is the impact of the failure to encrypt sensitive personal information. It has been 10 years since we realized the vulnerability of personal information on stolen laptops, lost data tapes, and misdirected emails. If encryption had been used, over 1.4 million Californians would not have had their information put at risk in 2012. That number represents more than half of the 2.5 million people affected by the 131 breaches covered in this report. It is my strong recommendation that companies and agencies implement encryption as a basic protection and reasonable security measures to help them meet their obligation to safeguard personal information entrusted to them and receive commands.”

The CAGO said that it would make it an “enforcement priority” to investigate breaches involving encrypted personal information, and encourage allied law enforcement agencies to similarly prioritize these investigations. It also suggested that the legislature could consider requiring the use of encryption to protect personal information in transit.

“Cybersecurity is a continual and escalating battle, but it is one that must be vigorously waged,” the report said. “Not only must safeguards be constantly reviewed and adapted to meet new threats, but employees and contractors must be provided with regular training in organizational policies and procedures.”
