If organizations throughout California encrypted their customers' sensitive data, more than 1.4 million Californians would not have had their information put at risk in 2012, according to a newly released report [PDF] on statewide data breaches from California Attorney General Kamala Harris. All told, some 2.5 million people were affected by the 131 breaches reported to the state. Notably, organizations in the Golden State are only required to report a breach if it affects 500 or more users, so it's plausible (if not likely) that the overall number of breaches is higher.
California does offer incentives to companies that embrace encryption, according to Harris, but because the carrot isn't working, she's now turning to the stick: She cautioned that her office "will make it an enforcement priority to investigate breaches involving unencrypted personal information" and will "encourage ... law-enforcement agencies to similarly prioritize these investigations."
According to the report, simply titled "Data Breach Report 2012," 103 different entities suffered data breaches in 2012, nine of which reported more than one. Three of the entities reporting multiple breaches were payment card issuers: American Express with 19, Discover Financial Services with three, and Yolo Federal Credit Union with two. Those breaches occurred either at a merchant or at a payment processor.
Other key stats from the report:
- The average breach incident involved the information of 22,500 individuals.
- The retail industry reported the most data breaches in 2012: 34 (26 percent of the total reported breaches), followed by finance and insurance with 30 (23 percent).
- More than half of the breaches (56 percent) involved Social Security numbers.
- Outsider intrusions accounted for 45 percent of the total incidents, with 23 percent occurring at a merchant via such techniques as skimming devices installed at a point-of-sale terminal.
- 10 percent of the breaches were caused by insiders -- employees, contractors, vendors, customers -- who accessed systems and data without authority.
Encryption and beyond
Beyond threatening greater scrutiny of companies that suffer data breaches but don't use encryption, Harris recommended that the California Legislature consider enacting a law requiring organizations to use encryption to protect personal information.