Additionally, the report called on organizations to review and tighten their security controls to protect personal information, including training of employees and contractors. "More than half of the breaches reported in 2012 ... were the result of intentional access to data by outsiders or by unauthorized insiders," the report says. "This suggests a need to review and strengthen security controls applied to personal information."
The report further noted that organizations not only "have legal and moral obligations" to protect personal information, but California law requires businesses "to use reasonable and appropriate security procedures and practices to protect personal information."
Suggested practices include using multifactor authentication to protect sensitive systems, having strong encryption to protect user IDs and passwords in storage, and providing regular training for employees, contractors, and other agents who handle personal information. "Many of the 17 percent of breaches that resulted from procedural failures were likely the result of ignorance of or noncompliance with organizational policies regarding email, data destruction, and website posting," the report says.
It also cites companies for making breach notices sent to customers too difficult to read. In reviewing sample notices, Harris' office found that the average reading level of the breach notices submitted in 2012 was 14th grade. That's "significantly higher than the average reading level in the U.S." according to the National Assessment of Adult Literacy.
"Communications professionals can help in making the notice more accessible, using techniques like shorter sentences, familiar words and phrases, the active voice, and layout that supports clarity, such as headers for key points and smaller text blocks," according to the report.
Additionally, the report called on companies to offer customers affected by data breaches mitigation products, such as credit monitoring, or information on security freezes. These protective measures can limit victims' risk of identity theft, "yet in 29 percent of the breaches of this type, no credit monitoring or other mitigation product was offered to victims."
Finally, the report recommended legislation to amend the state's breach notification laws to require notification of breaches of online credentials, such as user name and password.
This story, "Calif. attorney general: Time to crack down on companies that don't encrypt," was originally published at InfoWorld.com.