Calif. attorney general: Time to crack down on companies that don't encrypt

State's first data breach report finds that more than 1.4 million residents' data would have been safe had companies used encryption

If organizations throughout California encrypted their customers' sensitive data, more than 1.4 million Californians would not have had their information put at risk in 2012, according to a newly released report [PDF] on statewide data breaches from California Attorney General Kamala Harris. All told, some 2.5 million people were affected by the 131 breaches reported to the state. Notably, organizations in the Golden State are only required to report a breach if it affects 500 or more users, so it's plausible (if not likely) that the overall number of breaches is higher.

California does offer incentives to companies that embrace encryption, according to Harris, but because the carrot isn't working, she's now turning to the stick: She cautioned that her office "will make it an enforcement priority to investigate breaches involving unencrypted personal information" and will "encourage ... law-enforcement agencies to similarly prioritize these investigations."

California breachin'
According to the report, simply titled "Data Breach Report 2012," 103 different entities suffered data breaches in 2012, nine of which reported more than one. Three of the entities reporting multiple breaches were payment card issuers: American Express with 19, Discover Financial Services with three, and Yolo Federal Credit Union with two. Those breaches occurred either at a merchant or at a payment processor.

Other key stats from the report:

  • The average breach incident involved the information of 22,500 individuals.
  • The retail industry reported the most data breaches in 2012: 34 (26 percent of the total reported breaches), followed by finance and insurance with 30 (23 percent).
  • More than half of the breaches (56 percent) involved Social Security numbers.
  • Outsider intrusions accounted for 45 percent of the total incidents, with 23 percent occurring at a merchant via such techniques as skimming devices installed at a point-of-sale terminal.
  • 10 percent of the breaches were caused by insiders -- employees, contractors, vendors, customers -- who accessed systems and data without authority.

Encryption and beyond
Beyond threatening greater scrutiny of companies that suffer data breaches but don't use encryption, Harris recommended that the California Legislature consider enacting a law requiring organizations to use encryption to protect personal information.

Additionally, the report called on organizations to review and tighten their security controls to protect personal information, including training of employees and contractors. "More than half of the breaches reported in 2012 ... were the result of intentional access to data by outsiders or by unauthorized insiders," the report says. "This suggests a need to review and strengthen security controls applied to personal information."

The report further noted that organizations not only "have legal and moral obligations" to protect personal information, but California law requires businesses "to use reasonable and appropriate security procedures and practices to protect personal information."

Suggested practices include using multifactor authentication to protect sensitive systems, having strong encryption to protect user IDs and passwords in storage, and providing regular training for employees, contractors, and other agents who handle personal information. "Many of the 17 percent of breaches that resulted from procedural failures were likely the result of ignorance of or noncompliance with organizational policies regarding email, data destruction, and website posting," the report says.
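The report's "strong encryption to protect user IDs and passwords in storage" is, in practice, a salted, slow password hash rather than reversible encryption: a breached credential table should not yield the passwords even to an attacker who also holds the server's keys. The example below is added here and is not from the report or from InfoWorld; it uses PBKDF2-HMAC-SHA256 from Python's standard library, and the iteration count and record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for illustration: a per-user 16-byte random salt,
# a 32-byte derived key and a fixed iteration count. In production, tune
# the iteration count to your hardware and raise it over time.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_LEN = 16
KEY_LEN = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a storable record of the form algo$iterations$salt_hex$hash_hex.

    The record carries its own parameters so that the iteration count can be
    raised later without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_LEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the key with the record's own salt and parameters and compare
    in constant time. Malformed or foreign records never verify."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
        if algo != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
        iterations = int(iters)
    except ValueError:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_LEN)
    return hmac.compare_digest(digest, expected)


def records_distinguish_shared_password(record_a: str, record_b: str) -> bool:
    """True if two records for the same password are indistinguishable to
    someone reading the stored table, i.e. salting hides password reuse."""
    return record_a != record_b


if __name__ == "__main__":
    # Constructed sample credential table, as a breach would expose it.
    table = {
        "alice": hash_password("correct horse battery staple"),
        "bob": hash_password("correct horse battery staple"),
    }
    for user, rec in table.items():
        print(user, rec)
    # Same password, different salts: the table alone does not reveal reuse.
    print("reuse hidden:",
          records_distinguish_shared_password(table["alice"], table["bob"]))
    print("alice login ok:",
          verify_password("correct horse battery staple", table["alice"]))
    print("bob wrong pw:", verify_password("wrong", table["bob"]))
```

The record format and the PBKDF2 parameters are assumptions; the design points are the per-record random salt, the deliberately slow derivation, the self-describing record that allows raising the work factor later, and the constant-time comparison on verification.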

It also cites companies for making breach notices sent to customers too difficult to read. In reviewing sample notices, Harris' office found that the average reading level of the breach notices submitted in 2012 was 14th grade. That's "significantly higher than the average reading level in the U.S." according to the National Assessment of Adult Literacy.

"Communications professionals can help in making the notice more accessible, using techniques like shorter sentences, familiar words and phrases, the active voice, and layout that supports clarity, such as headers for key points and smaller text blocks," according to the report.

Additionally, the report called on companies to offer customers affected by data breaches mitigation products -- such as credit monitoring -- or information on security freezes. These types of protective measures can limit victims' risk of identity theft, "yet in 29 percent of the breaches of this type, no credit monitoring or other mitigation product was offered to victims."

Finally, the report recommended legislation to amend the state's breach notification laws to require notification of breaches of online credentials, such as user name and password.

This story, "Calif. attorney general: Time to crack down on companies that don't encrypt," was originally published on the InfoWorld Tech Watch blog.

Copyright © 2013 IDG Communications, Inc.