In the first report of its kind, California's Attorney General, Kamala D. Harris, revealed last week that 2.5 million people—roughly 6.5 percent of the state's population—were exposed by data breaches in 2012.
California has always been the go-to state for innovative technologies. A law passed in 2009 requires data breaches affecting more than 500 residents to be reported to the state attorney general's office. It was also the first state to have breach notification laws, which were adopted by the state legislature. Forty-six other states have since followed with their own notification requirements, so perhaps these states will now follow California once again, and release their own breach reports.
While not as detailed as some of the studies released by data security vendors, the California Attorney General's breach report tells all of the essential data, including the fact that of the 2.5 million people placed at risk due to a data breach, 1.4 million of them didn't need to be on the list. Specifically, the report states that those 1.4 million people would have been protected if only the "companies had encrypted data when moving or sending the data out of the [network]."
"Data breaches are a serious threat to individuals' privacy, finances and even personal security. Companies and government agencies must do more to protect people by protecting data," Attorney General Harris said in a statement.
Most breaches involved retail
The report covers 131 incidents in all, with the average (mean) breach accounting for 22.500 people. The retail sector reported the most data breaches with 26 percent of the cases, followed by the finance and insurance sectors with 23 percent and healthcare with 15 percent. It's worth noting that more than half of the breaches involved intentional intrusions from the outside or intentional acts from insiders. The rest of the breaches, 45 percent, were largely due to failure "to adopt or carry out appropriate security measures," the report notes.
As mentioned, the report singles out those firms that didn't take precautions when it comes to protecting data, and focuses largely on encryption to make that point. In fact, the report says, 28 percent of the reported breaches in 2012 wouldn't have required notification if the data was encrypted at the time of the incident.
"Despite the incentive created by the breach notification laws exemption for encrypted data, many companies are still failing to use this effective security measure. Far too many people continue to be put at risk when companies do not encrypt data," the report adds.
As part of the California Online Privacy Protection Act, the state also requires app vendors to offer privacy policies that can be read before a consumer downloads or installs an app.
This story, "Data breaches hit 2.5 million in California in 2012, report says" was originally published by CSO.