On July 1, 2013, California Attorney General Kamala Harris issued her first-ever “Data Breach Report” detailing the 131 data breaches that were reported to her office by 103 different entities in 2012. According to the report, 2.5 million Californians had their personal information compromised by data breaches in 2012. The financial, insurance, and retail industries accounted for 49% of all reported data breaches. The most common breaches involved Social Security numbers, credit card information, health and medical information, driver’s license numbers, and bank account numbers.
California was the first state in the nation to pass a data breach notification law. That law, codified at Cal. Civ. Code §1798.29 and §1798.82, was first passed in 2003. It requires that Californians be notified “in the most expedient time possible and without unreasonable delay” whenever any governmental agency or business suffers a breach of “computerized data” involving the unauthorized access of “personal information.” Notice may be given in writing, electronically, or by substitute service. The notice must be written in plain language and must include: (1) the name and contact information of the notifying entity, (2) the types of personal information involved, (3) the contact information for the credit reporting agencies in the case of a breach of Social Security or driver’s license numbers, and (4) if known at the time of notification, the date of the breach and a general description of the incident.
In 2007, given the growing sensitivity of medical privacy and the growing awareness of medical identity theft, the law was amended to include medical and health information within the definition of notice-triggering “personal information.”
In 2011, this law was again amended to require all companies and governmental entities to submit copies of their data breach notices to the California Attorney General when any breach involved the personal information of more than 500 California residents. Thus, the 2012 report issued by the California Attorney General on July 1, 2013 was the first-ever such report.
The 2012 report highlights that much of the harm to California residents from data breaches could have been lessened or avoided entirely if the businesses and government agencies involved had encrypted the personal information that they stored. The report then makes several recommendations on how data security could be improved, including:
- Encrypt all digital personal information when in transit out of secure networks
- Review and tighten internal controls on personal information, including training employees and contractors
- Improve the readability of breach notices
- Offer mitigation products and/or information on security freezes for breaches involving Social Security numbers or driver’s license numbers
- Consider amending the breach notification law to require notification of breaches of online credentials, such as user name and password