California AG on data breaches: Companies should encrypt data

Summary: In 2012, around 2.5 million Californians were victims of a corporate data breach. But more than half of those affected could've been protected had their data been encrypted.


Companies are not encrypting data thoroughly, adequately, or at all, California's state attorney general said in a statement this week.

State AG Kamala D. Harris this week released figures from her office showing that, across the 131 data breaches that companies suffered in 2012, around 2.5 million Californians had personal data put at risk. But around 1.4 million, or 55 percent of all Californians affected, could have been protected had their data been encrypted when companies moved or sent it out of their secure networks.

Among the list of data breaches, Barnes & Noble and the California Dept. of Social Security were named, while American Express was named numerous times, as were a number of other financial institutions and universities.

"Data breaches are a serious threat to individuals' privacy, finances and even personal security," Harris said. "Companies and government agencies must do more to protect people by protecting data."

According to the report's key findings:

  • The average breach incident involved the data of 22,500 individuals

  • 28 percent of all data breaches would not have required notification had the data been encrypted

  • 26 percent of all data breaches were reported by the retail industry, followed by the finance and insurance sector at 23 percent

  • 56 percent of all breaches involved Social Security numbers

  • 55 percent of breaches were the result of hacks and attacks by outsiders, while 45 percent were the result of companies failing to adopt appropriate security measures

Harris said her office will "make it an enforcement priority to investigate breaches involving unencrypted personal information." She noted that companies should review and tighten security controls on their data, such as training employees and contractors to handle data with the highest regard.

California is currently working on a new law that would see basic elements of existing European data protection and privacy laws included in the state's legislature. The so-called "right to know" law would allow citizens to see data that a business holds on them within 30 days of the customer's request.

  • Ya,

    it's our fault the government is able to spy on us. Makes perfect politician sense.
  • a surprise for some

    These numbers are quite a surprise for me. We use for quite some time now and we really don't have to like some who are under the HIPAA law but because if you look on the financial loss due to hacking attacks for the last ten years...well is worse than leaving your car open with the engine turned on. So we encrypt our emails, files and even SMS to avoid sensitive data loss for some time now and I just thought that this is common practice...seems not :)