California AG on data breaches: Companies should encrypt data

Companies are not encrypting data thoroughly, adequately, or at all, California's state attorney general said in a statement this week. 

Read this

California introduces 'right to know' data access bill, and why Silicon Valley will hate it

Read now

State AG Kamala D. Harris released this week figures from her office that showed out of the 131 data breaches that companies suffered in 2012, around 2.5 million Californians had personal data put at risk as a result. But around 1.4 million, or 55 percent, of all Californians affected, could have been protected had their data been encrypted when companies' moved or sent it out of their secure networks.

Among the list of data breaches, Barnes & Noble and the California Dept. of Social Security were named, while American Express was named numerous times, as were a number of other financial institutions and universities.

"Data breaches are a serious threat to individuals' privacy, finances and even personal security," Harris said. "Companies and government agencies must do more to protect people by protecting data."

According to the report's key findings:

• The average breach of each incident involved the data of 22,500 individuals
  
• 28 percent of all data breaches would not have required notification should the data have been encrypted
  
• 26 percent of all data breaches were reported by the retail industry, followed by the finance and insurance sector at 23 percent
  
• 56 percent of all breaches involved Social Security numbers
  
• 55 percent of breaches were as a result of hacks and attacks by outsiders, while 45 percent was a result of failure for companies to adopt appropriate security measures

Harris said her office will "make it an enforcement priority to investigate breaches involving unencrypted personal information." She noted that companies should review and tighten security controls on their data, such as training employees and contractors to handle data in the highest regard.

California is currently working on a new law that would see basic elements of existing European data protection and privacy laws to be included in the state's legislature. The so-called "right to know" law that would allow citizens to see data that business holds on them within 30 days of that customer's request.