California data breach study indicates lack of encryption
A recent study by the California attorney general indicates that 2.5 million residents of the Golden State had their personal information exposed in the 131 online data breaches reported to her office in 2012.
But, more than half of these incidents were easily avoidable.
Attorney General Kamala Harris released a report this month revealing that 1.4 million of the California residents affected by breaches in 2012 would have been unharmed had the companies involved encrypted their data. In fact, under existing state law those incidents would never have had to be reported at all if the exposed data had been encrypted.
Some other notable 2012 findings include: an average of 22,500 people were affected in each breach incident; the retail industry reported the most data leakage incidents, followed by the finance and insurance sectors; more than half of the breaches involved Social Security numbers; and five of the reported breaches involved 100,000 or more individuals.
“Data breaches are a serious threat to individuals' privacy, finances and even personal security,” Harris said in a release. “Companies and government agencies must do more to protect people by protecting data.”
Harris has suggestions too. The big one is data encryption, which she said should always be used. Nonetheless, a recent study found that many companies continue to eschew encryption.
Another suggestion by Harris is for companies and agencies to train employees and contractors as one part of beefing up overall security in an organization. Some in the IT security industry, however, have declared security awareness training to be a waste of time and money.
Other proposals by Harris include improved readability of breach notices, better access to resources for victims of breaches involving Social Security and driver's license numbers, and the passage of legislation mandating notifications of breaches involving the exposure of online credentials, such as usernames and passwords.
California historically has served as a pioneer in terms of data security and privacy laws. In 2003, with a bill known as SB-1386, it became the first state to require notification to victims following a breach.