As the world’s eighth-largest economy and home to many of the world’s biggest and most successful technology businesses, California has often been at the forefront of privacy and security issues. The state was the first in the nation to pass a breach notification law in 2003, and Attorney General (AG) Kamala Harris has not been shy about the need for strong privacy practices—take, for example, her release of privacy guidelines for the mobile ecosystem in 2013.
On Tuesday, Harris unveiled the California Data Breach Report, the state’s first since 2012, and it does carry some weight. The previous report, for example, included five recommendations, and two have since been codified in law. This year’s report includes nine recommendations that hit most directly upon the retail and healthcare sectors.
In it, the AG sets forth recommendations that call for more readable breach notices, increased use of technology like chip cards to devalue stolen credit card data and for the healthcare industry to employ widespread encryption. She also calls for additional security funding for smaller retailers, a perceived and growing target of cyber-attacks.
The report also includes a number of key findings, including a rise in reported breaches in 2013, up 28 percent from 2012. The retail industry, notably, reported the most breaches in 2013, according to the report, including 15.4 million records of Californians or “84 percent of the total records breached in 2013.” Though loss or theft of laptops was a common occurrence in the healthcare sector, more than half of the reported breaches involved intrusion by hackers or malware.
“Data breaches pose a serious threat to the privacy, finances and personal security of California consumers,” Harris said in a press release. “The fight against these kinds of cyber-crimes requires the use of innovative strategies by government and the private sector ... I strongly encourage more use of encryption to significantly reduce the risk of data breaches.”
As part of California’s breach-notification regime, any event affecting more than 500 Californians must be reported to the Office of the Attorney General. This report analyzes the nearly 300 reported breaches since 2012 to come up with a set of best practices and recommendations for businesses, law enforcement and the state legislature.
Notably, the AG specifically calls on companies to “take advantage of cutting-edge technology to devalue payment data in the event of a security breach,” particularly by using chip cards and tokenization. Plus, the report asks lawmakers to consider funding a support system for small retailers.
“We are concerned about the situation of smaller retailers. Hence our recommendation about considering grants to assist them,” said Joanne McNabb, CIPP/US, CIPP/G, CIPT, Director of Privacy, Education and Policy at the Office of the Attorney General, in comments provided to The Privacy Advisor.
McNabb said the retail and healthcare sectors were the two industries that stood out in the data. “They were each dominated by a single type of breach to a far greater degree than other sectors, and their breaches affected the most records,” she said.
To mitigate the effect of these breaches, Harris is urging organizations to improve the “readability and helpfulness of breach notices, particularly of the substitute notices, which involve website posting and media notification that are used in retailer breaches of payment card data.”
Notably, 70 percent of the compromised personal records in the healthcare sector were the result of lost or stolen unencrypted laptops or other portable devices. As such, the “need to use encryption is a lesson that must be learned by the healthcare industry, and we recommend that it be applied not only to laptops and portable media but also to many computers in offices,” the report states.
“It is stunning that this continues to be an issue in healthcare,” said McNabb. “That they are relative newcomers to the world of digital data may be a factor. But for ‘data in transit,’ the solution is certainly available.”
Moving forward, the AG lays out nine recommendations in total, but more than half are specifically aimed at retailers.
As has been heavily reported in the wake of the Target and LivingSocial breaches, the AG recommends that retailers “move promptly to update their point-of-sale terminals so they are chip-enabled” while also encrypting the data from point-of-capture until the completion of a transaction. Harris also calls for retailers to use tokenization, respond “promptly to their data breaches” and improve substitute notices.
Retailers should work with financial institutions “to protect debit cardholders” when unencrypted data is accessed. McNabb said the department has also released a consumer guide, which includes “tips tailored to the type of data breached.” She said “notices often don’t do a very good job of informing customers”: they are often written at a college reading level and give the same advice “no matter what the data involved,” even though debit card breaches “pose somewhat different risks than a credit card breach.”
Harris also included recommendations for the state legislature moving forward, specifically “to amend the breach notice law to strengthen the substitute notice procedure, clarify the roles and responsibilities of data owners and data maintainers and require a final breach report” to the AG.
One question that remains is whether the state legislature will move on any of these recommendations.
Andrew Serwin, CIPP/US, CIPP/C, CIPP/E, CIPP/G, CIPM, a partner at Morrison & Foerster, said legislative action won’t happen right away but left the door open for future movement.
“Given that the security breach law in California was just amended, I do not think that there will be immediate legislative action,” he said, “but these types of reports and recommendations can ultimately impact legislation in the future.”
McNabb is cautiously optimistic. “There is great interest in addressing data breaches among California legislators,” she said. “One bill passed this year, adding a requirement for identity-theft prevention and mitigation services for certain types of breaches. I wouldn’t want to make a prediction, though.”