Earlier this month, the State of California released its first annual data breach report, showing that in 2012, 131 data breaches were reported, putting more than 2.5 million Californians' personal data at risk. The real kicker is that of the 2.5 million, 1.4 million would have been fine if the companies had simply encrypted the data. Yup, over half would've been safe if proper care had been taken to protect the data. A bit aggravating, isn't it? With all the basic solutions available and the media attention data breaches get, you'd think encryption was a no-brainer. Add to that, if it was scrambled, it wouldn't have even needed to be reported according to state law! Companies can even avoid data breach lawsuits (in California) by encrypting data. So many reasons.
Retail had the most intrusions with 26%, followed closely by finance and insurance with 23% of the total. Health care accounted for 15%, with education and government both taking 8%. The remaining 15% represented the ever popular 'other.' Over half included compromised Social Security numbers and 5 involved more than 100,000 citizens.
Security and computer failures, including skimmed point-of-sale devices, accounted for the majority of the intrusions, with outsiders doing the most damage. Always check those ATMs, gas station pumps, unattended kiosks and other machines you slide your cards through. Sadly, even with personal diligence, once the company has it, they seemingly still let it roam free. I guess the good news is the requirement to report the breaches so individuals are aware and can take action.
This is the first state-based, state-specific review of reported data breaches, and the California Attorney General's Office recommends that companies focus on improving the following areas of privacy and security:
Encryption – If you have unencrypted personal information, you'll probably be next.
Security Training – Review and update security procedures, as well as provide regular training to maintain compliance.
Readability of Consumer Breach Notifications – Companies should ensure that recipients actually understand the content of such notices.
Offering Credit Monitoring Assistance – When offered to consumers, it can limit future issues.
Hopefully, in the near future, other states will release their own reports to better understand their situations in the context of all the yearly national reports.