10 Years After SB 1386, California Attorney General Issues First Ever Report and Recommendations on Data Breaches

As most know, California was the first state in the country, only 10 years ago, to pass the first ever state data security breach notification law, SB 1386, codified at California Civil Code sections 1798.29 and 1798.82.  Last year, SB 24 amended the law, effective January 1, 2012, to require organizations issuing a security breach notification to more than 500 California residents as a result of a single breach submit a copy of that notification to the Attorney General.  Today, for the first time, California Attorney General Kamala Harris issued a report describing the notifications her office saw in 2012 and providing recommendations based on those findings.  Recommendation number one?  Encrypt, encrypt, encrypt. Following is more detail on the interesting facts and figures set forth in the report, as well as the Attorney General's key recommendations.

The Stats

The Attorney General received reports of only 131 data breaches affecting more than 500 Californians, involving only 103 different entities - these include incidents reported in 2012, not incidents that occurred in 2012 but that were reported in 2013.  Nine of those 103 entities reported more than one breach - three of those were payment card issuers where the breach occurred either at a merchant or at a payment processor.

Size

The average breach incident involved the information of 22,500 individuals, but the median breach size was 2,500 affected individuals.  Only five of the reported breaches involved more than 100,000 individuals.  It is not clear whether these stats refer only to California residents, but that seems to be the case based on other specific references in the report to the number of California residents affected.

Industry

Retail, finance, and insurance were the industries reporting the most data breaches in 2012.  Not surprisingly, the Attorney General classified as retail breaches of payment card account numbers that occurred in merchants' systems, even where the payment card issuers notified consumers.

Type of Information

More than half of the breaches involved Social Security numbers.  Surprisingly, in 29 percent of the breaches involving Social Security numbers or driver's license numbers, no credit monitoring or other mitigation product was offered to the victims.  (Credit monitoring or a similar "identity theft protection"' product was offered in 50 percent of the total breaches.)

Incident Type

The Attorney General utilized a classification of data breach types described in a taxonomy created by C. Matthew Curtin and Lee T. Ayres several years ago in "Using Science to Combat Data Loss:  Analyzing Breaches by Type and Industry," 4 ISJLP 525-922 (2008).  I was lucky enough to see Matt present on this at an American Bar Association Information Security Committee meting back in 2009, and I was very impressed with the work at that time.  As noted in the Attorney General's report, in this taxonomy, all breaches are broken down into three categories:  physical, logical, and procedural.  The breaches are then further broken down into more specific categories (respectively, document, media, and hardware; insiders and outsiders; and processing and disposal).

Using this taxonomy, the Attorney General reports that more than half of the breaches were the result of logical failures, i.e., intentional access to data by outsiders or unauthorized insiders.  Fifty-five percent of the breaches involved intentional intrusions. Although breaches resulting from physical failures constituted only 27 percent of the total breaches, they accounted for 58 percent of the victims.

Readability of Notices

The Attorney General states that the "average reading level of the breach notices submitted in 2012 was 14th grade" based on a Flesch-Kinkaid Grade-Level analysis of 70 randomly selected notices using Microsoft Office Word 2007's built-in readability calculating function.  According to the report, the U.S. average reading level is eighth grade.

Time to Notify the AG/Law Enforcement Notices

The Attorney General reports that breaches were reported to it an average of 12 days from notification of the affected individuals.  Twenty-five percent were reported before or on the same day and 63 percent within 10 days.

Reporting entities indicated that they had notified law enforcement in 60 percent of the breaches.

Paper Breaches

Even though California's law does not cover paper documents, 10 of the breaches reported (a full eight percent) involved paper records.

Recommendations

Encryption

As mentioned above, the Attorney General's first and foremost recommendation is that organizations encrypt personal information in transit.  The Attorney General notes that 1.4 million Californians, more than half of the 2.5 million Californians affected by the breaches described in the report, "would not have had their information put at risk in 2012" if encryption had been used.  Further, 28 percent of the data breaches would not have even required notification (due to the encryption exemption under the California law) had encryption been used.  Thirty-six of the breaches (27 percent) involved lost or stolen digital data or misdirected emails in which the personal information was unencrypted.

Therefore, it is the Attorney General's "strong recommendation that companies and agencies implement encryption as a basic protection and reasonable security measure to help them meet their obligation to safeguard personal information entrusted to them." Specifically, she recommends that companies encrypt digital personal information when moving or sending it out of their secure network (not unlike what is currently required by 201 Code of Massachusetts Regulations 17.00 et seq. and Nevada's SB 227) and she suggests that the California Legislature may want to consider requiring such use of encryption.  She also explicitly states that her Office will make it an enforcement priority to investigate breaches involving unencrypted personal information.  The Attorney General goes as far as suggesting that FIPS 197 might be an appropriate encryption standard.  Interestingly, she does not discuss encryption of personal information stored on mobile devices.

Going beyond encryption, Attorney General Harris makes a number of other recommendations.  Many of these (with some exceptions) are nothing new for seasoned privacy and security professionals, but it is significant that the Attorney General is making these issues a priority:

Review and Tighten Security Controls, Including Training

The Attorney General reminds the reader that California does in fact have a statute that requires businesses to use reasonable and appropriate security procedures and practices to protect personal information, California Civil Code section 1798.81.5 - so this is more than a mere recommendation.  I always like to refer to this infrequently cited statutory provision in contract negotiations since many organizations also fail to realize that it requires any business that discloses personal information about a California resident pursuant to a contract with a nonaffiliated third party to require by contract that the third party implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.

But the law is not the only thing that matters - as the Attorney General notes, effective security controls are "also a competitive imperative for companies whose business model depends on the use of customer information and on the trust of those who tender it" (emphasis added).  She also notes that the best protection is to limit collection and retention of personal information, one of the basic FIPPs.  In light of the risks posed by theft of online credentials, she also recommends multi-factor authentication and strong encryption to protect user IDs and password in storage.  Finally, she suggests using system-enforced strong passwords.

Small businesses are not exempt: they "may be the custodian of the very sensitive personal information of thousands of past and present clients and employees.  Protecting that information is part of their professional and legal responsibilities.  We encourage them to review their security practices, including investigating ways to use encryption effectively, and  to consult their professional organizations and security experts for best practice guidance."

Improve the Readability of Breach Notices

The Attorney General recommends that communications professionals get involved in preparing notices, and suggests techniques such as shorter sentences, familiar words and phrases, active voice, and layout that supports clarity such as headers and smaller text blocks.

Offer Mitigation Products or Provide Information on Security Freezes to Victims of Breaches Involving Social Security Numbers or Driver's License Numbers

This is consistent with the reality that products like credit reporting are not particularly useful for breaches involving only credit card numbers.  The Attorney General keeps the recommendation narrow in this fashion even though credit monitoring products were offered in 12 breaches involving just payment card numbers, which, as she notes, " do not facilitate the opening of new account."  The report states:  "[w]hen a breach compromises a credit card number, victims can protect themselves from charges made by a thief simply by closing the affected account, which generally takes just a phone call and perhaps a letter of dispute.  In addition, federal law limits a consumer's liability for unauthorized credit card transactions to $50 and most banks today have a zero-liability policy."

By contrast, "[a] thief can use [a Social Security] number, along with the victim's name and other easily obtainable information, to do a number of things, including opening new accounts, taking out loans, receiving medical services, even providing the information when arrested or prosecuted for a crime."

The Attorney General suggests providing victims with the option of a security freeze even if another mitigation product like credit monitoring is offered.

Legislation Should be Considered to Amend the Breach Notification Law to Require Notification of Breaches of Online Credentials Such as User Name and Password

This is the most surprising, and likely controversial, recommendation of the report.  This recommendation is focused on incidents involving a user ID or email address, in combination with password or security question and answer.  The Attorney General bases this recommendation on the growing incidence of theft of online credentials.  She notes that, "because most consumers do not use unique passwords for all their accounts, a takeover of one can result in access to all, including banking and other supposedly secure accounts."

Although this is the case, adding such data elements would represent a fundamental shift away from existing law and would cover a number of incidents where little harm is likely to come to affected individuals.  The potential harm from such incidents can also be mitigated in large part by consumer education, encouraging individuals to use different passwords for their various accounts.  Most consumers these days are familiar with the risks associated with using the same password on several accounts.

Conclusion

Businesses of every shape and size should pay close attention to the Attorney General's recommendations and review their security programs, if they have not already.  Once upon a time, California was a state where enforcement related to data security breaches was rare, despite the laws on the books.  No longer.  We can expect the Attorney General to increase enforcement efforts, especially in those areas identified in her report.