Data breaches affected more than 2.5 million California residents last year, and the state’s attorney general said that the information belonging to more than half of those victims would have been unaffected had the data been encrypted by the companies storing it. In an effort to remedy this situation, Attorney General Kamala Harris is planning to take a close look at data breaches that involve unencrypted data, making them an enforcement priority.
California has been at the forefront of the data breach reporting and enforcement movement, passing the landmark breach-notification law in 2002 that was the first of its kind in the U.S. The law requires any company that believes the personal information of a California resident has been exposed in a breach to notify the affected individuals, and since 2012 to also report the incident to the attorney general when more than 500 Californians are affected. There has been a lot of discussion of the law and its value in the last decade, and many states have since followed suit with similar breach-notification measures.
Now, Harris says that she believes companies that hold consumer data need to do a better job of protecting it and that means using encryption.
“Data breaches are a serious threat to individuals’ privacy, finances and even personal security,” Harris said Monday after releasing a new report on the number of Californians affected by breaches in 2012. “Companies and government agencies must do more to protect people by protecting data.”
In many states, including California, encrypted data is exempt from breach notifications, with the assumption being that attackers won’t be able to access the encrypted data in a reasonable amount of time. That exemption is only meaningful if the decryption keys were not exposed along with the data. Privacy advocates and security experts have been encouraging more widespread use of encryption for storing sensitive data for years now, but companies have been slow to adopt it for a variety of reasons, including the complexity and cost of implementation.
However, that may change now that Harris is planning to make the investigation of breaches involving unencrypted data an “enforcement priority.” Californians were affected by 131 data breaches last year, and the report from Harris’s office says that 28 percent of them would not have required notification had the data involved been encrypted.
“Particularly striking is the impact of the failure to encrypt sensitive personal information. It has been ten years since we realized the vulnerability of personal information on stolen laptops, lost data tapes, and misdirected emails. If encryption had been used, over 1.4 million Californians would not have had their information put at risk in 2012. That number represents more than half of the 2.5 million people affected by the 131 breaches covered in this report. It is my strong recommendation that companies and agencies implement encryption as a basic protection and reasonable security measure to help them meet their obligation to safeguard personal information entrusted to them,” Harris wrote in the introduction to the report, which is the first one from her office.
In the recommendations section of the report, Harris says that while her office will focus on incidents involving unencrypted data, lawmakers may also have something to say on that issue.
“The Legislature may also want to consider requiring the use of encryption to protect personal information in transit,” the report says.