Beginning in 2012, under the California Breach Notification Laws (Cal. Civ. Code 1798.29 and 1798.82), any agency, person or business that notifies more than 500 California residents of a data security breach must also report that breach to the California Attorney General. As a result of this requirement, in 2012 the California Attorney General received reports of 131 breaches that affected more than 2.5 million California residents. Based on these reports, on July 1, 2013, the California Attorney General issued the 2012 Data Breach Report, which summarizes the types of reported breaches and the actions that may be taken to reduce the likelihood of a breach. Specifically, the California Attorney General made the following five recommendations:
1. Encrypt personal information when in transit, on portable devices or in emails.
2. Review and strengthen security controls used to protect personal information.
3. Prepare breach notification letters in an easy-to-understand format.
4. Offer mitigation products to victims of breaches that involve social security numbers or driver’s license numbers.
5. Consider amending breach notification laws to require reporting of breaches that involve usernames and passwords.
These recommendations provide insight into where the California Attorney General will likely focus its data breach investigation and enforcement efforts. They also signal areas where the California Attorney General may advocate for amendments to California’s existing data breach laws. Because California has historically been a leader in the data security arena, other states may look to these recommendations as guidance for their own enforcement and legislative efforts. As such, these recommendations are helpful for agencies and businesses that operate in California as well as in other states.