Despite encryption carrot, California companies chose risky stick

Millions of Californians wouldn't need to worry about the risk to their personal data if some businesses took a little more care in protecting it.

That's what California's Attorney General, Kamala D. Harris, concluded in the state's first data breach report released earlier this week.

The analysis of data breaches reported to the AG's office last year found that the data of some 2.5 million residents of the Golden State was put at risk by the 131 breaches covered in the 40-page report.

It also found that 1.4 million Californians would have been protected if companies had encrypted data when moving or sending the data out of the company's network.

More than a quarter of the breaches reported to the AG (28 percent) occurred because of lost or stolen media or hardware, or misdirected emails containing unencrypted confidential information, the report said.

Some 89 percent of those breaches involved Social Security numbers, which enable new account and account takeover fraud -- the types of identity theft that are the most costly to resolve, it noted.

If the data had been encrypted, the report said, it was very likely that none of those incidents would have required notification, and over 1.4 million victims would not have been exposed to the risk of harm.
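The mitigation the report keeps returning to is simple in principle: encrypt the records before they leave the network, so that a lost laptop, a misplaced USB stick or a misdirected e-mail carries ciphertext rather than Social Security numbers. The following is an added illustration, not code from the report or from CSOonline, using only Go's standard library (AES-256-GCM). The export records are constructed sample data, the key is assumed to live in a key management system rather than on the same media, and the function and label names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample export: the kind of file the report says was found on
// lost or stolen media. The SSN values are placeholders, not real numbers.
const sampleExport = "name,ssn\nJane Doe,000-00-0000\nJohn Roe,000-00-0001\n"

// NewExportKey generates a fresh 256-bit key. Assumption for this example: in
// production the key is held in a key management system and never travels
// with the exported file, which is what makes the lost-media case harmless.
func NewExportKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts and authenticates an export with AES-256-GCM. The output
// layout is nonce || ciphertext || tag; the label is bound as associated data
// so a file sealed for one purpose cannot be quietly re-labelled as another.
func Seal(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Open reverses Seal. It fails on a wrong key, a wrong label, a truncated file
// or any modification of the ciphertext, so a tampered export is rejected
// instead of being parsed.
func Open(key, sealed, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed export too short to contain nonce and tag")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// ContainsPlaintext reports whether a known record is readable in a blob, the
// check an investigator makes on recovered media to decide whether the loss
// exposed personal data.
func ContainsPlaintext(blob []byte, needle string) bool {
	return bytes.Contains(blob, []byte(needle))
}

func main() {
	key, err := NewExportKey()
	if err != nil {
		panic(err)
	}
	label := []byte("customer-export") // constructed label for this example
	sealed, err := Seal(key, []byte(sampleExport), label)
	if err != nil {
		panic(err)
	}
	fmt.Printf("SSN visible in unencrypted export: %v\n", ContainsPlaintext([]byte(sampleExport), "000-00-0000"))
	fmt.Printf("SSN visible in sealed export:      %v\n", ContainsPlaintext(sealed, "000-00-0000"))
	if _, err := Open(key, sealed, []byte("wrong-label")); err != nil {
		fmt.Println("re-labelled file rejected:", err)
	}
}
```

Two points of the design matter for the exemption the article describes: the key must be kept apart from the media, since an encrypted file with its key taped to it is effectively unencrypted, and the authenticated mode means a recovered or intercepted file that has been altered is rejected outright rather than silently decrypting to garbage.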


"It's surprising that despite the high likelihood that a company anywhere -- not only in California -- could suffer a data breach, the rate of encryption appears to be pretty low," Larry Ponemon, founder and chairman of the Ponemon Institute, told CSOonline.

The value of encryption was implicitly recognized when California passed its data breach reporting law in 2003. In the measure, the state exempted from the reporting requirement breaches involving encrypted data.

"In spite of the carrot of the breach notification law's encryption exemption, organizations are subjecting too many Californians to a risk that is eminently avoidable," the report said.

More than half the breaches reported to the AG (55 percent) resulted from intrusions from either insiders, outsiders or outsiders posing as insiders. And 45 percent of the breaches occurred due to companies failing to adopt or implement security measures.

Encryption is a security measure typically ignored, said Scott Hazdra, principal security consultant with Neohapsis. "There is a cost per record breached that a company suffers but frequently they don't take that into account when they look at the cost of preventative measures," Hazdra said in an interview.

"There's a short-sightedness from a business perspective," he said, "and an interest in the short-term bottom line."

Some of the findings in the California report are similar to those in other data breach studies, Ponemon noted. For example, the average size of a data breach in California is around 19,000 records, which is consistent with studies performed by Ponemon.

"A lot of data breaches occur in that size range," Ponemon said, "but they don't get big media pickup any more because it's become a ho-hum topic."

Another finding in the AG report was that the retail sector was a prime target for intruders, representing 26 percent of all the breaches covered in the report. "We always find retail a higher probability than other industries for a material data breach of 1,000 records or more," Ponemon said.

Health care breaches ranked third in the AG's report, making up 15 percent of the breaches. "Medical records are very valuable on the black market right now because they're a treasure trove of information," Ponemon noted.

While there have been concerns raised by business about public reporting of data breaches, Neohapsis' Hazdra believes reports like the one from the California AG can have a positive influence on businesses.

"Knowing organizations are being impacted and what that impact is helps business leaders decide how to go forward with security and encryption and protecting customer data," Hazdra said.

The AG's report is a good first effort, said John M. Simpson, director of Consumer Watch's Privacy Project. "Any time you do something the first time, there may be some flukes in what happened," he said in an interview. "So it's hard to generalize who's the most sloppy with data from one report."

But he added: "This is an important step to shine a light like this on the problem, and it may prompt some better data management practices by companies when they see their names in reports like this."
