More than 2.5 million Californians had personal information put at risk through 131 data breaches reported to state Attorney General Kamala Harris in 2012.
Harris released a report on Monday that said 1.4 Californians would have been protected during those breaches if companies had encrypted data when moving or sending it out of their networks.
“Data breaches are a serious threat to individuals’ privacy, finances and even personal security,” Harris said. “Companies and government agencies must do more to protect people by protecting data.”
Additional key findings of the report include:
- The average (mean) breach incident involved the information of 22,500 individuals. The median breach size was 2,500 affected individuals, with five breaches of 100,000 or more individuals’ personal information.
- The retail industry reported the most data breaches in 2012: 34 (26 percent of the total reported breaches), followed by finance and insurance with 30 (23 percent).
- More than half of the breaches (56 percent) involved Social Security numbers, which pose the greatest risk of the most serious types of identity theft.
- More than half of the breaches (55 percent) were the result of intentional intrusions by outsiders or by unauthorized insiders. The other 45 percent were largely the result of failures to adopt or carry out appropriate security measures.
California law mandates that businesses and state agencies notify citizens when their personal information is compromised in a security breach. In 2012, for the first time, companies and agencies subject to the law were required to report any breach that involved more than 500 Californians to the attorney general’s office.
While Monday’s report was not required by law, Harris released the report to provide information to the public about the types of breaches and to make recommendations to companies, law enforcement agencies and the legislature about how data security can be improved.
Some of those recommendations include practices that would decrease the number of breaches and make it easier for consumers to recover from the loss or theft of personal information, as well as a call for law enforcement to more aggressively target breaches involving unencrypted personal information.