The personal information of more than 18.5 million California residents – nearly half of the state’s population – was at risk last year because of data breaches, California Attorney General Kamala Harris said Tuesday.
The numbers come from the second annual California Data Breach Report, which takes a detailed look at cyber crimes to the state’s 38.8 million residents.
The numbers for 2013 are a 600 percent increase from 2012, due chiefly to massive breaches at Target and LivingSocial, each of which put the personal information of approximately 7.5 million Californians at risk. Even without those two incidents, the number of customer accounts exposed by cyber hacking, lost and stolen hard drives, and accidental data leaks jumped 35 percent last year.
“Data breaches pose a serious threat to the privacy, finances and personal security of California consumers,” Harris said in a statement. “The fight against these kind of cybercrimes requires the use of innovative strategies by government and the private sector to protect our state’s consumers and businesses,” Harris said, urging greater “use of encryption to significantly reduce the risk of data breaches.”
As many as one-third of people whose information is exposed in a data breach will subsequently suffer some kind of fraud, Harris noted in the report, citing estimates by Javelin Strategy & Research, a California firm that tracks financial industry trends.
More than half of the 2013 breaches (53 percent) were caused by computer intrusions, such as malware and hacking. The remaining breaches resulted from physical loss or theft of laptops or other devices containing unencrypted personal information (26 percent), unintentional errors (18 percent) and intentional misuse (4 percent).
More than half of the breaches reported in California involved malicious attempts by hackers or cyber criminals who were determined to steal customer data, according to the report, which said “trans-national criminal organizations” appear to be responsible in many cases.
In 2003, California was the first state to pass a law (AB 700) mandating data breach notifications. This law requires businesses and state agencies to notify Californians when their personal information is compromised in a security breach.
In 2012, companies and state agencies subject to the law were also required for the first time to report any breach that involved more than 500 Californians to the Attorney General’s Office, creating the data for this report.
A new state law that goes into effect next year that will require companies to offer at least one year of free theft-prevention assistance, such as credit monitoring, to consumers affected by data breaches. While many companies already do this, the report says that kind of help was only offered in half of the breaches reported over the last two years and will most impact smaller retailers that have yet to offer the service.
Harris, who earlier this year recommended guidelines for small businesses to protect consumer data, is recommending additional changes, including legislation that sets stricter notification requirements and provides financial aid to help small businesses adopt data safeguards. She also urges companies to use stronger encryption and other protective methods, although she noted that a recent legislative effort to require encryption was unsuccessful.
The full California breach report is available here.