This post was also written by Maytak Chin.
A California attorney general’s report released this month shows that data security threats are on the rise in the Golden State. Against a backdrop of increasing security breaches, the report recommends best practices for companies to adopt as a way to reduce their vulnerabilities and to better protect consumers.
The report highlights trends in security breaches that have occurred in California over the past two years. Last year alone, personal data from more than 18.5 million California residents was compromised, which represents a 600 percent increase from the 2.6 million records breached the year before. Moreover, the leading industries targeted for hacks and malware attacks were retail, financial services, and health care. In 2013, the retail industry had 26 percent of total breaches, followed by financial services at 20 percent, and health care at 15 percent. These industries are most at risk for security breaches because they possess and transact sensitive consumer data as an integral part of their business models.
Large retailers are particularly in jeopardy for cyber attacks. For instance, Target had a security breach that compromised 41 million individual records, and Living Social had 50 million of its consumer records hacked in 2013, which affected consumers nationwide. The magnitude of the security compromises at Target and Living Social illustrates how large retail companies have become prime targets for cyber attacks. However, updating company practices and technological processes can reduce system vulnerabilities.
The California attorney general’s report recommends that companies take four steps to improve data security and reduce breaches:
- First, companies could update point-of-sale terminals and systems, e.g., cash registers and other payment card technologies, to accept chip-embedded cards. Chip cards interact with physical sale terminals to authenticate payment cards and have the ability to send a one-time message, which changes with each transaction. Since 1994, more than 80 countries have moved toward using chip cards, including Canada, Mexico, and Brazil, and several countries in Europe and Asia.
- Second, encrypting sensitive information could reduce unauthorized access to the data. Once encrypted, the data transforms into a non-readable format that becomes readable only when paired with a matching cryptographic key generated by a matching mathematical algorithm. This prevents access to such information from unauthorized users who do not have the matching cryptographic key.
- Third, companies could employ tokenization solutions to make sensitive information less accessible. Tokenization is similar to encryption, except the key or token is generated at random at the point of use, rather than through a set mathematical algorithm.
- Fourth, companies should implement security breach policies to ensure prompt notifications to consumers and responses to address the breach, as measures to prevent further systemic harm.
The California attorney general’s report comes on the eve before new personal information privacy rules take effect next year. In the past month, the California Legislature passed, and the governor approved, Assembly Bill No. 1710, which amend Civil Code section 1798 et seq. The newly enacted provisions will restrict the sale of Social Security numbers, including in advertising and offers to sell, and expand the law to reach any company that owns, licenses, or maintains specified personal information of any California resident. The new laws will also require that security breach notifications include an offer from the business with the breach to provide appropriate identity theft prevention and mitigation service to compromised consumers. For more information on Assembly Bill No. 1710, check our blog post on it here.
The California attorney general’s office is one of the most active offices in the area of state privacy enforcement. In the past several years, however, state attorney generals across all 50 states have become increasingly active in privacy enforcement because of a lack of comprehensive privacy rules in the United States at the federal level.