On Tuesday, California Attorney General Kamala Harris addressed the Stanford Cyber Initiative to reveal her office's latest California Data Breach Report. As AG Harris noted in her remarks, the California constitution guarantees an inalienable right to privacy, but determining what privacy means in a digital age is more complicated than legislating and prosecuting physical acts of snooping. Last year, 178 breaches placed 24 million records of Californians at risk. This means that as many as three in five Californians may have been victims of a data breach in 2015 alone. In the report, AG Harris notes "nearly all of the exploited vulnerabilities, which enabled these breaches, were compromised more than a year after the solution to patch the vulnerability was publicly available. It is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers."
The report outlines five recommendations to prevent data breaches:
- The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.
- Organizations should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information. This stronger procedure would provide greater protection than just the username-and-password combination for personal accounts such as online shopping accounts, health care websites and patient portals, and web-based email accounts.
- Organizations should consistently use strong encryption to protect personal information on laptops and other portable devices, and should consider it for desktop computers. This is a particular imperative for health care, which appears to be lagging behind other sectors in this regard.
- Organizations should encourage individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files and make this option very prominent in their breach notices. This measure is free, fast, and effective in preventing identity thieves from opening new credit accounts.
- State policy makers should collaborate to harmonize state breach laws on some key dimensions. Such an effort could reduce the compliance burden for companies, while preserving innovation, maintaining consumer protections, and retaining jurisdictional expertise.
The full report is available here.