BreachExchange mailing list archives

California to Focus on Unencrypted Data in Breach Investigations


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 13 Jan 2015 20:10:24 -0700

http://threatpost.com/california-to-focus-on-unencrypted-data-in-breach-investigations/101196

Data breaches affected more than 2.5 million California residents last
year, and the state’s attorney general said that the information belonging
to more than half of those victims would have been unaffected had the data
been encrypted by the companies storing it. In an effort to remedy this
situation, Attorney General Kamala Harris is planning to take a close look
at data breaches that involve unencrypted data, making them an enforcement
priority.

California has been at the forefront of the data breach reporting and
enforcement movement, passing the landmark breach-notification law in 2002
that was the first of its kind in the U.S. The law requires that any
company that believes one of its customers in California is affected by a
data breach must report the incident to the state. There has been a lot of
discussion of the law and its value in the last decade and many states have
since followed suit with similar breach-notification measures.

Now, Harris says that she believes companies that hold consumer data need
to do a better job of protecting it and that means using encryption.

“Data breaches are a serious threat to individuals’ privacy, finances and
even personal security,” Harris said Monday after releasing a new report on
the number of Californians affected by breaches in 2012. “Companies and
government agencies must do more to protect people by protecting data.”

In many states, including California, encrypted data is exempt from breach
notifications, with the assumption being that attackers won’t be able to
access the encrypted data in a reasonable amount of time. Privacy advocates
and security experts have been encouraging more widespread use of
encryption for storing sensitive data for years now, but companies have
been slow to adopt it for a variety of reasons, including the complexity
and cost of implementation.

However, that may change now that Harris is planning to make the
investigation of breaches involving unencrypted data an “enforcement
priority”. Californians were affected by 131 data breaches last year, and
the report from Harris’s office says that 28 percent of them would not have
required notification had the data involved been encrypted.

“Particularly striking is the impact of the failure to encrypt sensitive
personal information. It has been ten years since we realized the
vulnerability of personal information on stolen laptops, lost data tapes,
and misdirected emails. If encryption had been used, over 1.4 million
Californians would not have had their information put at risk in 2012.
That number represents more than half of the 2.5 million people affected
by the 131 breaches covered in this report. It is my strong recommendation
that companies and agencies implement encryption as a basic protection and
reasonable security measure to help them meet their obligation to safeguard
personal information entrusted to them,” Harris wrote in the introduction
to the report, which is the first one from her office.

In the recommendations section of the report, Harris says that while her
office will focus on incidents involving unencrypted data, lawmakers may
also have something to say on that issue.

“The Legislature may also want to consider requiring the use of encryption
to protect personal information in transit,” the report says.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
