Print
Category: California News

San Francisco, California - Attorney General Kamala D. Harris addressed the Stanford Cyber Initiative to release a comprehensive report detailing the nature of data breaches reported to her office over the past four years.  The report found that between 2012 and 2015, there were 657 data breaches, which compromised over 49 million records of Californians’ personal information.

The report is accompanied by recommendations from the Attorney General for organizations, businesses and lawmakers on how to protect against data breaches, and points to a specific set of actions that companies and organizations should start with to meet the state and federal mandates of reasonable security.

Last year, 178 breaches placed 24 million records of Californians at risk.  This means that as many as three in five Californians may have been victims of a data breach in 2015 alone.

“Government and the private sector have a shared responsibility to safeguard consumers from threats to their privacy, finances, and personal security,” said Attorney General Harris.  “California is leading the nation with measures to prevent data breaches, but we can do better.  This report clearly articulates basic steps that businesses and organizations must take to comply with the law, reduce data breaches, and better protect the public and our national security.”

The report includes information on the most common types of data breached, explains what types of breaches different industry sectors were most susceptible to, and provides recommendations to reduce the frequency and impact of future breaches.

Types of Data Breached 

Industry Sectors 

Recommendations for Organizations

Recommendations for State Policy Makers

As data threats evolve, California must remain at the forefront of identifying and implementing creative and effective ways to fend off attackers.  In 2004, California passed its information security statute (AB 1950, Wiggins), which requires businesses that collect personal information to use “reasonable security practices and procedures.” In 2003, California became the first state to mandate data breach notification, requiring businesses and state agencies to inform consumers when a security breach compromises their personal information (AB 700, Simitian). As of 2012, any breach involving more than 500 Californians must be reported to the Attorney General’s Office (SB 24, Simitian).

Attorney General Harris has invested the best talent and resources of the California Department of Justice into the fight for cyber security.  In 2011, she created the eCrime Unit, which is tasked with investigating and prosecuting large-scale identity theft, technology crimes, and crimes that target electronic devices, networks, or intellectual property.  In 2012, Attorney General Harris established the Privacy Enforcement and Protection Unit to enforce and regulate state and federal laws regulating the collection, retention, disclosure, and destruction of personal information, as well as to educate organizations and consumers on privacy responsibilities and rights.

Furthermore, a number of recommendations from Attorney General Harris’s previous data breach reports have been enacted into law.  SB 46 (Corbett), which took effect in January 2014, added online account credentials to the list of personal data covered under SB 24 (Simitian).  In 2014, AB 1710 (Dickinson) was enacted, requiring the source of a breach of such data to offer identity theft prevention or mitigation services at no cost to the affected person and for no less than 12 months.  The law took effect in January 2015.  In 2015, SB 570 (Jackson) amended the breach law to require the use of a format for breach notices that makes them easier to understand. It took effect in January 2016. 

View the full California Data Breach Report February 2016.