Despite encryption carrot, California companies chose risky stick

Millions of Californians wouldn't need to worry about the risk to their personal data if some businesses took a little more care in protecting it.

That's what California's Attorney General, Kamala D. Harris, concluded in the state's first data breach report released earlier this week.

The analysis of data breaches reported to the AG's office last year found that the data of some 2.5 million residents of the Golden State was put at risk by the 131 breaches covered in the 40-page report.

It also found that 1.4 million Californians would have been protected if companies had encrypted data when moving or sending the data out of the company's network.

More than a quarter of the breaches reported to the AG (28 percent) occurred because of lost or stolen media or hardware, or misdirected emails containing unencrypted confidential information, the report said.

Some 89 percent of those breaches involved Social Security numbers, which enable new account and account takeover fraud -- the types of identity theft that are the most costly to resolve, it noted.

If the data had been encrypted, the report said, it was very likely all of those incidents would not have required notification and would not have exposed over 1.4 million victims to the risk of harm.

"It's surprising that despite the high likelihood that a company anywhere -- not only in California -- could suffer a data breach, the rate of encryption appears to be pretty low," Larry Ponemon, founder and chairman of the Ponemon Institute, told CSOonline.

The value of encryption was implicitly recognized when California passed its data breach reporting law in 2003. In the measure, the state exempted from the reporting requirement breaches involving encrypted data.

"In spite of the carrot of the breach notification law's encryption exemption, organizations are subjecting too many Californians to a risk that is eminently avoidable," the report said.

More than half the breaches reported to the AG (55 percent) resulted from intrusions by insiders, outsiders, or outsiders posing as insiders. The remaining 45 percent of breaches occurred because companies failed to adopt or implement security measures.

Encryption is a security measure typically ignored, said Scott Hazdra, principal security consultant with Neohapsis. "There is a cost per record breached that a company suffers but frequently they don't take that into account when they look at the cost of preventative measures," Hazdra said in an interview.

"There's a short-sightedness from a business perspective," he said, "and an interest in the short-term bottom line."

Some of the findings in the California report are similar to those in other data breach studies, Ponemon noted. For example, the average size of a data breach in California is around 19,000 records, which is consistent with studies performed by Ponemon.

"A lot of data breaches occur in that size range," Ponemon said, "but they don't get big media pickup any more because it's become a ho-hum topic."

Another finding in the AG report was that the retail sector was a prime target for intruders, representing 26 percent of all the breaches covered in the report. "We always find retail a higher probability than other industries for a material data breach of 1,000 records or more," Ponemon said.

Health care breaches ranked third in the AG's report, making up 15 percent of the breaches. "Medical records are very valuable on the black market right now because they're a treasure trove of information," Ponemon noted.

While there have been concerns raised by business about public reporting of data breaches, Neohapsis' Hazdra believes reports like the one from the California AG can have a positive influence on businesses.

"Knowing organizations are being impacted and what that impact is helps business leaders decide how to go forward with security and encryption and protecting customer data," Hazdra said.

The AG's report is a good first effort, said John M. Simpson, director of Consumer Watch's Privacy Project. "Any time you do something the first time, there may be some flukes in what happened," he said in an interview. "So it's hard to generalize who's the most sloppy with data from one report."

But he added: "This is an important step to shine a light like this on the problem, and it may prompt some better data management practices by companies when they see their names in reports like this."
