California Breach Notice Report Threatens Enforcement and More Legislation
July 2013 saw the release of California Attorney General Kamala D. Harris' “Data Breach Report 2012.” This is her initial report on data breaches and reflects the first breach notices received after the requirement to provide notices to the attorney general took effect. While much of the report consists of statistical summaries of the 131 reports received (from 103 entities), the report clearly is designed to send messages. Businesses holding covered information on California residents could be directly affected, but others should take note as well, because California's statutes and polices on breach notification have significantly influenced the requirements adopted by many other jurisdictions.
The attorney general makes five numbered recommendations. Two of those expressly threaten enforcement or call for additional legislation, and others hold the seeds of future demands.
Expanded Encryption Sought
The California breach notice statutes producing the notices in question contain an exception to the notice requirement where covered data are encrypted. So the notices analyzed involved unencrypted data. The report states that 28% of the reported beaches “were the result of lost or stolen media or hardware or misdirected email containing unencrypted personal information” and “exposed over 1.4 million victims to the risk of harm.” The attorney general sees this as the “result of deficient data management policies or practices,” in particular the “failure to encrypt sensitive data when it is in transit on portable devices or in emails.”
The attorney general declares that her office “will make it an enforcement priority to investigate breaches involving unencrypted personal information” and will “encourage our allied law enforcement agencies” to do so also. The report notes that California Civil Code Section 1798.81.5 imposes a duty on a “business that owns or licenses personal information about a California resident” to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Several categories of businesses, including covered entities governed by the HIPAA privacy and security rules, are exempted.
While the report does not describe the enforcement theories that the attorney general contemplates, presumably they include that the failure to encrypt that led to a breach notice reflected non-compliance with the duty to have in place reasonable security procedures and practices. Section 1798.84 (c ) provides that any “business” which has violated the statute “may be enjoined.” Because the remedies specified by section 1798.84 are expressly “cumulative” of any other remedies “available under law,” the attorney general might assert that additional sanctions apply as well.
In addition to enforcement promises, the attorney general's report recommends that the California legislature “consider requiring the use of encryption to protect personal information in transit.” That recommendation is not further explained.
Expanded Breach Notification
The other express recommendation for legislation calls for an amendment to the California breach notification statute to require notification of “breaches of online credentials, such as user name and password.” The accompanying discussion clarifies the recommended amendment as encompassing breaches where “online credentials (user ID or email, in combination with password or security question and answer)” are involved.
This recommendation does not purport to arise from analysis of the 131 breach notices but, instead, is based on “intrusions at Sony, Yahoo, The New York Times and Twitter” occurring during recent years that “have targeted passwords and other account credentials for more than one million people.” The stated concern is that criminals use stolen credentials to get “access to the accounts” and also, “because most consumers do not use unique passwords for all their accounts, a takeover of one can result in access to all.” The report does not discuss how the attorney general concluded from such incidents that the breach notice obligation should be expanded in the precise manner that she recommends.
Three other recommendations encourage covered businesses and government agencies to take additional steps. While these are not coupled with express enforcement threats, or requests for additional legislation, they may signal the possible emergence of such initiatives in the future.
Tighten Security Controls
The report recommends that covered businesses and government agencies review and tighten their security controls protecting personal information, while noting that “the best protection is to limit the collection and retention of personal information.” Among the 2012 breach notices, the sectors most frequently suffering intrusions were the “retail sector” followed by “finance and insurance.” The attorney general recommends that they implement “better protections for point-of-sale terminals and the payment card processing network.”
To guard against the theft of online credentials, companies should, the attorney general recommends, consider “multifactor authentication to protect sensitive systems and strong encryption to protect user IDs and passwords in storage.” Also suggested is “using system-enforced strong passwords.” The report stresses, in addition, the importance of “regular training on an organization's policies and procedures for the employees, contractors, and other agents who handle personal information.” This latter recommendation is premised on the speculation that “many” of the 22 breaches resulting from “procedural failures” were “likely the result of ignorance or noncompliance with organizational policies.”
Improve Notice Readability
The attorney general's office analyzed “70 randomly selected notices” to determine their Flesch-Kincaid Grade-level score using “Microsoft Office Word 2007's built-in readability calculating function” and found “an average reading level of 14th grade” (presumably college sophomore). It then reports that the average reading level of the U.S. population is “equivalent to eighth grade.” To make notices “more accessible,” notice drafters should use “shorter sentences, familiar words and phrases, the active voice,” and “headers for key points and smaller text blocks.”
The report states threateningly that the “law requires that the notices be written in plain language,” implying that one day an enforcement action may assert that an insufficiently dumbed-down notice does not meet that standard. Critically, the report, while suggesting that a 14th grade reading level may be too high, provides no guidance concerning what grade level notice drafters should set as their goal.
“Mitigation Products” and “Security Freeze” Information
The report expresses heightened concern about breaches that expose social security numbers and driver's license numbers, because these enable criminals to commit “new account” fraud, where the “victim's personal information is used to open new credit card or other accounts.” Seventy-five of the noticed breaches involved such numbers. This is viewed as one of the most serious types of identity theft because the criminal will use an address other than the victim's address, with the consequence that the victim may not learn of the fraud for a long time, until she is denied credit or contacted by a debt collector.
The report asserts that new account fraud “increased by 50 percent in 2012.” The accompanying note cites a proprietary study by Javelin Strategy & Research to the effect that it “increased from 0.82 percent of adults in 2011 to 1.22 percent in 2012” and cost $10 billion.
In that context, the attorney general recommends that those providing notice of breach involving social security numbers or driver's license numbers “offer protective measures to victims.” This partly reflects that such measures were not offered in 22 of the 75 reported breaches involving such numbers. The recommended protective measures include “credit monitoring or ‘identity theft protection' service” and a “security freeze.” The latter, available under California law, and in many other jurisdictions, is said to inhibit most potential creditors from opening new accounts and is thought by the attorney general to be “the strongest protection available” against the most prevalent types of new account identity theft.
Perhaps significantly, while the report recommends that businesses and government agencies be required to take additional protective measures and voluntarily undertake others, it presents no analysis of the direct or indirect costs that would be involved in their doing so. For example, if every business were to double its training on “policies and procedures for the employees, contractors, and other agents who handle personal information,” that would have direct costs in terms of providing the training and indirect costs in the sense that employee time spent being trained is not being used to accomplish the employee's productive tasks. If such training reduced breaches by 5%, would it have been a good investment? Perspectives on such matters will have to come from sources other than the attorney general's report.