In the first report of its kind, California's Attorney General, Kamala D. Harris, had revealed that 2.5 million people — roughly 6.5 percent of the state's population — were exposed by data breaches in 2012.
California has always been the go to state for innovative technologies. It's also the first state to have breach notification laws, such as AB 700 and SB 24. Forty-six other states have since followed with their own notification requirements, so perhaps these states will now follow California once again, and release their own breach reports.
While not as detailed as some of the studies released by data security vendors, the California Attorney General's breach report details all of the essential data, including the fact that of the 2.5 million people placed at risk due to a data breach, 1.4 million of them didn't need to be on the list. Specifically, the report states that those 1.4 million people would have been protected if only the "companies had encrypted data when moving or sending the data out of the [network]."
"Data breaches are a serious threat to individuals' privacy, finances and even personal security. Companies and government agencies must do more to protect people by protecting data," Attorney General Harris said in a statement.
The report coverers 131 incidents in all, with the average breach accounting for 22.500 people. The retail sector reported the most data breaches with 26 percent of the cases, followed by the finance and insurance sectors with 23 percent and healthcare with 15 percent. It's worth noting that more than half of the breaches involved intentional intrusions from the outside or intentional acts from insiders. The rest of the breaches, 45 percent, were largely due to failure "to adopt or carry out appropriate security measures," the report notes.
As mentioned, the report singles out those firms that didn't take precautions when it comes to protecting data, and focuses largely on encryption to make that point. In fact, the report says, 28 percent of the reported breaches in 2012 wouldn't have required notification if the data was encrypted at the time of the incident.
"Despite the incentive created by the breach notification laws exemption for encrypted data, many companies are still failing to use this effective security measure. Far too many people continue to be put at risk when companies do not encrypt data," the report adds.