Electronic data breaches put the personal information of 2.5 million Californians at risk in 2012, according to a report released Monday by Attorney General Kamala Harris.
State law requires businesses and government agencies to notify consumers when a data breach might have put their personal information at risk. A bill passed in 2012 also requires companies to report a breach to the attorney general when more than 500 consumers' information has been accessed.
The report's description of 131 breaches of consumer information marks the first time the information has been made available to the public.
California law requires companies to report breaches of information whether the breach was malicious or unintentional.
The report details when each breach occurred and what private information was affected. The list of organizations that experienced data breaches in 2012 includes the California Department of Health Care Services, the state Department of Child Supportive Services, American Express and State Farm Insurance.
The retail industry reported the greatest number of breaches, followed by financial institutions and insurance providers.
"Data breaches are a serious threat to individuals' privacy, finances and even personal security," Harris said in a statement. "Companies and government agencies must do more to protect people by protecting data."
Harris recommended companies use encryption and tighter security measures to protect consumer information in the future. If the companies that reported breaches in 2012 had implemented these measures, Harris said, 1.4 million fewer people would have had their information compromised.
John M. Simpson, director of privacy for Consumer Watchdog, commended Harris for "shining a light" on the problem and disclosing this information to the public voluntarily.
"There's been a philosophy on the part of these companies to keep this all quiet," Simpson said. "To me, the consumer's trust is built when someone says, 'OK, this breach has happened, and these are the steps we are going to take.' If you sweep it under the rug, that's no good for the consumers."
Harris also suggested that companies write notification letters that are easier to understand when they contact consumers whose personal information has been accessed.
A company must notify its customers if their name and driver's license number, credit or debit card information, bank account, Social Security number, medical information or health insurance information has been put at risk.
AT A GLANCE
The 131 data breaches reported to the attorney general's office for 2012 included half a dozen state agencies.
• California Department of Health Care Services
• California Department of Corrections and Rehabilitation
• Privacy Office, California Correctional Health Care Services
• California Department of Social Services
• California Department of Justice/CATCH
• Department of Child Supportive Services
Contact Annalise Mantz, Bee Capitol Bureau, (916) 326-5545.