Removing Barriers Blog

2015 California Data Breach Report Released
Posted February 18, 2016 by CUNA Advocacy

This week, California Attorney General Kamala Harris released a report analyzing the data breaches reported in California from 2012 to 2015. California was the first state to enact a data breach notification law, which took effect in 2003. Since then, 46 other states have enacted similar laws. Alabama, New Mexico and South Dakota are the only states without a data breach notification law.

According to the California Data Breach Report 2015, nearly 50 million records of Californians were breached during the referenced time period, and the majority of those breaches resulted from security failures. The report found that breaches occurred in all parts of the economy, including retailers, financial institutions, healthcare providers and government agencies. In response to a number of breaches in 2013, the 2014 version of the report encouraged the prompt adoption of EMV technology. The current report points out that card-issuing financial institutions have upgraded their cards, with 98 percent of total payment cards in the U.S. now bearing chips, and notes that “Retailers have more work to do in upgrading their terminals to accept cards bearing chips.” The report further provides that data breaches can be expected “Until all retail terminals are chip-enabled and the magnetic stripe can be eliminated from cards.”

The report also finds that the retail industry has seen the largest share of breaches throughout the four-year period, averaging 25% of all California breaches, while the finance sector, which includes insurance, represented only 18% of the breaches. The Anthem breach in 2015 inflated the finance sector’s percentage; without that breach, the finance sector’s share would drop to 6%.

Among the breaches at financial institutions, there were fewer instances of hacking and malware – the dominant type of breach – than in all other sectors. Breaches resulting from errors by insiders, however, were more than twice as common as in other sectors (31 percent versus 14 percent). The financial sector also experienced nearly three times as many breaches caused by insiders abusing their access privileges: 14 percent compared to five percent in all others. The type of data most commonly involved was Social Security numbers.

Among the recommendations in the report is a request that states collaborate on the key provisions of data breach laws to maintain consumer protection and ease the compliance burdens on organizations.