
Despite encryption carrot, California companies chose risky stick

John P. Mello | July 4, 2013
State Attorney General report reveals some businesses reluctant to scramble data to protect it

Millions of Californians wouldn't need to worry about the risk to their personal data if some businesses took a little more care in protecting it.

That's what California's Attorney General, Kamala D. Harris, concluded in the state's first data breach report released earlier this week.

The analysis of data breaches reported to the AG's office last year found that the data of some 2.5 million residents of the Golden State was put at risk by the 131 breaches covered in the 40-page report.

It also found that 1.4 million Californians would have been protected if companies had encrypted data when moving or sending the data out of the company's network.

More than a quarter of the breaches reported to the AG (28 percent) occurred because of lost or stolen media or hardware, or misdirected emails containing unencrypted confidential information, the report said.

Some 89 percent of those breaches involved Social Security numbers, which enable new account and account takeover fraud -- the types of identity theft that are the most costly to resolve, it noted.

If the data had been encrypted, the report said, it was very likely all of those incidents would not have required notification and would not have exposed over 1.4 million victims to the risk of harm.

"It's surprising that despite the high likelihood that a company anywhere -- not only in California -- could suffer a data breach, the rate of encryption appears to be pretty low," Larry Ponemon, founder and chairman of the Ponemon Institute, told CSOonline.

The value of encryption was implicitly recognized when California passed its data breach reporting law in 2003. In the measure, the state exempted from the reporting requirement breaches involving encrypted data.

"In spite of the carrot of the breach notification law's encryption exemption, organizations are subjecting too many Californians to a risk that is eminently avoidable," the report said.

More than half the breaches reported to the AG (55 percent) resulted from intrusions by insiders, outsiders, or outsiders posing as insiders. The remaining 45 percent of the breaches occurred because companies failed to adopt or implement security measures.

Encryption is a security measure typically ignored, said Scott Hazdra, principal security consultant with Neohapsis. "There is a cost per record breached that a company suffers but frequently they don't take that into account when they look at the cost of preventative measures," Hazdra said in an interview.

"There's a short-sightedness from a business perspective," he said, "and an interest in the short-term bottom line."

Some of the findings in the California report are similar to those in other data breach studies, Ponemon noted. For example, the average size of a data breach in California is around 19,000 records, which is consistent with studies performed by Ponemon.
