California Attorney General Kamala Harris released a report this week with staggering facts about data security, and everyone in the state and around the nation should take note. More than 2.5 million Californians, according to the report, had personal information put at risk by private companies and public agencies in 2012 alone.
Even more shocking is that more than half the information could have been protected through the simple process of encryption. In this increasingly digitized world, the rules, laws and protections around electronic information need to be bolstered to match the analog world that is drifting into the past at a rapid rate.
More and more, people are putting their entire lives online — banking, cloud storage, shopping and more. These online activities help many people through both convenience and increased productivity. But as companies add services online, they also are storing more of everyone's vital information, such as credit cards, bank account numbers, birth dates, addresses and, in some cases, Social Security numbers. When in the wrong hands, this information can lead to such crimes as identity theft.
Luckily, in California there is a good chance that you will at least know if your information has been compromised. In 2003, a bill authored by then-Assemblyman Joe Simitian, a Peninsula Democrat, mandated that companies and state agencies that had data breaches notify the affected people. In 2012, Simitian, then in the state Senate seat he currently holds, authored a bill that required that the same companies and agencies notify the state Attorney General's Office if the breach affects more than 500 people.
Harris has taken the information provided to her office in 2012, analyzed it and made recommendations about how private companies and public entities can increase security for private information and, according to her office, “make it easier for consumers to recover from the loss or theft of their personal information, and call for law enforcement agencies to more aggressively target breaches involving unencrypted personal information.”
Some of the steps seem simple and logical, and they would not be difficult for companies or agencies to implement. For instance, simply encrypting data that is moved out of a company's network could have protected 1.4 million Californians' personal information.
Stories have emerged in recent years about personal data left on company laptops that lacked a password. When those computers were stolen from employees, the data of untold numbers of people were put at risk.
There are strict laws that prevent companies or agencies from improperly storing or discarding paper documents that contain important information. But in some ways, companies and agencies are doing the same thing, only in digital form. People are willing and able to use digital resources that companies offer them, but there needs to be more assurance that the information they are handing over will be kept safe and secure.
There will always be some data breaches, in the same way there are robberies and burglaries; no property, real or digital, will ever be 100 percent secure. But this report from Harris' office shows that many companies and government agencies have a long way to go in safeguarding everyone's valuable information.