
California Data Breach Report

February 2016

Office of the Attorney General


California Department of Justice

Joanne McNabb, CIPP/US/G, CIPT
Director, Privacy Education & Policy
joanne.mcnabb@doj.ca.gov
www.privacy.ca.gov

AG's Privacy Unit
Enforces Constitutional privacy right and civil privacy statutes
Empowers individuals with information and strategies
Encourages businesses to adopt privacy-respectful practices
Advises the AG on privacy matters

2016 Data Breach Report
4 years of breaches affecting >500 CA residents (2012-2015)
657 breaches
49+ million records of CA residents breached

California Data Breach Report

KEY FINDINGS

Type of Breach 2012-2015
[Line chart: number of breaches per year, 2012 through 2015, by breach type: Physical, Malware & Hacking, Misuse, Errors]

Breaches by Type 2012-2015
[Bar chart: share of breaches vs. share of records for each breach type (Malware & Hacking, Physical Theft or Loss, Errors, Misuse); 657 breaches affecting >500 CA residents. Malware & Hacking accounts for 54% of breaches and 90% of records; the remaining types each account for well under a quarter of breaches and a small share of records.]

Breaches by Industry 2012-2015
[Bar chart: share of breaches vs. share of records by industry sector; 657 breaches affecting >500 CA residents. The largest sector accounts for about 42% on one axis, with the remaining sectors each under 30%.]

Health Care vs. Other Sectors 2012-2015
[Bar chart: share of breaches by type (Physical Theft or Loss, Malware & Hacking, Errors, Misuse) for Health Care vs. Other Sectors; 657 breaches affecting >500 CA residents]

California Data Breach Report

RECOMMENDATION ON
REASONABLE SECURITY

Federal & CA Info Security Laws
Gramm-Leach-Bliley Act Safeguards Rule (financial services)
HIPAA Security Rule (health care)
COPPA (children's information)
State laws, including Civ. Code 1798.81.5, and UCL (Bus. & Prof. Code 17200)
Also FTC and state AG enforcement actions and guidance, industry self-regulation, contractual obligations, etc.

Basic Legal Concept: Reasonable Security
For example: a business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Cal. Civ. Code 1798.81.5(b)

Reasonable Security Is a Process
Security Risk Management Process (a repeating cycle):
Identify assets and data
Assess risks
Implement controls
Monitor effectiveness

Security Controls: Physical, Technical, Administrative
Authoritative Standards for Controls
NIST Special Publication 800-53
NIST Cybersecurity Framework
ISO/IEC 27002:2013
CIS Critical Security Controls

CIS Critical Security Controls: A Reasonable Floor
The 20 controls in the Center for Internet Security's Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security.

CIS Critical Security Controls
Maintained by Center for Internet Security: non-profit, cybersecurity readiness and response
Developed by experts from private & public sectors; updated periodically
High-payoff actions, starting point for comprehensive security program
Map to major security laws, other standards
Scalable for organizations of different sizes
CIS Critical Security Controls
CSC 1 Inventory of Authorized and Unauthorized Devices
CSC 2 Inventory of Authorized and Unauthorized Software
CSC 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
CSC 4 Continuous Vulnerability Assessment and Remediation
CSC 5 Controlled Use of Administrative Privileges
CSC 6 Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7 Email and Web Browser Protection
CSC 8 Malware Defenses
CSC 9 Limitation and Control of Network Ports, Protocols, and Services
CSC 10 Data Recovery Capability

CIS Critical Security Controls (continued)
CSC 11 Secure Configurations for Network Devices (Firewalls, Routers, Switches)
CSC 12 Boundary Defense
CSC 13 Data Protection
CSC 14 Controlled Access Based on the Need to Know
CSC 15 Wireless Access Control
CSC 16 Account Monitoring and Control
CSC 17 Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18 Application Software Security
CSC 19 Incident Response and Management
CSC 20 Penetration Tests and Red Team Exercises
Resources from CA AG
Business Privacy Resources
www.oag.ca.gov/privacy/business-privacy
California Data Breach Reports
www.oag.ca.gov/privacy/privacy-reports
Data Breach Reporting
www.oag.ca.gov/ecrime/databreach/reporting
Privacy Enforcement Actions, Laws, & Legislation
www.oag.ca.gov/privacy/privacy-enforcement-laws-legislation
CIS Critical Security Controls
www.cisecurity.org

ID Experts Webinar Series
At ID Experts, we protect millions of consumers with our identity protection
software and services and have a 100 percent success record for identity
recovery. We are trusted by thousands of organizations to manage cyber
and other risks with our data breach response services. We are the largest
provider of identity protection products to the federal government. We
serve customers in healthcare, government, insurance, financial services,
and higher education. Visit www2.idexpertscorp.com.

If you are having a breach now, call 866-726-4271
