Insights

California Attorney General Calls for Greater Data Protection, and Recommends Adoption of Chip and Pin Payment Card Technology

California Attorney General Calls for Greater Data Protection, and Recommends Adoption of Chip and Pin Payment Card Technology

Data breaches are on the rise—and so is government enforcement action and data breach litigation. Retailers are not the only ones at risk; data breaches are affecting a growing number of industries. In addition to recent privacy enforcement actions from the Federal Trade Commission and now the Federal Communications Commission, the increased frequency and severity of data breaches continue to draw attention from state attorneys general.

In October 2014, California Attorney General Kamala D. Harris released "The California Data Breach Report." The report analyzes data breach statistics involving California residents. The report also offers targeted recommendations to companies looking to prevent, or respond to, data breaches.

Report Findings

  • In 2013, 167 data breaches were reported to the California attorney general.
  • More than 18.5 million California residents were involved in breaches in 2013, a 600 percent increase over data breaches in 2012. (Note, however, that the data is skewed by two very large incidents.)
  • Although the retail sector reported the most breaches in 2013 (26 percent of total breaches), the finance/insurance sector (20 percent) and health care sector (15 percent) followed closely behind.
  • A wide variety of other sectors reported breaches, including government, education, hospitality, and professional services.
  • More than half of total breaches in 2013 were caused by malware and hacking (53 percent).
  • Twenty-six percent of all data breaches were attributable to physical loss or theft of an electronic device.
  • Eighteen percent of all reported breaches were caused by "miscellaneous errors" (for example, insecure disposal of confidential information).
  • Four percent of total breaches were caused by "misuse" (such as when an insider makes unauthorized use of privileges or resources).
  • Social Security numbers were the most frequently compromised records in 2013.

Retail Industry Recommendations

According to the report, in the retail sector, 84 percent of data breaches were the result of malware and hacking. The report advises California retailers to act quickly to update their point-of-sale terminals so that they are chip-enabled and to install the software needed to operate this technology. The report also urges retailers and financial institutions to work together to protect debit cardholders in retailer breaches. Retailers are encouraged to devalue payment card data by encrypting the data from the point of capture until completion of transaction authorization. Similarly, retailers are urged to employ tokenization to devalue payment card data during online and mobile payment transactions. By using such tokens, payment data stolen from one institution cannot be used to make a future payment or counterfeit a stolen credit card.

Health Care Recommendations

In the health care sector, physical loss or theft of data poses the greatest challenge, with 70 percent of breaches reportedly caused by lost or stolen hardware or portable media containing encrypted data. The report urges the health care sector to focus on strong encryption to protect medical information on laptops, portable devices, and even desktop computers.

No Specific Recommendations for the Financial Sector

The report notes that the financial sector accounts for the largest share of "miscellaneous error" data breaches (30 percent) but makes no specific recommendations for how to address them. However, financial institutions should be mindful of the attorney general's advice to work alongside retailers to protect debit cardholders in retailer breaches. Federal financial services regulators, however, have issued varying data security guidelines and requirements for the financial sector. There are also increasing calls by state regulators for financial institutions to increase their efforts in protecting consumer data from cyber theft, and to more effectively conduct cybersecurity oversight of dependent third-party providers.

Taking Action Post-Breach

In the event of a breach, the California attorney general advises companies to respond promptly and notify affected individuals without unreasonable delay. The report also emphasizes that breach notices should be "readable" by the average American consumer, using plain, straightforward language and avoiding technical or legal jargon. Companies should have a data breach plan prepared in advance to facilitate a prompt and appropriate response.

In light of the rising frequency of data breaches, companies operating in California should review the attorney general's report and carefully consider its recommendations.

Lawyer Contacts

For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com.

Katherine S. Ritchey
San Francisco
+1.415.875.5728
ksritchey@jonesday.com

Mauricio F. Paez
New York
+1.212.326.7889
mfpaez@jonesday.com

Gregory P. Silberman
Silicon Valley
+1.650.739.3954
gpsilberman@jonesday.com

Michael G. Morgan
Los Angeles
+1.213.243.2432
mgmorgan@jonesday.com

Olivia C. White, an associate in the Silicon Valley Office, assisted in the preparation of this Alert.

Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our website at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.