California Attorney General Releases Data Breach Report

California Attorney General Releases Data Breach Report

On Tuesday, February 16, 2016, the California Attorney General's Office released its Data Breach Report, analyzing the 657 data breaches reported to the Attorney General's office from 2012 to 2015. According to the report, the majority of the reported breaches were the result of security failures. Based on these findings, the Attorney General's report makes recommendations to organizations and, for the first time, addresses what constitutes "reasonable security measures" to protect personal information under California law.

Findings from Reported Data Breaches

Based on reported data, more than 49 million records pertaining to Californians were affected by data breaches between 2012 and 2015. Although the number of reported breaches remained constant from 2014 to 2015, the number of records at risk increased dramatically from 4.3 million in 2014 to more than 24 million in 2015.

More than half of the reported data breaches resulted from malware and hacking, but a significant number resulted from physical theft/loss (22 percent), errors (17 percent), or misuse by internal personnel (7 percent). Social Security numbers, health information, and financial information continue to be the types of data involved in most data breaches. The Attorney General predicts that cyber criminals will increasingly look to obtain Social Security numbers as retailers continue to transition away from magnetic stripe readers to chip-enabled payment cards.

Recommendations Regarding Reasonable Security Measures

The Data Breach Report is especially significant because it provides, for the first time, guidance from the Attorney General on what the California Department of Justice views as reasonable security measures under California law.[1] In the view of the Attorney General, organizations should, at minimum, implement the Center for Internet Security's Critical Security Controls (the "Controls"). The Data Breach Report adopts these Controls as the "minimum level of information security" that all organizations must meet and states that "the failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security."[2]

The Center for Internet Security's Controls include the following 20 controls:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Security Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  4. Continuous Vulnerability Assessment and Remediation
  5. Controlled Use of Administrative Privileges
  6. Maintenance, Monitoring, and Analysis of Audit Logs
  7. Email and Web Browsing Protection
  8. Malware Defenses
  9. Limitation and Control of Network Ports, Protocols, and Services
  10. Data Recovery Capability
  11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  12. Boundary Defense
  13. Data Protection
  14. Controlled Access Based on the Need to Know
  15. Wireless Access Control
  16. Account Monitoring and Control
  17. Security Skills Assessment and Appropriate Training to Fill Gaps
  18. Application Software Security
  19. Incident Response and Management
  20. Penetration Tests and Red Team Exercises

In addition to adopting the Controls, the report recommends that organizations use multifactor authentication not only to protect critical systems and data but also for consumer-facing online accounts. Many online consumers fail to create unique passwords for each account, making it easier for cyber thieves to hack into multiple accounts. Multifactor authentication, such as sending a passcode to the user's cell phone, would decrease such a risk.

The report further recommends that organizations, particularly health care organizations, use strong data encryption to protect personal information in transit. More than half of the breaches in the health care sector resulted from the failure to encrypt such information.

The report recommends placing fraud alerts on consumers' credit files when Social Security numbers or driver's license numbers are breached.

Finally, the report also recommended that "State policy makers should collaborate in seeking to harmonize state breach laws on some key dimensions. Such an effort could preserve innovation, maintain consumer protections, and retain jurisdictional expertise.

Although the Data Breach Report's findings are not surprising, its recommendations, particularly the adoption of the Center for Internet Security's Critical Security Controls, represent a significant development for organizations seeking to comply with California's data protection requirements.

California was the first state to enact data breach notification regulations, and the report's recommendations as to what constitutes "reasonable security" are likely to be adopted by other states. By defining "reasonable security," the California Attorney General is also sending a strong signal that we are going to see increased enforcement of California's data security statute.


[1] Cal. Civ. Code § 1798.81.5 (b) requires businesses that collect personal information on California residents to use "reasonable security procedures and practices" to protect that information.

[2] Kamala Harris, Attorney General California Department of Justice: California Data Breach Report February, 2016, at 30.




Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website at This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.