California Reels from the Impact of a Massive Data Breach

Data-breach report indicates IT infrastructure to prevent data loss is lacking statewide.

Identity theft and credit card fraud are high on the list of citizens’ concerns. In the digital age, many people worry about where all of their personal data goes and who has access to it.

The assumption is that there are security protocols in place at companies and state agencies that handle personal data. Because these entities are entrusted with sensitive information, there should be operational structure to protect and preserve these treasures.

The Role of Security Infrastructure

A 2012 StateTech article evaluated some of the most effective approaches to data-loss prevention:

Data-loss prevention (DLP) systems help keep tabs on an organization’s sensitive data by building an inventory and then maintaining control over the flow of information both inside and outside of the network.

Adopting a data-loss prevention strategy for an organization requires selecting appropriate data identification strategies and then building a monitoring environment that can effectively watch for identified data that is being used in violation of an organization’s security policies.

An effective DLP environment will prevent data loss from happening and ensure that there is a strategy in place to close any gaps. Trapped in the river of Big Data, companies and state agencies need to make infrastructure watertight.

As it turns out, many companies and state agencies in California may have failed at this very basic approach to cybersecurity.

A Broken Halo of Protection

Because of a new state law requiring data-breach reporting, Californians learned this week just how much personal data was lost in 2012. California Attorney General Kamala D. Harris announced a worrisome report that indicates 2.5 million Californians were put at risk.

Lulled into a false sense of security, Californians fell victim to security loopholes. According to the report, more than half of the breaches could have been prevented through encryption at all points in the distribution channel.

For citizens interested in protecting themselves in the future, this key finding is quite telling:

More than half of the breaches (55 percent) were the result of intentional intrusions by outsiders or by unauthorized insiders. The other 45 percent were largely the result of failures to adopt or carry out appropriate security measures.

Sensitive data was mistreated from the point of entry all the way through the various tiers of data transfer. The state government has been relegated to being the messenger because of a lack of comprehensive legislation that could have prevented a breakdown of this magnitude.

Strategy to Restore Trust

Attorney General Harris made strong recommendations for taking steps to protect citizens’ personal data in the future. She advises companies and state agencies to strengthen security controls and increase notice accessibility.

On a larger scale, the California state legislature is set to consider new laws to further protect data. One such law, SB-46, was introduced this year by California Sen. Ellen Corbett.

This law addresses the circumstances under which an individual is to be notified of a data breach. Typically, legal loopholes occur when a law does not include an updated or inclusive definition of terms.

SB-46 revises the statewide definition of “personal information.” A user name or an email address in combination with a password are now included with the traditional elements, such as name, social security number, and credit or debit card number.

The inclusion of a digital presence closes security gaps that may have caused a lack of reporting in the past. The law broadens the protection coverage to access of online accounts.

The entire data-breach report can be found on the Office of the Attorney General website.

Jul 03 2013