The California Attorney General, Kamala D. Harris, has released a report detailing the data breaches that have affected Californians since 2012. The California Data Breach Report analyzes 657 data breaches that affected the records of over 49 million Californians, with substantial year-to-year increases. In 2015 alone, 178 breaches put over 24 million records at risk; that means 1 in 3 Californians were affected by a data breach in a single year.
California has been one of the States at the forefront of creating and enforcing data breach security legislation. California was the first state to have its own data security breach notification law, in 2002, and most subsequent laws have followed their lead. Last revised in 2015, the California Breach Notification Statute has the most expansive definition of “personal information,” strict requirements for notification letters, and limitations on the definition of encrypted information, which receives safe harbor under the notification requirement.
The new California Data Breach Report reveals that the majority of data breaches happen from sloppy security practices. AG Kamala D. Harris notes:
“In the last four years, nearly 50 million records of Californians have been breached and the majority of these breaches resulted from security failures. Furthermore, nearly all of the exploited vulnerabilities, which enabled these breaches, were compromised more than a year after the solution to patch the vulnerability was publicly available. It is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers."
The report reveals that many data breaches that affected Californians were the result of cyber attacks by data thieves, many taking advantage of known security weaknesses, but also from the loss or theft of equipment containing unencrypted data (particularly prevalent in healthcare) and from the unintentional and intentional actions of insiders.
Another report recently tied the increase in cyberattacks to the rise of endpoint devices, with exploited mobile devices accounting for one third of cyber security incidents. With as much as 45% of corporate data held on endpoint devices, which lack even the most basic endpoint protections like encryption (only used on 29% of mobile devices), authentication and access controls, it’s clear that organizations need greater visibility into what data is held on the endpoint and how well it is protected, at all times.
At Absolute, we are proud to be pioneering a new way for organizations to gain visibility into data on the endpoint. We recently launched Absolute Endpoint Data Discovery (EDD), as part of Absolute DDS, which provides persistent visibility into devices and the data they contain. Using Absolute EDD, you can define the important data you want to track, showing you endpoints that contain this data, helping you identify devices and users accessing sensitive information against corporate policy.
If suspicious activity is detected, a customer can determine if any sensitive data is at risk and take appropriate measures to protect it. Additionally, it allows an organization to determine the severity of an endpoint security incident and apply an appropriate response based on the level of risk associated with the data stored on the device. With detailed reporting, you can supply definitive proof that no data was breached, meeting the compliance requirements in California - and everywhere else.