It is important for organizations in California to take more steps to safeguard their data. For Covered Entities & their Business Associates, in addition to the HIPAA Omnibus Final Rule, California legislation requires a higner burden of reporting data breaches.
10 years ago, California was the first state to pass a data breach notification law (California Civil Code Sections 1798.29(a) and 1798.82(a)). 2012 was the first year in which organizations who issue certain types of data breaches were also required to notify the office of the Attorney General.
This California legislation requires a business or state agency to notify any California resident whose unencrypted personal information, as defined, was acquired, or reasonably believed to have been acquired, by an unauthorized person. This California legislation also requires any person or business that is required to issue a security breach notification to more than 500 California residents as a result of a single breach of the security system to also electronically submit a single sample copy of that security breach notification, excluding any personally identifiable information, to the Attorney General.
On Monday, July 01, 2013, California Attorney General Kamala Harris released a first-of-its-kind data breach report that includes statistics, recommendations and assessments based on breaches that were reported to the Attorney General’s office during the 2012 calendar year. The most notable/alarming finding is that in 2012, 2.5 million California residents had personal information compromised in connection with a data breach.
In total, 131 data breaches were reported by 103 different entities, with the average breach incident involving 22,500 individuals. According to the Breach Report, more than half of the breaches involved social security numbers and more than half were the result of intentional acts by an unauthorized individual. California is the first state to compile a comprehensive review of reported breaches and the results paint a clear picture that organizations need to take steps to secure their data.