Attorney General Kamala Harris (D) of California recently released a report on data breaches, including suggestions for legislative action, warnings about her office's enforcement priorities, and recommendations for data companies' best practices that the survey, opinion and marketing research profession needs to read. With the scope of California's data security law set to change with the likely passage of S.B. 46 this fall, researchers need to ensure not only that they are protecting their data but also that they are prepared to respond to any data security breach. Notably, the AG endorses the concept behind S.B. 46 in her report.

Among the AG's recommendations are:

1. "Companies should encrypt digital personal information when moving or sending it out of their secure network."

  • 27 percent of the breaches in the AG's report, "affecting a total of over 1.4 million Californians, involved lost or stolen digital data or misdirected emails in which the personal information was unencrypted."
  • The AG "will make it an enforcement priority to investigate breaches involving unencrypted personal information."
  • The AG also encourages legislation "requiring the use of encryption to protect personal information in transit."

2. "Companies and agencies should review and tighten their security controls on personal information, including training employees and contractors."

3. "Companies and agencies should improve the readability of breach notices."

4. "Companies and agencies should offer mitigation products or provide information on security freezes to victims of breaches involving Social Security numbers or driver’s license numbers."
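The first recommendation above (encrypt personal information before it leaves your secure network, so a lost laptop or misdirected email does not expose it in the clear) is the one that turns into code. What follows is an added example written for this page, not code from the AG's report or from MRA: it seals a constructed sample respondent file with AES-256-GCM in Go's standard library, so that the blob you attach to an email or copy to removable media is unreadable and tamper-evident without the key. The record contents, the "survey-2013-export" label and the function names are illustrative assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// samplePersonalInfo is a constructed example of the kind of file a researcher
// might send to a vendor; the names and license numbers are made up.
const samplePersonalInfo = "respondent_id,name,drivers_license\n" +
	"1001,Jane Doe,D1234567\n" +
	"1002,John Roe,D7654321\n"

// NewKey returns a random 256-bit key. The key must stay inside the secure
// network (a key vault, or a secret delivered over a separate channel); a blob
// emailed together with its key protects nothing.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext and returns nonce || ciphertext || tag, so the
// recipient needs only the blob and the key. label is bound as associated
// data: a blob sealed for one export cannot be quietly presented as another.
func Seal(key []byte, label string, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce per blob; reusing a nonce under the same key
	// breaks GCM, which is why the key is never reused across many files
	// without this randomness.
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal. Any change to the blob, or a label that does not match
// the one used at sealing time, makes authentication fail and returns an error
// instead of corrupted plaintext.
func Open(key []byte, label string, blob []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(label))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, "survey-2013-export", []byte(samplePersonalInfo))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed %d plaintext bytes into %d-byte blob\n", len(samplePersonalInfo), len(blob))

	pt, err := Open(key, "survey-2013-export", blob)
	if err != nil {
		panic(err)
	}
	fmt.Printf("recipient recovered %d bytes\n", len(pt))

	// Flip one bit in transit: the recipient gets an error, not altered records.
	blob[len(blob)-1] ^= 0x01
	if _, err := Open(key, "survey-2013-export", blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The practical check is the one the AG's statistic points at: after sealing, grep the blob for a name or license number from the file; nothing should match. Keep the key delivery separate from the blob, and treat the loss of an unencrypted copy of the same file as a breach even if an encrypted copy also exists.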

In addition to this report, the California AG also offers a separate report on recommended data security best practices, released in January 2012.

Of course, California is only one jurisdiction among many. The laws can change (Texas' just did) and some states' regulations can be quite extensive (like Massachusetts). MRA members should review the issue brief on all the states' data security breach notification laws and get up to speed. Broader practices should also be reviewed, such as your organization's data retention policies, how you handle cloud computing, and what you are promising in your privacy policy.

This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.