Attorney General Kamala Harris (D) of California recently released a report on data breaches, including suggestions for legislative action, warnings about her office's enforcement priorities, and recommendations for data companies' best practices that the survey, opinion and marketing research profession needs to read. With the scope of California's data security law set to change with the likely passage of S.B. 46 this fall, researchers need to ensure they're protecting their data and are also prepared to respond to any potential data security breach. Notably, the AG endorses the concept in S.B. 46 in her report.
Among the AG's recommendations are:
1. "Companies should encrypt digital personal information when moving or sending it out of their secure network."
- 27 percent of the breaches in the AG's report, "affecting a total of over 1.4 million Californians, involved lost or stolen digital data or misdirected emails in which the personal information was unencrypted."
- The AG "will make it an enforcement priority to investigate breaches involving unencrypted personal information."
- The AG also encourages legislation "requiring the use of encryption to protect personal information in transit."
2. "Companies and agencies should review and tighten their security controls on personal information, including training employees and contractors."
3. "Companies and agencies should improve the readability of breach notices."
- "The 14th-grade average reading level of the notices is significantly higher than the U.S. average reading level of eighth grade."
- This concern aligns with the Federal Trade Commission's (FTC) focus on making privacy policies more useful and understandable to consumers, and with legislation that would amend California's Online Privacy Protection Act to require simplistic "tweetable" privacy policies.
4. "Companies and agencies should offer mitigation products or provide information on security freezes to victims of breaches involving Social Security numbers or driver’s license numbers."
In addition to this report, the California AG also offers a recommended data security best practices report, released in January 2012.
This information is not intended and should not be construed as or substituted for legal advice. It is provided for informational purposes only. It is advisable to consult with private counsel on the precise scope and interpretation of any laws/regulation/legislation and their impact on your particular business.