Problems with the California AG’s Reporting on Data Breaches

On my way towards digging into the California Consumer Privacy Act (“CCPA”), I wanted to first look at California’s Breach Notification Law (“CalBNL”).  CalBNL was the first data breach notification law in the US (and the world) and, in effect, became the model for other states (California’s law passed in 2002, and the last two states, South Dakota and Alabama, did not implement their own versions until 16 years later, in 2018!).  It is also probably one of the tougher state laws out there in terms of notification requirements.  This blog post will discuss some major problems I found with it, and again, this law is the best we have got!

One thing I liked, and will focus on in this blog post, is that the CalBNL not only requires a business to notify individual California residents if their personal data has been impacted by a breach of that business, but also, if the breach exposed the personal data of more than 500 Californians, requires the business to report the breach to the California Attorney General (AG) and send the AG’s office a sample copy of the notification letter.

I thought that sounded great, because it could mean we now have a central repository of breaches, and given that California has the largest population in the US, any good-sized breach would almost certainly impact 500 or more California residents, so it would be the "gold standard" breach repository.  This would have many benefits …

  1. For the consumer … you would have “one stop shopping” to see if any of the companies you do business with, and who store and process your personal data, may have been hacked.  This has a lot of value to consumers in that they may not have gotten a notification for one of the breaches (e.g. the business did not send you one for whatever reason, or you threw the letter out as junk mail, or it was emailed to you and ended up in a spam folder, etc.).  Armed with knowledge of which entities you do business with have been hacked, you may be motivated to contact a credit bureau and get a credit report, or sign up for an identity theft protection service, which a breached business will typically pay for.  Or, knowing that a given site was hacked and that the stolen data included usernames and passwords, you could be prompted to change your password on the other sites where you reuse the same username/password combination (yes, a bad practice, but a very common one).

  2. For security professionals and other businesses … if the repository also captured information about the breach such as the attack vector the hacker used, the business’s industry, the tech stack that was attacked, the number of records compromised, etc., the AG could publish reports that would help businesses better defend themselves.  E.g. if law firms have really been getting hit with ransomware lately, it can help those in that industry be on their guard for that type of attack.  As I said in a prior blog post, having a great breach repository would give us a heat map of where we need to shore up our defenses.  It would also give us a true sense of the size and scope of the problem, so we can prioritize our spending accordingly.  Ironically, we have national reporting of domestic crime, terrorism, etc., yet for something that impacts both our national security and the financial security and privacy of our citizens we don’t have anything comparable.

This sounds on paper like a great asset, and it certainly beats not having anything, but unfortunately it appears the Cal AG’s data security breach reporting has some major problems.

Problem #1 – Clearly A Lot of Businesses that Have Been Hacked are Not Self-Reporting

This is the biggest problem I spotted.  What I did first was "trust but verify": take the list of breaches found in the Cal AG’s repository of data security breaches and compare it to the notable "headline" breaches we heard about over the last few months.

So I simply googled “top 2020 security breaches,” came upon this web page listing some notable 2020 breaches, and was curious whether the businesses and breaches listed on that page show up in the Cal AG breach reporting.  I looked at the list of breaches on that page and grabbed the first 10 that would likely have affected 500+ California residents:

  1. Landry’s.  The company has 650 restaurants (e.g. Bubba Gump and Rainforest Café), including in California.  Credit card info stolen.

  2. Peekaboo Moments aka Bithouse.  Mobile app (e.g. Baby’s First Step).  Email addresses and links to photos were stolen.

  3. Hanna Andersson.  Children’s clothing retailer that had credit card information stolen.  Six stores in California.

  4. Microsoft.  Customer support database with 280 million customer records. 

  5. THSuite.com.  An ERP app for medical marijuana dispensaries.  We have plenty of those in California.

  6. Estee Lauder.  440 million records were exposed.

  7. Fifth Third Bank.  Customer records stolen.  They have a number of branches in California.

  8. MGM Resorts.  Over 10 million customer records stolen.

  9. Carnival Cruise Lines.  Customer information potentially stolen by unauthorized access.

  10. J.Crew.  Customer account info hacked.

So of the 10 I picked, how many are in the Cal AG breach repository? … Just 2 of them: only Hanna Andersson and Carnival Cruise Lines showed up in the Cal AG system.   20%.   Not Microsoft with 280 million customer records.  (One caveat: the duty to notify is triggered only when “personal information” as the statute defines it was acquired, so a headline incident is not automatically a reportable one under CalBNL, but 2 out of 10 is hard to explain that way alone.)

Other well-known data breaches over the years do not show up at all.  E.g. Facebook had a major breach via Cambridge Analytica, but if you search for “Facebook” there has apparently never been a breach reported by Facebook to the Cal AG.

In fact, if you look at the trend line of breaches logged in the AG’s system, the number of reported breaches has been going down over the last 3 years.  [Note: I had to create this manually by counting the breaches per year; more on that later.]  It went from 316 in 2017 to 264 in 2018 to 208 in 2019 (and only 33 breaches reported year to date in 2020: what??).

Source: compiled from data found at https://oag.ca.gov/privacy/databreach/list
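To make the per-year tally above reproducible rather than a hand count, here is an added example (my own, not code from the original post or from the AG's site).  It assumes you have already exported or scraped the AG listing into a CSV with the three columns the listing displays (Organization Name, Date(s) of Breach, Reported Date) using MM/DD/YYYY dates; both the column names and the date format are assumptions, and the rows embedded below are constructed sample data, not real entries.  It counts reports per year and, as something a hand count will not give you, the median lag in days between the earliest listed breach date and the date the AG was told.

```python
"""Tally California AG breach-list entries by reporting year.

Added example, not code from the original post or the AG's site. The CSV
column names and the MM/DD/YYYY date format are assumptions about the
listing at https://oag.ca.gov/privacy/databreach/list; adjust them if your
export differs. SAMPLE_CSV is constructed sample data, not real entries.
"""
import csv
import io
import re
import statistics
from collections import Counter
from datetime import datetime

# Constructed sample rows. The "Date(s) of Breach" cell is messy on purpose:
# it can hold one date, a comma-separated list, a range, or a placeholder.
SAMPLE_CSV = """\
Organization Name,Date(s) of Breach,Reported Date
Example Retail Co.,"01/02/2019, 01/15/2019",02/20/2019
Example Clinic LLC,n/a,03/05/2019
Example Bank,11/01/2018 - 12/01/2018,01/10/2019
Example Resort,09/30/2018,10/15/2018
Example App Inc.,02/01/2020,03/01/2020
"""

DATE_RE = re.compile(r"\b\d{2}/\d{2}/\d{4}\b")


def parse_dates(cell):
    """Return every MM/DD/YYYY date found in a cell, in the order written.
    Placeholders such as 'n/a' or an empty cell yield an empty list."""
    return [datetime.strptime(m, "%m/%d/%Y").date()
            for m in DATE_RE.findall(cell or "")]


def load_rows(csv_text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def breaches_per_year(csv_text):
    """Count entries by the year they were reported to the AG.

    Keying on the reported date (not the breach date) avoids dropping
    entries whose breach window is unknown or spans two years."""
    counts = Counter()
    for row in load_rows(csv_text):
        reported = parse_dates(row["Reported Date"])
        if reported:  # skip rows with no parseable reported date
            counts[reported[0].year] += 1
    return dict(sorted(counts.items()))


def median_reporting_lag_days(csv_text):
    """Median days from the earliest listed breach date to the reported date,
    over entries that have both. Returns None if no entry qualifies."""
    lags = []
    for row in load_rows(csv_text):
        breach = parse_dates(row["Date(s) of Breach"])
        reported = parse_dates(row["Reported Date"])
        if breach and reported:
            lags.append((reported[0] - min(breach)).days)
    return statistics.median(lags) if lags else None


if __name__ == "__main__":
    for year, n in breaches_per_year(SAMPLE_CSV).items():
        print(f"{year}: {n} reported breaches")
    print(f"median breach-to-report lag: "
          f"{median_reporting_lag_days(SAMPLE_CSV)} days")
```

On the sample data this yields 1 report in 2018, 3 in 2019 and 1 in 2020, with a median lag of 39 days.  The real listing spans many pages, so in practice you would paginate through it into one CSV first; the functions only need the CSV text, and rows whose breach window is a placeholder are still counted in the per-year tally but excluded from the lag.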

This does not parallel the blue line in the graph below, which shows the number of breaches in the US staying about the same on an annual basis over the last 3 years (i.e. not dropping the way the California AG data does).

Source: https://www.statista.com/statistics/273550/data-breaches-recorded-in-the-united-states-by-number-of-breaches-and-records-exposed/

The reality is that the reporting of data breaches is driven by laws and regulations.  Where those laws do not exist, or even where they do exist but there is little to no enforcement to motivate notification (e.g. large fines), we find that breaches can easily be “swept under the rug.”

Clearly either the AG is not evangelizing and/or pursuing breached businesses to get them to report, or, more likely, most businesses don’t feel enough threat of either a private action by a citizen or an enforcement action by the AG to bother reporting.  We will see, when we look at the CCPA, if there is more “motivation” for businesses to notify.

So how do the California breach notification numbers compare to the EU, where there is "motivation" to report in the form of the GDPR?  Remember, GDPR requires a controller to report a breach to its Member State’s supervisory authority within 72 hours (Article 33) unless the breach is unlikely to result in a risk to individuals, with no minimum number of people affected, and it empowers those authorities to hand out large fines for not properly protecting personal data and/or not reporting breaches.  Here is a snapshot, courtesy of DLA Piper, of various European countries in roughly the first 20 months of GDPR and how many breaches were reported in each:

Note that in the same time period (May 25, 2018 to Jan 27, 2020) California had only 347 reported breaches.  Compare that to the Netherlands, which had 40,000+ reported breaches in the same period (with 40% of California’s population).  Granted, many of the Dutch reports no doubt involved fewer than 500 people, since GDPR has no such threshold, but even if only 25% of them crossed that number, we are talking about a massive differential here.

Or take a country in the mid-range of the table above, say Poland.  Poland has 38 million people and California has 39.5 million, so they are equally sized.  Poland had approximately 7,500 reported breaches, while California had approximately 350.  So Poland is reporting 21x the number of data breaches.  Again, maybe many of those breaches involved fewer than 500 residents, but we are talking about a staggering difference here.

This points to potentially serious under-reporting of data breaches in California.  And I don’t think Poland has the same number of Internet companies processing personal data that we have here in California.

Ironically, California actually has one of the stricter (if not the strictest) state laws for data breach notification, so if businesses are ignoring the California law, they are doing the same across the US.  That's why I strongly believe we need a national breach notification law with some teeth, even if it is just an initial step towards better data protection and not a full-blown GDPR-like federal law.

Problem #2 – The Cal AG Needs to Ask Hacked Businesses to Report More Useful Information

I consider this a minor problem and something that can be easily fixed.

Say a business “does the right thing” and wants to self-report a breach to the Cal AG.  They go to the AG’s “Submit Data Security Breach” form.  Besides asking for a sample notification letter, the form asks for some additional information specific to the breach itself, namely:

  • Type of Personal Information involved in the Breach: the form has selections for Social Security numbers, driver’s license numbers, financial information, and medical and health insurance information, but does NOT have a selection for username/password combinations (which the law has covered since 2014) OR recent additions to the law such as passport numbers and biometric data (added effective January 2020).

  • Brief Description of Breach

  • Number of individuals affected by Breach and number of Californians

  • Type of Breach, chosen from a fixed list of options

So besides not fully capturing the types of data that California law considers personal information, it would be super helpful if the form requested more data than just a “brief description.”  E.g. the attack vector used (phishing, ransomware, SQL injection, etc.), internal vs. external breach, what technology stack was targeted, how many actual records were compromised (as a complement to how many individuals were affected), etc.

Look, I understand that right after a breach the security folks may not know exactly what happened, but I do think asking a few additional focused questions would be helpful and give us a sense of how attackers are going about their nefarious work and what types of organizations are being targeted.

It would also be really great to require businesses to submit a follow-on report 60-90 days after the breach notification that provides forensic detail, i.e. more details of the hack itself, and the post-breach mitigation steps being taken.

Problem #3 — More Enforcement Resources are Needed

I think this one is a big problem.  The Cal AG website has nice reports from 2014-2016 summarizing the breach statistics, even with recommendations for businesses to better protect themselves, but since then not even basic high-level summaries of breach statistics have been published by the AG’s office.  This, coupled with the decreasing number of breaches being reported, signals to me a potential shift of focus to other areas over the last few years (and this will clearly be the case as the entire state government focuses on the Covid pandemic).

It does appear that “Version 2.0” of the CCPA, i.e. the ballot initiative called the California Privacy Rights Act (CPRA), adds enforcement as a key pillar of the proposed law.  Specifically, it would create the “California Privacy Protection Agency,” funded with $10 million from the State’s General Fund.  As the backers of the CPRA note, “this funding would equate to roughly the same number of privacy enforcement staff as the FTC has to police the entire country (the FTC has 40 privacy professionals).”

That would be cool.  California needs to send the clear message that we take data protection seriously.  Clearly, if a targeted and sophisticated attack occurs, the impacted business should not be liable if it took security seriously and had been spending the time, money and effort to protect personal data.  But for businesses that are lax in this regard, e.g. cut corners and were reckless with our personal data and/or did not have basic security policies or procedures in place, there should be a penalty to pay.

I will dig into the CPRA once I start tackling the CCPA in my next blog posts.
