Jessica M. Karmasek Jul. 3, 2013, 6:00pm

SAN FRANCISCO (Legal Newsline) -- California Attorney General Kamala Harris, in a report released Monday, said 131 data breaches were reported to her office last year and 2.5 million residents had personal information "put at risk" through an electronic data breach.

The attorney general's report found that 1.4 million Californians would have been protected if companies had encrypted data when moving or sending it out of network.

"Data breaches are a serious threat to individuals' privacy, finances and even personal security," Harris said in a statement. "Companies and government agencies must do more to protect people by protecting data."

In 2003, California was the first state to pass a law mandating data breach notification, which requires businesses and state agencies to notify residents when their personal information is compromised in security breach.

In 2012, companies and state agencies subject to the law were required for the first time to report any breach that involved more than 500 Californians to the Attorney General's Office.

Harris said companies should encrypt digital personal information when moving or sending it out of their secure network.

In addition, the attorney general said companies should review and tighten their security controls on personal information, including training employees and contractors.

Companies also should make the breach notices they send easier to read, Harris said.

According to the attorney general's report, the average reading level of the notices submitted in 2012 was 14th grade -- or college level -- much higher than the average U.S. reading level of eighth grade.

Recipients need to be able to understand the notices so they can take action to protect their information, Harris said.

The attorney general also recommended that legislators consider expanding state law to require notification of breaches using passwords.

Harris pointed to Senate Bill 46, sponsored by state Sen. Ellen Corbett, which would require notification of a breach involving a username or email address, in combination with a password or security question and answer that would permit access to an online account.

Click here to view a list of all 131 breaches.

From Legal Newsline: Reach Jessica Karmasek by email at

More News