Data breaches accessed information of 2.5 million Californians

by Annalise Mantz, Sacramento Bee

Electronic data breaches put the personal information of 2.5 million Californians at risk in 2012, according to a new report released Monday by Attorney General Kamala Harris.

State law requires businesses and government agencies to notify consumers when a data breach might have put their personal information at risk. A bill passed in 2012 also requires companies to report a breach to the attorney general when more than 500 consumers’ information has been accessed.

The report’s description of 131 breaches of consumer information marks the first time the information has been made available to the public. California law requires companies to report breaches of information whether the breach was malicious or unintentional.

The report details when each breach occurred and what private information was affected. The list of organizations that experienced data breaches in 2012 includes the California Department of Health Care Services, the state Department of Child Supportive Services, American Express and State Farm Insurance.

The retail industry reported the greatest number of breaches, followed by financial institutions and insurance providers.

“Data breaches are a serious threat to individuals’ privacy, finances and even personal security,” Harris said in a statement. “Companies and government agencies must do more to protect people by protecting data.”

Harris recommended companies use encryption and tighter security measures to protect consumer information in the future.

Harris said that by increasing their security and protecting their customers, businesses will “reduce the likelihood that companies will be defrauded by an identity thief, promote consumer confidence in industry, and, most importantly, build consumer trust.”

John M. Simpson, director of privacy for Consumer Watchdog, commended Harris for “shining a light” on the problem and disclosing this information to the public voluntarily.

“There’s been a philosophy on the part of these companies to keep this all quiet,” Simpson said. “To me, the consumer’s trust is built when someone says, ‘OK, this breach has happened, and these are the steps we are going to take.’ If you sweep it under the rug, that’s no good for the consumers.”

Harris also suggested that companies make the notification letters they send to consumers whose personal information has been accessed easier to understand. A company must notify its customers if their name and driver’s license number, credit or debit card information, bank account, Social Security number, medical information or health insurance information has been put at risk.

In the report, Harris also supported Senate Bill 46 by Sen. Ellen Corbett, D-San Leandro, which would require companies to notify users if a data breach compromises their username and password combination.