California Takes a Hard Look at Data Breaches

July 31, 2013 by Michael Bruemmer

Recently, California’s Attorney General Kamala Harris released a first-of-its-kind report, detailing the 2012 data breaches from her state. The report has generated strong conversation throughout the industry, as it rightly should, in the name of transparency. This move comes as she continues to push companies in her state to improve their security practices.

What caught my eye as I read was not just the details of the incidents, but the recommendations Attorney General Harris included in her report. One of the underlying themes of her report is that companies should be aware of their security vulnerabilities and prepare for and mitigate those risks. [1] A recent Ponemon Report [2] revealed that the majority of companies surveyed believe a data breach has caused, or will cause, the loss of customers and partners for their organization. This effect on customer confidence – paired with the growing threat of data breaches – should influence how organizations are managing client relations. There are two key recommendations that stood out as I look at how companies can mitigate customer concerns and reputational impact – the need to improve the readability of notifications and the need to provide customers with tools to protect their reputation and limit the potential damage in the aftermath of an incident.

It seems Attorney General Harris wants to see notices that people can understand. Companies should embrace this not just because of this regulatory nudge, but also for the potential benefit to customer retention a consumer-centric response provides. Organizations need to put themselves in their customers’ shoes when crafting the notification letter, selecting a call center and providing an identity theft product.

When a customer receives a notification letter, the information needs to be clear and understandable to the audience, answering key concerns and providing clear next steps for any remediation. Ensuring key questions are answered helps to communicate that the company has the situation under control:

  • What information was compromised?
  • Why did it happen?
  • What kind of lifeline do I have to know my information is OK?

One approach is to go beyond just the letter and provide people with an outlet to voice concerns. An option could be creating a call center and having it up to speed by the time the first customer opens a notification letter, providing impacted customers a channel to quickly remedy any concerns. This center can either be developed internally or by working with third-party experts. This approach enables a company to efficiently provide details about steps being taken to mitigate potential customer concerns and how the company plans to prevent future incidents.

Beyond just delivering a notice, Attorney General Harris’ report also points out the need to provide a remedy to customers. For those concerned about the potential for fraud, it is important to have the right tools available to help them understand what they need to do – whether that is cancelling a medical card or activating credit monitoring. In fact, one in four consumers who receive a breach notice becomes a victim of identity theft. [3] Companies may want to consider providing those impacted by a data breach with tools to protect themselves, such as identity protection with credit monitoring and ongoing fraud resolution support. Companies may also want to evaluate the segment for high-risk groups such as minors or those with a thin credit file and map their offerings to meet the needs of the breach population.

While this report is the first of its nature, the transparency it provides consumers may drive other states to further look at how they evaluate and report on the data breach incidents in their own states.

To read the complete report, please click here.


  1. Data Breach Report 2012, California Department of Justice
  2. 2013 Is Your Company Ready for a Big Data Breach, Ponemon Institute
  3. 2013 Identity Fraud Survey Report, Javelin Strategy & Research
