Data breaches at major retailers Target and Neiman Marcus during last year’s holiday shopping season affected more than 100 million people and focused new attention on the need to protect personal information stored online.

While it’s clear that tough data breach legislation must be enacted, California Attorney General Kamala Harris is taking action to improve cybersecurity in the state before new laws are passed. Today she released recommendations to California businesses to help protect against and respond to the increasing threat of malware, data breaches and other cyber risks.

In addition, Harris is leading an investigation by state attorneys general into the Target and Neiman Marcus breaches, Don Thompson of the Associated Press reported:

Harris’ office also disclosed that California is leading a multistate investigation into the massive holiday season consumer data theft at discount retailer Target Corp. and luxury retailer Neiman Marcus, breaches that left tens of millions of customers at risk. More than 7 million Californians were affected by the Target breach alone, Special Assistant Attorney General for Law and Technology Jeff Rabkin said.

The U.S. Justice Department is taking the lead in trying to identify the culprits, who are suspected to be based overseas, while the multistate investigation focuses on whether the retailers share blame because they lacked the necessary precautions to prevent the thefts. The state investigation also will explore whether Target and Neiman Marcus acted properly as soon as they learned of the problem, Rabkin said in a telephone interview.

The guide, Cybersecurity in the Golden State, offers suggestions focused on small to mid-sized businesses, which are particularly vulnerable to cybercrime and often lack the resources to hire cybersecurity personnel. In 2012, 50 percent of all cyber attacks were aimed at businesses with fewer than 2,500 employees and 31 percent were aimed at those with fewer than 250 employees, Harris said.

Key recommendations for small business owners include:

  • Assume you are a target and develop an incident response plan now.
  • Review the data your business stores and shares with third parties including backup storage and cloud computing. Once you know what data you have and where it is, get rid of what is not necessary.
  • Encrypt the data you need to keep. Strong encryption technology is now commonly available for free, and it is easy to use.
  • Follow safe online practices such as regularly updating firewall and antivirus software on all devices, using strong passwords, avoiding downloading software from unknown sources and practicing safe online banking by only using a secure browser connection.

In 2003 California was the first state to pass a data breach notification law. In 2012 the law was amended to require that any breach involving more than 500 Californians be reported to the attorney general.

The 170 breaches reported to the attorney general’s office in 2013 represent a 30 percent increase over the 131 identified the year before, according to figures provided to The Associated Press. Among entities reporting breaches in 2012 were American Express Travel Related Services Co., Kaiser Permanente and several state government agencies, including the departments of Public Health and Social Services.

Given the current data breach laws, Harris is taking meaningful action. But what’s ultimately needed is a law that would make her best-practice recommendations legal mandates. We need a California Financial Information Privacy Act that would:

  • Change breach notification standards to be immediate.
  • Set limits on how long data can be retained, and on what information can be collected and retained.
  • Write minimum-security standards into the law so that they are no longer voluntary.
  • Most importantly: create a private right of action. Put a price tag on retailers’ mistreatment of our private financial information.

Until there is a real price to pay, Target, Neiman Marcus and other retailers will continue to make us targets.

Posted by John M. Simpson, Consumer Watchdog’s Privacy Project Director.