OLYMPIA — Today Washington state Attorney General Bob Ferguson released his second annual Data Breach Report. His report finds that between July of 2016 and July of this year, data breaches affected nearly 3 million Washingtonians — more than six times the number impacted in the previous 12 months period.
The report focuses exclusively on significant data breaches that affected 500 or more Washingtonians. During the last fiscal year, 78 data breaches individually affected at least 500 Washingtonians — twice the number of significant breaches reported to the Attorney General the previous fiscal year.
The release of the new Data Breach Report follows recent news that credit-monitoring company Equifax suffered a data breach, compromising the personal information of 143 million people nationwide. The Equifax breach happened after the dates covered by this year’s report.
“Data breaches are a serious threat to our personal and financial security, and the more information consumers have, the better they can protect themselves,” Ferguson said. “My office will continue to serve as a watchdog to protect the people of Washington.”
The report also details the causes of the breaches. For the second year in a row, malicious cyber-attacks accounted for the largest share of the breaches. A quarter of the breaches resulted from unauthorized people — such as third-party vendors or employees — gaining access to information. A small number of breaches resulted directly from loss or theft of equipment or hardware.
Over the time period covered, governments were responsible for 3 percent of the breaches, but 52 percent of the compromised data consisted of government records. Ferguson’s report recommends government do a better job of securing data, including ensuring government contractors adequately secure personal consumer information.
Ferguson’s report also recommends businesses work to identify and resolve data breaches more quickly, and policymakers investigate whether to require swifter notice to the Attorney General and affected consumers after a breach.
In 2015, Attorney General Request legislation updated Washington’s data breach notification statute. Washington’s law now requires businesses and governments to notify the Attorney General’s Office after suffering breaches affecting the personal information of at least 500 Washingtonians.
Attorney General Ferguson has been working with a multistate group of state attorneys general to investigate and hold businesses accountable when their security measures fall short. For example, in May 2017, Target Corporation entered into a binding agreement to resolve an investigation by Washington and 46 other state attorneys general into the 2013 breach that compromised millions of consumers’ personal information. The agreement required Target to pay an $18.5 million dollar penalty to the states, provide free credit monitoring to impacted consumers, and take significant measures to further strengthen their data security.
More information about data breaches in Washington, including the individual data breach reports submitted to the AGO, is available at http://www.atg.wa.gov/data-breach-notifications. Information for businesses on reporting data breaches is available at http://www.atg.wa.gov/identity-theft-and-privacy-guide-businesses#Report.