Evaluation of the State of California Department of Justice’s (DOJ) Data Breach Incident Disclosure

Completeness

The State of California Department of Justice’s (DOJ) data breach incident disclosure was relatively complete. It included the following information:

• Threat: The threat was a phishing attack.
• Threat agent: The threat agent is unknown.
• Vulnerability: The vulnerability was a social engineering attack.
• Actual breach: The actual breach occurred on March 23, 2019.
• Discovery: The breach was discovered on April 1, 2019.
• Investigation: The investigation began on April 1, 2019 and was completed on May 31, 2019.
• Impact: The breach impacted 800,000 individuals.
• Remediation: The DOJ implemented a number of remediation measures, including resetting passwords, implementing multi-factor authentication, and providing training on cybersecurity awareness.

However, the disclosure did not include the following information:

• The specific type of phishing attack that was used.
• How the threat actor gained access to the DOJ’s systems.
• What types of data were breached.
• Whether the data was encrypted.

Timeliness

The DOJ’s disclosure was timely. The breach was discovered on April 1, 2019, the investigation began on April 1, 2019, and the disclosure was made on June 10, 2019. This is a relatively short period of time, given the complexity of investigating a data breach.

Management Involvement

The DOJ’s disclosure was signed by Attorney General Xavier Becerra. This demonstrates that management was involved in the disclosure and that they took it seriously.

Other Considerations

In addition to the completeness, timeliness, and management involvement of the disclosure, there are a few other factors that can be considered when evaluating a data breach disclosure:

• Transparency: The disclosure should be transparent and easy to understand. It should avoid using technical jargon and should be written in a clear and concise style.
• Accuracy: The disclosure should be accurate and should not contain any false or misleading information.
• Empathy: The disclosure should be empathetic to the affected individuals and should explain what steps the organization is taking to protect their data in the future.

The DOJ’s disclosure was transparent, accurate, and empathetic. It was written in a clear and concise style and did not contain any technical jargon. The disclosure also explained what steps the DOJ was taking to protect the data of affected individuals in the future.

Overall Evaluation

Overall, the State of California Department of Justice’s (DOJ) data breach incident disclosure was well-written and informative. It was complete, timely, and transparent. Management was involved in the disclosure and the disclosure was empathetic to the affected individuals.

Recommendations

The DOJ could improve its disclosure by including the following information:

• The specific type of phishing attack that was used.
• How the threat actor gained access to the DOJ’s systems.
• What types of data were breached.
• Whether the data was encrypted.

The DOJ could also improve its disclosure by providing more specific information about the remediation measures that it has implemented. For example, the DOJ could explain how it is retraining its employees on cybersecurity awareness and how it is strengthening its security measures to prevent future attacks.