A growing number of state and federal laws require organizations to implement reasonable security safeguards to protect personal information. But what constitutes reasonable data security? This question has vexed organizations and spurred a considerable amount of litigation. On February 16, 2016, the California Attorney General’s Office released its 2016 Data Breach Report, which for the first time provides a listing of safeguards that the Attorney General views as constituting reasonable information security practices. Despite being focused on California, the Report’s recommendations are likely to have an impact far beyond the borders of the Golden State.
The Report analyzes trends and patterns in data gleaned from 657 data breaches reported to the office between 2012 and 2015 and provides organizations with a set of recommendations for mitigating the risks associated with data breaches. The Report’s statistics reveal a startling growth in both the size and complexity of data breaches affecting all industry sectors. During the covered period, 49.6 million records were compromised—a figure that exceeds the number of California residents by more than 10 million.
Defining a Reasonable Security Standard
California law requires organizations to implement “reasonable security procedures and practices . . . to protect personal information from unauthorized access, destruction, use, modification, or disclosure.” The Report, in a striking effort to regulate-by-report, for the first time sets forth the California Attorney General’s expectations on what “reasonable security” means.
Implement the Applicable CIS Critical Security Controls
The Report states the California Attorney General’s view that the twenty controls defined by the Center for Internet Security’s Critical Security Controls (“Controls”) represent the “minimum level of information security” that all organizations handling personal data should meet. The Report posits a bright-line rule: “The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.” Although implementing the Controls does not guarantee organizations a safe harbor from enforcement actions, failing to document the approach taken for each of the twenty controls appears, in the eyes of the California Attorney General, to be an unreasonable security practice.
The Controls are notable for their prioritized and sequenced approach: the list starts with controls that either have demonstrated the greatest reduction in risk or must be completed before moving on to other steps. The first five controls are considered to be foundational elements of any cybersecurity program, reflecting the expectation that every organization should be able to demonstrate a comprehensive understanding of the technology assets at its disposal. And all of the controls are designed to be highly scalable to the needs of each organization. The Controls therefore provide not only a checklist of “minimum” safeguards, but also the outline of a process to help executives and cybersecurity professionals create a strategy for allocating the limited resources at their disposal to manage cyber risk.
The full list of controls is as follows:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Continuous Vulnerability Assessment and Remediation
- Controlled Use of Administrative Privileges
- Maintenance, Monitoring, and Analysis of Audit Logs
- Email and Web Browsing Protection
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Data Recovery Capability
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
- Security Skills Assessment and Appropriate Training to Fill Gaps
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
Implement Multi-Factor Authentication for Online Accounts
The Report states the California Attorney General’s view that usernames and passwords alone are not sufficient to protect personal and sensitive information. The Report therefore recommends that organizations “should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information.” This requires prompting users not only for something they know (e.g., a username and password), but also something they have (e.g., a physical token that generates one-time passwords) or something they are (e.g., a fingerprint or retina scan).
Encrypt Personal Information on Portable Devices
The Report notes that physical breaches involving theft or loss of unencrypted data on electronic devices were the second most common type of breach. The Report urges organizations to implement “strong encryption” for personal information on laptops and other portable devices, and to consider full disk encryption on desktop computers when not in use.
The Report highlights two additional recommendations for businesses and policymakers:
Organizations Should Encourage Affected Individuals to Place a Fraud Alert on Their Credit Files
The Report notes that in the past year, the number of organizations offering identity theft protection or credit monitoring services to affected individuals has increased by over 20 percent, with positive effects. But both of these services generally cost money and can be cumbersome. A fraud alert, which informs merchants that there may be fraud on the account and prompts them to request additional verification of identity, is often equally effective—and it’s free.
State Policy Makers Should Collaborate to Harmonize State Breach Laws
Federal breach notification legislation, which would seek to address the challenges inherent in complying with a patchwork of varying state breach requirements, has been under consideration for years without passing Congress. The Report recognizes that, absent a federal law harmonizing state requirements, state policy makers can nonetheless take steps to harmonize state breach laws. The Report notes that such a measure “could reduce the compliance burden for companies, while preserving innovation, maintaining consumer protections, and retaining jurisdictional expertise.”
In the absence of definitive guidance from legislatures and regulators on what constitutes “reasonable security,” the Report demonstrates that state attorneys general and other enforcement bodies feel empowered to set their own standards. California has long been a trail-blazer in both privacy and cybersecurity enforcement, and other attorneys general may follow California’s lead in setting forth their own views. For companies seeking to develop a comprehensive cybersecurity program, while adherence to the Report’s recommendations will not guarantee a “safe harbor” even in California, incorporation of the Attorney General’s recommendations would support a compelling case that an organization meets the baseline requirements for “reasonable security” in every jurisdiction.