Reasonable Data Security Defined by California Attorney General
Last week, California Attorney General, Kamala D. Harris, issued the California Data Breach Report (Report). The Report provides an analysis of the data breaches reported to the California AG from 2012-2015.
The Report details that nearly 50 million records of Californians have been breached and the majority of these breaches resulted from security failures. In fact, the Report explains that nearly all of the exploited vulnerabilities, which enabled the breaches, were compromised more than a year after the solution to address the vulnerability was publicly available. According to Ms. Harris, “It is clear that many organizations need to sharpen their security skills, trainings, practices, and procedures to properly protect consumers.”
Under California law, “A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” This requirement is important as the Report specifically states an organization’s failure to implement all of the 20 controls set forth in the Center for Internet Security’s Critical Security Controls (The Controls) constitutes a lack of reasonable security.
The Report goes on to discuss numerous findings and provide an analysis of the breach types, data types, and industry sectors impacted. The Report concludes with recommendations which include:
Reasonable Security: The Standard of Care for Personal Information. Implementation of The Controls mentioned above as a minimum level of information security (available as at Appendix A to the Report).
Multi-Factor Authentication. Organizations should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information. This stronger procedure would provide greater protection than just the username-and-password combination for personal accounts such as online shopping accounts, health care websites and patient portals, and web-based email accounts.
Encryption of Data in Transit. Organizations should consistently use strong encryption to protect personal information on laptops and other portable devices, and should consider it for desktop computers. This is a particular imperative for health care, which appears to be lagging behind other sectors in this regard.
Fraud Alerts. Organizations should encourage individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files and make this option very prominent in their breach notices. This measure is free, fast, and effective in preventing identity thieves from opening new credit accounts.
Harmonizing State Breach Laws. State policy makers should collaborate to harmonize state breach laws on some key dimensions. Such an effort could reduce the compliance burden for companies, while preserving innovation, maintaining consumer protections, and retaining jurisdictional expertise.
While the Report, and California’s existing law, are focused on protecting the personal information of California residents, it is important to remember California has continuously been at the forefront of data security legislation. In fact, California was the first state to enact a data breach notification law in 2003, and since that time 46 other states have followed suit. As such, it would not be surprising if other states consider the recommendations in the Report and implement similar requirements.