California Data Breach Report Gets Specific on “Reasonable” Information Security

This February, the California Attorney General released the “California Data Breach Report,” summarizing developments from 2012-2015.  Drawing from 657 reports filed with the California AG impacting 49 million records, the report is notable for its “recommendations.”  These recommendations are ostensibly non-binding guidance that may nonetheless serve as the basis for the AG’s understanding of what constitutes “reasonable” data security in future investigations and enforcement actions.

The report sets forth the AG’s view that the Center for Internet Security’s Critical Security Controls “define a minimum level of information security that all organizations that collect or maintain personal information should meet.  The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”  The Critical Security Controls, which are copyrighted by the Center for Internet Security, are listed in Appendix A of the AG’s report through a license from the Center for Internet Security.  The so-designated reasonable security standards are available for purchase for commercial purposes at the Center for Internet Security website.  They address topics such as wireless access controls, application software security, secure configurations for network devices, continuous vulnerability assessment and remediation, penetration tests and incident response and management.

The report goes on to recommend that organizations use multi-factor authentication (an increasingly common suggestion from regulators such as the SEC) as well as encryption.  Notably, the report blurs the legally significant distinction between encryption of “data at rest” and encryption of “data in motion” (or “in transit”).

Accordingly, organizations are effectively on notice that the California AG will evaluate the sufficiency of data security protections against the Center for Internet Security framework.  Such evaluations can be particularly pointed in the aftermath of a data breach, and given the broad scope of California’s data breach notification law, many entities may wish to evaluate how their program compares sooner rather than later.