Mar 152016

California Data Breach Report Gets Specific on “Reasonable” Information Security

Colleen Theresa Brown and Vivek K. Mohan
, , , ,

This February, the California Attorney General released the “California Data Breach Report,” summarizing developments from 2012-2015.  Drawing from 657 reports filed with the California AG impacting 49 million records, the report is notable for its “recommendations.”  These recommendations are ostensibly non-binding guidance that may nonetheless serve as the basis for the AG’s understanding of what constitutes “reasonable” data security in future investigations and enforcement actions.

The report sets forth the AG’s view that the Center for Internet Security’s Critical Security Controls “define a minimum level of information security that all organizations that collect or maintain personal information should meet.  The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”  The Critical Security Controls, which are copyrighted by the Center for Internet Security, are listed in Appendix A of the AG’s report through a license from the Center for Internet Security.  The so-designated reasonable security standards are available for purchase for commercial purposes at the Center for Internet Security website.  They address topics such as wireless access controls, application software security, secure configurations for network devices, continuous vulnerability assessment and remediation, penetration tests and incident response and management.

The report goes on to recommend that organizations use multi-factor authentication (an increasingly common suggestion from regulators such as the SEC) as well as encryption.  Notably, the report conflates the legally significant difference between encryption for “data at rest” and “data in motion,” or “transit”.

Accordingly, organizations are effectively on notice that the California AG will evaluate the sufficiency of data security protections in the context of the Center for Information Security framework.  Such evaluations can be particularly pointed in the aftermath of a data breach, and given the scope of California’s  data breach notification law, many entities may wish to evaluate how their program compares sooner than later.

Colleen Theresa Brown

Washington, D.C.

cbrown@sidley.com

Vivek K. Mohan

vmohan@sidley.com

You might also like
FCC Proposes Updated Data Breach Reporting Requirements, Comment Period Ongoing

On January 6, 2023, the Federal Communications Commission (the Commission) released a unanimously adopted Notice of Proposed Rulemaking, “In the Matter of Data Breach Reporting Requirements” (Proposed Rule).  The Commission sought comments through February 22, 2023 on the Proposed Rule which will update its current data breach reporting rule. Reply comments are due on or before March 24, 2023.

Illinois Supreme Court Clarifies Accrual for Illinois Biometric Privacy Act Claims

For the second time in two weeks, the Illinois Supreme Court clarified the scope of the Illinois Biometric Privacy Act (BIPA) — this time in Cothron v. White Castle. The court, in a 4–3 decision, held that BIPA claims accrue each time biometric data is collected or transmitted, and not just the first time.1

New FTC Guidance for Mobile Health Apps

Healthcare providers, health plans, and technology companies that use mobile health apps to access, collect, share, use, or maintain information related to an individual’s health should take note of the recently issued Federal Trade Commission (FTC) Mobile Health App Interactive Tool. The purpose of the tool is to help mobile health developers determine the federal regulatory, privacy, and security laws and regulations that may apply to the use of a consumer’s health information, such as information related to diagnosis, treatment, fitness, wellness, or addiction. While the tool should not be considered legal advice and cannot guarantee compliance with legal requirements, it can help healthcare providers, health plans, and technology companies issue-spot to manage risk in this heavily regulated space.