Yesterday, we reviewed the staggering numbers in California Attorney General Kamala Harris’ 2016 Data Breach Report.

In addition to providing a comprehensive analysis of four years of data breaches, the report provides what is an answer to the vexing question of what her office considers to be “reasonable security.”

The Report contains the following recommendations for organizations that collect or maintain personal information on how to reduce the risk of data breaches and mitigate the resulting harm:

  1. Recommendation No. 1: Meet, as a minimum level of security, the 20 controls in the Center for Internet Security’s Critical Security Controls (the “Controls”). An excerpt of the Controls is attached as Appendix B to the report and the full set of the current Controls can be found here. The Center for Internet Security’s Critical Security Controls are a set of 20 cybersecurity defensive measures meant to “detect, prevent, respond to, and mitigate damage from cyber attacks.”  The California information security law as well as other state and federal information security laws (e.g., the Massachusetts data protection law, the Gramm Leach Bliley Act for the financial services sector, the Health Insurance Portability and Accountability Act for the health care sector) require covered organizations to implement and maintain “reasonable” and/or “appropriate” administrative, technical, and physical safeguards for personal information. The report makes it very clear that “the failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security”.
  2. Recommendation No. 2: Use multi-factor authentication not only to protect critical systems and data, but also on consumer-facing online accounts containing sensitive personal information (e.g., online shopping accounts, health care websites and patient portals, and web-based email accounts).
  3. Recommendation No. 3: Consistently use strong encryption to protect personal information on laptops and other portable devices and consider it for laptop computers. The report recommends that health care organizations in particular implement this recommendation given the type of personal information involved and the fact that more than 55% of the breaches in the health care sector resulted from a failure to encrypt personal information (compared to just 16% of data breaches in all other industry sectors).
  4. Recommendation No. 4: Encourage individuals affected by a data breach involving Social Security numbers or driver’s license numbers to place a fraud alert on their credit files by making this option more prominent in the data breach notices.

If your organization has not evaluated its security controls using a framework such as the Center for Internet Security’s Critical Security Controls and you experience a data breach, you may find yourselves on the wrong side of next year’s report.   There is no time like the present to start to conduct that kind of internal gap analysis and risk assessment.