We all know why selecting appropriate data security standards is difficult. No two business are the same. Different businesses have different assets to protect and different bank accounts to tap. Different sized businesses have different resources and different exposures. They cannot all be reasonably expected to meet the same standards. In addition, cyber threats and cyber environments constantly change, so a standard chosen now may not help next month. Forcing businesses into a one-size-fits-all standard will bankrupt many of them.
And yet, the California Attorney General’s office just took a public position on security that either shows a dangerous ignorance of how security is implemented in the real world, or a merciless antipathy toward California retailers and other businesses. In California's Annual Breach Report (2016), Ms. Harris’ office defines “reasonable security” for the first time as a broad standard for California business, and defines it with a severe, lofty set of standards that are patently unrealistic for most businesses to meet. The AG’s office has taken an aspirational ceiling and claimed it to be a “reasonable” floor.
The chosen standard is the Center for Internet Security’s Critical Security Controls widely acknowledged by data professionals as “so aggressive that they're going to be impossible to implement for many organizations.” The 20 primary controls that must be implemented to qualify as “reasonable” under the AG’s rules include over 100 sub-controls that must be taken to implement the controls. The Attorney General's report states that these controls “represent a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all controls that apply to an organization’s environment constitutes a lack of reasonable security.” (emphasis supplied.)
And to satisfy their AG at least, California businesses must be able to demonstrate compliance with ALL of the controls "that apply to an organization’s environment” BEFORE a data breach occurs, or the company is PER SE liable for negligence in protecting data. This may leave many companies with the rational thought that ignoring the standard may be more sensible than bankrupting the business to meet it.
It is not hard to see how the plaintiffs’ bar will use this report. If a breach occurs for failure to implement a control that did not seem necessary, cost justified, or not of high enough priority to implement at the time, then that measure will be judged, in hindsight, to be one that applied to the “organization’s environment” and should have been in place. Liability is thereby established.
When standards are set too high to be practical, we know that affected parties will ignore them and be worse off (and their customers worse off) than if the standards had been workable and efficient. That is exactly what the California AG risks here.
The set of rules chosen were the Center for Internet Security’s Critical Security Controls, about which the Center for Internet Security states, "This is not a one-size-fits-all solution, in either content or priority.” And yet, with the new official stamp of “reasonable minimum standards” approval, these difficult to satisfy standards will be used by plaintiff’s lawyers and regulators as minimum standards for every business suffering a data breach. It is even likely that courts, not being experts in the moving target that is adequate data security, will apply these controls as a “reasonable standard,” holding companies to an unrealistic set of requirements.
As lawyers we ask, where did the California Attorney General get the authority to proclaim new legal standards? How could she do so without following any of the rules that define the statutory, regulatory or judicial processes for making new legal or regulatory standards? The report itself highlights a sharp disconnect between what it seeks to do and what it acknowledges it can do. The report's disclaimer that follows its title page says the report is provided "for informational purposes." It may not be construed "as policy of the State of California." Furthermore, the report's mandates are prefaced as "recommendations." But in its substantive provisions, the report seeks to define the "ethical and legal obligations" under California law by announcing what constitutes a "minimum level of informational security," that apply to "all organizations that collect or maintain personal information," absent which an entity has not fulfilled its legal obligation to provide "reasonable [data] security."
All companies need to institute an information security program, and should look to best practices like those published by NIST, CIS, the Cloud Security Alliance and ISO 27001.2. Those with business in California should review the CIS controls and see if they can both meet the new standard, and carefully document what they are doing and why.