A growing number of state and federal laws require organizations to implement reasonable security safeguards to protect personal information. But what constitutes reasonable data security? This question has vexed organizations and spurred a considerable amount of litigation. On February 16, 2016, the California Attorney General’s Office released its 2016 Data Breach Report, which for the first time provides a listing of safeguards that the Attorney General views as constituting reasonable information security practices required by California law. Despite being focused on California, the Report’s recommendations are likely to have an impact far beyond the borders of the Golden State.

The Report analyzes trends and patterns in data gleaned from 657 data breaches reported to the office between 2012 and 2015 and provides organizations with a set of recommendations for mitigating the risks associated with data breaches. The Report’s statistics reveal a startling growth in both the size and complexity of data breaches affecting all industry sectors. During the covered period, 49.6 million records were compromised—a figure that exceeds the number of California residents by more than 10 million. The Report highlights the healthcare industry as being particularly vulnerable to breaches, noting that stolen or lost documents or digital devices containing unencrypted data accounted for a majority of the breaches suffered by the health sector.

If cybersecurity risks appear to be ubiquitous, some comfort may be taken in the fact that reasonable defenses are well known. The Report emphasizes a finding that has been made regularly in Verizon’s annual Data Breach Investigations Reports: 99.9 percent of exploited vulnerabilities were compromised more than a year after the fix for the vulnerability had been made publicly available.

Defining a Reasonable Security Standard

California law requires organizations to implement “reasonable security procedures and practices . . . to protect personal information from unauthorized access, destruction, use, modification, or disclosure.” The Report, drawing on a rich dataset of reported breaches, for the first time sets forth the California Attorney General’s expectations, giving concrete meaning to the “reasonable security” requirement.

Implement the Applicable CIS Critical Security Controls

The Report states that the twenty controls defined by the Center for Internet Security’s Critical Security Controls (“Controls”) represent the “minimum level of information security” that all organizations handling personal data should meet. The Report could not be clearer on this point: “The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.” Although implementing the Controls does not guarantee organizations a safe harbor from enforcement actions, failing to document the approach taken for each of the twenty controls appears to be an unreasonable security practice.

The Controls are notable for their prioritized and sequenced approach: the list starts with controls that either have demonstrated the greatest reduction in risk or must be completed before moving on to other steps. The first five controls are considered to be foundational elements of any cybersecurity program, reflecting the expectation that every organization should be able to demonstrate a comprehensive understanding of the technology assets at its disposal. And all of the controls are designed to be highly scalable to the needs of each organization. The Controls therefore provide not only a checklist of “minimum” safeguards, but also the outline of a process to help executives and cybersecurity professionals create a strategy for allocating the limited resources at their disposal to manage cyber risk.

The full list of controls is as follows:

  1. Inventory of Authorized and Unauthorized Devices
  2. Inventory of Authorized and Unauthorized Software
  3. Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
  4. Continuous Vulnerability Assessment and Remediation
  5. Controlled Use of Administrative Privileges
  6. Maintenance, Monitoring, and Analysis of Audit Logs
  7. Email and Web Browsing Protection
  8. Malware Defenses
  9. Limitation and Control of Network Ports, Protocols, and Services
  10. Data Recovery Capability
  11. Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
  12. Boundary Defense
  13. Data Protection
  14. Controlled Access Based on the Need to Know
  15. Wireless Access Control
  16. Account Monitoring and Control
  17. Security Skills Assessment and Appropriate Training to Fill Gaps
  18. Application Software Security
  19. Incident Response and Management
  20. Penetration Tests and Red Team Exercises
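The first two controls and Control 4 reduce to a question an organization must be able to answer on demand: what is on the network, what is running on it, and how old is the oldest missing fix? The following is an added example, not code from the Report or from CIS: it parses constructed discovery output, reconciles it against an authorized device and software inventory, and flags installed versions whose fix has been public for more than a year, the pattern the Report cites from Verizon's findings. Every hostname, MAC address, package name, version, advisory and date is hypothetical.

```python
"""
Added example, not from the Report or from CIS: a reconciliation check in the
spirit of Controls 1, 2 and 4.  It parses constructed discovery output, compares
it with an authorized device and software inventory, and flags installed
versions whose fix has been public for more than a year.  Every hostname, MAC
address, package, version, advisory and date below is hypothetical.
"""
from datetime import date

# Control 1: authorized devices keyed by MAC address (constructed inventory).
AUTHORIZED_DEVICES = {
    "00:11:22:33:44:01": "billing-01",
    "00:11:22:33:44:02": "ehr-db-01",
    "00:11:22:33:44:03": "reception-pc",
}

# Control 2: software permitted on managed hosts (constructed allowlist).
AUTHORIZED_SOFTWARE = {"openssh", "postgresql", "nginx", "chrome"}

# Control 4: (package, first fixed version, date the fix was published); constructed.
ADVISORIES = [
    ("openssh", (7, 2), date(2016, 2, 29)),
    ("nginx", (1, 9, 10), date(2016, 1, 26)),
    ("postgresql", (9, 4, 5), date(2015, 10, 8)),
]

# Constructed discovery output, one "mac host package version" record per line,
# of the kind an ARP sweep joined with a package-listing agent would yield.
SCAN_OUTPUT = """\
00:11:22:33:44:01 billing-01 openssh 6.6
00:11:22:33:44:01 billing-01 nginx 1.10.0
00:11:22:33:44:02 ehr-db-01 postgresql 9.3.4
00:11:22:33:44:03 reception-pc chrome 48.0
00:11:22:33:44:03 reception-pc dropbox 3.12
00:11:22:33:44:99 unknown-laptop openssh 7.2
"""


def parse_version(text):
    """'1.10.0' -> (1, 10, 0): compare numerically; as strings '1.10.0' < '1.9.10'."""
    return tuple(int(part) for part in text.split("."))


def parse_scan(output):
    """Return (mac, host, package, version tuple) for each non-empty record."""
    records = []
    for line in output.splitlines():
        if not line.strip():
            continue
        mac, host, package, version = line.split()
        records.append((mac.lower(), host, package, parse_version(version)))
    return records


def reconcile(records, today, max_fix_age_days=365):
    """Return (unauthorized_devices, unauthorized_software, overdue_patches).

    A device not in the inventory is reported and its software is not assessed
    further: it should not be on the network at all.  Software is overdue when
    the installed version predates a fix that has been public longer than
    max_fix_age_days.
    """
    unauthorized_devices = set()
    unauthorized_software = set()
    overdue_patches = set()
    for mac, host, package, version in records:
        if mac not in AUTHORIZED_DEVICES:
            unauthorized_devices.add((mac, host))
            continue
        if package not in AUTHORIZED_SOFTWARE:
            unauthorized_software.add((host, package))
            continue
        for adv_package, fixed_in, fix_date in ADVISORIES:
            if adv_package != package or version >= fixed_in:
                continue
            if (today - fix_date).days > max_fix_age_days:
                overdue_patches.add((host, package))
    return unauthorized_devices, unauthorized_software, overdue_patches


def example_findings(today=date(2017, 6, 1)):
    """Run the check over the constructed scan as of a fixed (constructed) date."""
    return reconcile(parse_scan(SCAN_OUTPUT), today)


if __name__ == "__main__":
    devices, software, overdue = example_findings()
    for mac, host in sorted(devices):
        print("unauthorized device: %s (%s)" % (host, mac))
    for host, package in sorted(software):
        print("unauthorized software: %s on %s" % (package, host))
    for host, package in sorted(overdue):
        print("fix public for more than a year, still unpatched: %s on %s" % (package, host))
```

Two details matter in practice. Versions are compared as integer tuples, because a string comparison would rank 1.10.0 below 1.9.10 and hide the very hosts that are behind. And an unknown device is reported by itself rather than having its software assessed: an asset the organization cannot account for is the finding, whatever it happens to be running.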

Implement Multi-Factor Authentication for Online Accounts

The data breaches highlighted in the Report demonstrate that usernames and passwords alone are failing to protect personal and sensitive information. The Report therefore states that organizations “should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information.” This means prompting users not only for something they know (e.g., a password), but also for something they have (e.g., a physical token that generates one-time passwords) or something they are (e.g., a fingerprint or retina scan), so that a stolen or guessed password is not by itself enough to get into the account.
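The “something they have” factor in the paragraph above is, in the common case, a time-based one-time password (TOTP, RFC 6238): an HMAC keyed with a per-user secret over the current 30-second time step. The following is an added example, not code from the Report or from any product: it shows both the token side (generating a code) and the server side (verifying it with clock-drift tolerance, constant-time comparison and replay rejection). The secret is the published RFC 6238 test key; the time step, digit count, drift window and class name are choices made for this example.

```python
"""
Added example, not from the Report: the "something you have" factor,
implemented as the time-based one-time password (TOTP) of RFC 6238, which is
HOTP (RFC 4226) with the counter replaced by a 30-second time step.  Shown are
the token side (generate) and the server side (verify with drift tolerance,
constant-time comparison and replay rejection).  The secret is the RFC 6238
test key; step, digit count, drift window and class name are example choices.
"""
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B test seed for HMAC-SHA1 (ASCII "12345678901234567890").
# A real deployment generates a random per-user secret, provisions it to the
# token out of band and stores it as carefully as a password hash.
RFC6238_SEED = b"12345678901234567890"
TIME_STEP = 30
DIGITS = 8  # the RFC vectors use 8 digits; most authenticator apps use 6


def hotp(secret, counter, digits=DIGITS, digestmod=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=TIME_STEP, digits=DIGITS):
    """RFC 6238: HOTP with the counter set to the number of elapsed time steps."""
    return hotp(secret, int(unix_time) // step, digits)


class TotpVerifier:
    """Server-side check of a submitted code for one user.

    Accepts the current step and drift_steps either side to tolerate clock
    skew, compares in constant time, and never accepts a step at or before
    the last accepted one, so a code captured in transit cannot be replayed
    within its validity window.
    """

    def __init__(self, secret, step=TIME_STEP, digits=DIGITS, drift_steps=1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.drift_steps = drift_steps
        self.last_accepted_step = -1

    def verify(self, submitted, unix_time=None):
        now = time.time() if unix_time is None else unix_time
        now_step = int(now) // self.step
        lo = max(0, now_step - self.drift_steps)
        for candidate in range(lo, now_step + self.drift_steps + 1):
            if candidate <= self.last_accepted_step:
                continue  # already used, or older than a used code: treat as replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, submitted):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    verifier = TotpVerifier(RFC6238_SEED)
    code = totp(RFC6238_SEED, 59)                      # RFC 6238 vector: "94287082"
    print(code, verifier.verify(code, unix_time=59))   # accepted: fresh code
    print(code, verifier.verify(code, unix_time=59))   # rejected: replayed
```

The drift window is a trade-off: each extra step on either side makes a phished or shoulder-surfed code usable for longer, so one step is the usual choice. The replay guard is per user and must live in server-side state (here an attribute; in production a database column), otherwise a code intercepted in transit remains valid for the rest of its 30-second window.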

Use Strong Encryption

One of the most striking findings in the Report is the number of breaches that could have been prevented by encryption solutions that are affordable for small and large businesses alike, particularly in the healthcare sector, which the Report notes “appears to be lagging behind other sectors in this regard.” The Report urges organizations to implement “strong encryption,” including full disk encryption on mobile devices and desktop computers when not in use. The qualifier matters: full disk encryption protects data at rest, so a lost or stolen device that was powered off or locked yields nothing to the finder, but once a device is booted and unlocked the keys are in memory and the data is available to whoever controls the running system.

Additional Recommendations

The Report highlights two additional recommendations that go beyond defining what constitutes “reasonable security” under California law.

Organizations Should Encourage Affected Individuals to Place a Fraud Alert on Their Credit Files

The Report notes that in the past year, the number of organizations offering identity theft protection or credit monitoring services to affected individuals has increased by over 20 percent, with positive effects. But both of these services generally cost money and can be cumbersome. A fraud alert placed on the individual’s credit file tells creditors and merchants that the consumer may be a victim of fraud and prompts them to verify the applicant’s identity before extending new credit; it is often equally effective, and it is free.

State Policy Makers Should Collaborate to Harmonize State Breach Laws

Federal breach notification legislation, which would seek to address the challenges inherent in complying with a patchwork of varying state breach requirements, has been under consideration for years without passing Congress. The Report recognizes that, absent a federal law harmonizing state requirements, state policy makers can nonetheless take steps to harmonize state breach laws. The Report notes that such a measure “could reduce the compliance burden for companies, while preserving innovation, maintaining consumer protections, and retaining jurisdictional expertise.”

***

California has long been a trail-blazer in both privacy and cybersecurity enforcement, so other states are likely to follow California’s lead. Thus the usefulness of the Report is not limited to organizations doing business in California. For example, even in states that do not provide more specific definitions of “reasonable security,” the Controls represent a widely respected resource to help design and implement a comprehensive cybersecurity program. Although adherence to the Controls will not guarantee compliance with all cybersecurity requirements even in California, it likely will provide a compelling case that an organization meets at least the baseline requirements for “reasonable security” in every jurisdiction.