Under the current version of the California Consumer Privacy Act (CCPA), a business facing a private cause of action following a consumer data breach can raise a statutory defense to liability if it can establish that it maintained a “reasonable” security program. In the November 2020 election, California voters will decide whether to approve the California Privacy Rights Act (CPRA), which amends the CCPA. One of the proposed amendments, to CCPA Section 1798.100, could increase the liability exposure of businesses subject to the CCPA by expressly requiring them to implement “reasonable security” measures to protect personal information. That requirement leads straight back to the question the CCPA’s data breach defense (which uses the same standard) has never answered: what is “reasonable” security?
Legal Obligations to Implement Reasonable Security Measures
The CPRA’s requirement to implement reasonable security specifically provides that: “A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.” The law referenced in the CPRA, Cal. Civ. Code 1798.81.5, predates the CCPA and already required a business that owns, licenses, or maintains personal information about a California resident to implement and maintain “reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
However, the inclusion of this requirement within the CPRA would (if approved) expand the scope of personal information that must be accounted for under the security procedures. Under Cal. Civ. Code 1798.81.5, “personal information” is limited to (1) certain types of “sensitive” information (e.g., social security number, driver’s license number, account or credit or debit card number, etc.) when combined with an individual’s first name or first initial and last name; and (2) a username and password combination, whereas the CCPA broadly defines “personal information” as any information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The requirement to implement reasonable security controls under state law is not limited to California. More than 20 states have included a requirement to implement reasonable security controls in their respective data breach notification laws. The exact requirements vary from state to state, but the general rule, as in California, is that businesses that collect or use personal information about residents of the state must implement reasonable security controls to protect that personal information from a data breach.
At the federal level, beyond the requirements under sector laws such as the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA), the Federal Trade Commission (FTC) has used Section 5 of the FTC Act to bring actions against businesses that lacked adequate cybersecurity measures since as early as 2002. It is worth noting that in a recent case, LabMD, Inc. v. FTC, 891 F.3d 1286 (11th Cir. 2018), the court sided with LabMD and vacated the FTC’s order relating to LabMD’s alleged negligent failure to implement and maintain a reasonable data security program. However, that decision turned on the breadth and vagueness of the FTC’s order, not on the scope of the FTC’s ability to use the unfair trade practice prong of the FTC Act with respect to security programs. The LabMD case has not deterred the FTC from pursuing aggressive orders imposing obligations on businesses the FTC determines failed to maintain reasonable data security programs, as evidenced by the obligations imposed on Equifax in the Stipulated Order for Permanent Inj. and Monetary Relief, FTC v. Equifax, Inc., No. 1:19-cv-03297-TWT (N.D. Ga. Atlanta Div.). Under that order, Equifax is required to establish and implement a comprehensive information security program that requires, among other things, Equifax to design, implement, maintain, and document safeguards that control for the material internal and external risks Equifax identifies, including, but not limited to, safeguards related to:
- patch management policies;
- establishing and enforcing policies and procedures to ensure the timely remediation of critical and/or high-risk security vulnerabilities;
- maintaining an IT asset inventory that includes hardware, software and location of the assets;
- designing and implementing protections such as network intrusion protection, host intrusion protection and file integrity monitoring;
- designing, implementing and maintaining measures to limit unauthorized access to any network or system that stores, collects, maintains or processes personal information;
- implementing access controls across Equifax’s network;
- limiting user access privileges;
- implementing protections, such as encryption, tokenization or other at least equivalent protections for personal information Equifax collects, maintains, processes or stores;
- establishing and enforcing written policies, procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications and evaluate, assess or test the security of externally developed applications;
- establishing regular information security training programs to address internal or external risks identified by Equifax; and
- establishing a process for receiving and addressing security vulnerability reports.
From an international perspective, the European Union General Data Protection Regulation (GDPR) and other similar global laws require businesses that collect and use personal information to implement security measures of the same open-ended kind; Article 32 of the GDPR requires “appropriate technical and organisational measures” proportionate to the risk. While the GDPR does provide some examples of what may constitute appropriate measures (pseudonymisation and encryption among them), it does not provide any concrete requirements that businesses must adhere to in order to comply with the law.
What is Reasonable Security?
With some exceptions, the laws referenced above do not contain prescriptive steps that a company must take to achieve reasonable security. For greater insight into what California regulators may look for, a good resource is the 2016 “California Data Breach Report.” There, the California Attorney General stated that the 20 controls listed in the Center for Internet Security’s (CIS) Critical Security Controls define the minimum level of information security that all organizations that collect or maintain personal information should meet, and that an organization’s failure to implement all of the controls that apply to its environment constitutes a lack of reasonable security. Those controls are:
- inventory of authorized and unauthorized devices;
- inventory of authorized and unauthorized software;
- secure configurations for hardware and software on mobile devices, laptops, workstations and servers;
- continuous vulnerability assessment and remediation;
- controlled use of administrative privileges;
- maintenance, monitoring and analysis of audit logs;
- email and web browsing protection;
- malware defenses;
- limitation and control of network ports, protocols and services;
- data recovery capability;
- secure configurations for network devices such as firewalls, routers and switches;
- boundary defense;
- data protection;
- controlled access based on the need to know;
- wireless access control;
- account monitoring and control;
- security skills assessment and appropriate training to fill gaps;
- application software security;
- incident response and management; and
- penetration tests and red team exercises.
Other examples of security mandates found in state data breach notification laws include Nevada’s, which prescribes specific security measures that must be employed by businesses that accept payment cards: (1) comply with the current version of the Payment Card Industry Data Security Standard (PCI DSS), which dictates specific security controls that such a business must use; or (2) if the PCI DSS does not apply to the business, refrain from transferring any personal information outside the business’s secure system unless the information is encrypted. Another example is Alabama’s data breach notification law, the last such law enacted in the United States, which provides that reasonable security measures are those that are practicable for the covered entity to implement and maintain, including consideration of all of the following:
- designation of an employee or employees to coordinate the covered entity’s security measures to protect against a breach of security;
- identification of internal and external risks of a breach of security;
- adoption of appropriate information safeguards to address identified risks of a breach of security and assess the effectiveness of such safeguards;
- retention of service providers, if any, that are contractually required to maintain appropriate safeguards for sensitive personally identifying information;
- evaluation and adjustment of security measures to account for changes in circumstances affecting the security of sensitive personally identifying information; and
- keeping the management of the covered entity, including its board of directors, if any, appropriately informed of the overall status of its security measures.
Businesses in some sectors, such as finance and healthcare, are subject to laws and regulations that prescribe information security controls beyond a blanket requirement to implement “reasonable security”, such as the cybersecurity requirements applicable to financial services companies regulated or licensed by the New York State Department of Financial Services (NYDFS). Under those regulations, covered businesses must conduct periodic risk assessments of their information systems sufficient to inform the design of the business’s cybersecurity program, and must use those risk assessments to ensure the business develops, implements and maintains an appropriate security infrastructure that includes, but is not limited to:
- maintenance of a cybersecurity program that fulfills core cybersecurity functions: (a) identifying and assessing internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the business’s information systems; (b) using defensive infrastructure and implementing policies and procedures to protect the business’s information systems and the nonpublic information stored on those information systems from unauthorized access, use or other malicious acts; (c) detecting cybersecurity events; (d) responding to identified or detected cybersecurity events to mitigate any negative effects; (e) recovering from cybersecurity events and restoring normal operations and services; and (f) fulfilling applicable regulatory reporting obligations;
- implementation and maintenance of written policies setting forth the business’s policies and procedures for the protection of its information systems and nonpublic information stored on those systems and addressing several key areas, including: (a) information security; (b) data governance and classification; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance; (j) physical security and environmental controls; (k) customer data privacy; (l) vendor and third party service provider management; (m) risk assessment; and (n) incident response;
- designation of a Chief Information Security Officer that is responsible for overseeing and implementing the business’s cybersecurity program and enforcing its cybersecurity policies;
- annual penetration testing of the business’s information systems and bi-annual vulnerability assessments reasonably designed to identify publicly known cybersecurity vulnerabilities in the business’s information systems;
- development and maintenance of systems that include audit trails designed to detect and respond to cybersecurity events;
- limitation of user access privileges to information systems that provide access to nonpublic information and periodic review of such access privileges; and
- provision of regular cybersecurity awareness training for all personnel.
The Roadmap to Reasonable Security
While the CIS Controls (relied upon by the California Attorney General) and the various data breach notification laws provide a good foundation, they are likely an incomplete roadmap for businesses looking to ensure they have truly implemented reasonable security controls. Developing and implementing a security program must be a holistic endeavor that takes into consideration the types of data a business uses, the particular risks posed to it at both a company level and an industry level, how the business functions, and which of its assets matter most. Merely following a checklist is unlikely to account for all of these elements, and many others, when implementing an overall security program.
Another potential downside of following a checklist is that a checklist implies a sequence of steps that ends at a final point. A program that was reasonable when the last box was ticked can decay into a weak one over time. A good example of this is the breach suffered by CardSystems Solutions, a credit card processing company, in 2005, which exposed 40 million debit and credit card accounts. That breach occurred less than a year after CardSystems Solutions received certification of its compliance with PCI DSS. Investigation into the breach revealed several key failures of the CardSystems Solutions security program, including: (1) storing personal information in a vulnerable format for up to 30 days; (2) not adequately assessing the vulnerability of its web application and computer network to commonly known or reasonably foreseeable attacks, and not implementing simple, low-cost and readily available defenses to such attacks; (3) failing to use strong passwords to prevent hackers from gaining control over computers on its network and access to personal information stored on the network; (4) not using readily available security measures to limit access between computers on its network and between those computers and the internet; and (5) failing to employ sufficient measures to detect unauthorized access to personal information or to conduct security investigations.
It’s also important to keep in mind that checklists like the CIS Controls are typically focused on allocation of Information Security resources. However, security is not the sole province of the Information Security team. According to the Cybersecurity Unit of the U.S. Department of Justice, as set out in their Best Practices for Victim Response and Reporting of Cyber Incidents report published in 2018, the first best practice to take before a cyber intrusion or attack occurs is to educate senior management about the threats, recommending that senior management receive regular briefings about existing and emerging cyber threats and appropriate risk management strategies. Another best practice identified in the report is ensuring that the business’s legal counsel is familiar with technology and cyber incident management, not only because decisions made during a cyber incident can later have legal consequences (e.g., litigation related to the impact of the breach on consumers as well as a business’s compliance with data breach notification laws in connection with the breach, potential breaches of confidentiality and other agreements with third parties, etc.), but also because there are legal issues that can arise prior to a cyber incident, such as the legal implications involved in instituting threat detection and data loss prevention programs (e.g., employee monitoring, software licensing and hosted services restrictions, etc.) and the propriety of choosing one type of cyber insurance over another.
Thus, businesses should consider not only using checklists, such as the CIS Controls as a guide, but also should consider adopting and adhering to a lifecycle approach for reasonable security that continuously evaluates the current risks against the controls in place and that quickly adapts its processes to address new vulnerabilities as they arise. In developing such a lifecycle, businesses should, depending on their size, complexities and information security risks, consider taking the following actions:
- Ensuring internal security policies provide clear direction on the handling and use of the business’s assets, systems and data and that such policies are enforced across all levels of the business;
- Conducting frequent (at least annual) security training for all personnel, with training customized for appropriate departments to ensure all personnel are aware of the potential threats posed to the business and understand their role in protecting the business’s assets, systems and data;
- Providing a secure system that addresses all components of the system, including, but not limited to, internet access, internal network access, remote access, email, network services, asset management, virus and malware scanning, anti-phishing and physical security;
- Creating an incident response team made up of representatives from multiple business units, including, but not limited to, senior leadership, IT, InfoSec, Legal, PR and others, to respond to and remediate attacks suffered by the business as well as to monitor attacks and vulnerabilities suffered by others;
- Following a security-by-design approach when developing applications, systems, networks and other information technology resources;
- Reviewing potential attack points with system developers and administrators;
- Ensuring that all internal and external infrastructure is hardened, appropriately configured and protected with appropriate access controls;
- Testing existing applications, systems, networks and other information technology resources at regular intervals for new and known vulnerabilities;
- Conducting regular vulnerability scanning using well-known tools;
- Engaging third parties to conduct penetration testing and other attacks against the business’s applications, systems, networks and other information technology resources to test the effectiveness of the business’s controls against outside-in attacks;
- Monitoring for attackers that are already within the business’s network and looking for things that traditional vulnerability scanning might miss;
- Engaging in internal threat hunting to try to find attackers in the business’s network; and
- Frequently gathering threat intelligence data about new attack techniques and threat vectors and using that intelligence to further improve the business’s security controls.
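Two of the recurring controls above, an asset inventory (the first CIS Control and the Equifax order’s inventory requirement) and timely remediation of critical and high-risk vulnerabilities (the Equifax order’s patch-management terms and the regular vulnerability scanning in the lifecycle list), are only meaningful if someone checks them continuously rather than once. The script below is an added example, not code from the article or from any regulator or cited case: it joins a constructed asset inventory with a constructed vulnerability scan export, applies assumed severity-based remediation deadlines, and reports both overdue findings and hosts the scanner found that the inventory does not know about. The CSV layouts, the SLA windows, the finding identifiers and the “as of” date are all assumptions made for the demo.

```python
"""Remediation-SLA and inventory-coverage check over a vulnerability scan export.

Added example, not from the article. Inventory rows, scan rows, finding IDs,
SLA windows and AS_OF date are all constructed for the demonstration.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation windows (days) per severity: a policy choice, not a legal standard.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed "as of" date for the report.
AS_OF = date(2024, 4, 1)

# Constructed asset inventory: what the business believes it owns.
INVENTORY_CSV = """hostname,owner,location
web-01,platform,us-east-dc1
db-01,data,us-east-dc1
jump-01,secops,eu-west-dc2
"""

# Constructed scanner export: one row per finding. IDs are placeholders, not real CVEs.
SCAN_CSV = """hostname,finding_id,severity,first_seen,status
web-01,F-1001,critical,2024-03-01,open
web-01,F-1002,medium,2024-03-15,open
db-01,F-1003,high,2024-02-01,open
db-01,F-1004,high,2024-03-20,fixed
legacy-ftp,F-1005,critical,2024-01-10,open
"""


@dataclass(frozen=True)
class Finding:
    hostname: str
    finding_id: str
    severity: str
    first_seen: date
    status: str

    def deadline(self) -> date:
        """Date by which policy says this finding must be remediated."""
        return self.first_seen + timedelta(days=SLA_DAYS[self.severity])

    def days_overdue(self, today: date) -> int:
        """Positive when past the deadline, zero or negative otherwise."""
        return (today - self.deadline()).days


def load_inventory(text: str) -> dict[str, dict[str, str]]:
    """Inventory keyed by hostname."""
    return {row["hostname"]: row for row in csv.DictReader(io.StringIO(text))}


def load_findings(text: str) -> list[Finding]:
    """Parse the scan export, rejecting severities the SLA policy does not cover."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        severity = row["severity"].strip().lower()
        if severity not in SLA_DAYS:
            raise ValueError(f"unknown severity {severity!r} on {row['finding_id']}")
        findings.append(Finding(row["hostname"].strip(), row["finding_id"].strip(),
                                severity, date.fromisoformat(row["first_seen"]),
                                row["status"].strip().lower()))
    return findings


def overdue_findings(findings: list[Finding], today: date) -> list[tuple[Finding, int]]:
    """Open findings past their SLA deadline, most overdue first."""
    late = [(f, f.days_overdue(today)) for f in findings
            if f.status == "open" and f.days_overdue(today) > 0]
    return sorted(late, key=lambda pair: (-pair[1], pair[0].hostname))


def unknown_hosts(findings: list[Finding], inventory: dict[str, dict[str, str]]) -> set[str]:
    """Hosts the scanner reached that the inventory does not list: an inventory gap."""
    return {f.hostname for f in findings} - set(inventory)


def report(inventory_csv: str, scan_csv: str, today: date) -> dict:
    """Summarise SLA breaches and inventory coverage in a plain dict."""
    inventory = load_inventory(inventory_csv)
    findings = load_findings(scan_csv)
    open_by_severity: dict[str, int] = {}
    for f in findings:
        if f.status == "open":
            open_by_severity[f.severity] = open_by_severity.get(f.severity, 0) + 1
    return {
        "overdue": [(f.hostname, f.finding_id, f.severity, days)
                    for f, days in overdue_findings(findings, today)],
        "unknown_hosts": sorted(unknown_hosts(findings, inventory)),
        "open_by_severity": open_by_severity,
    }


if __name__ == "__main__":
    result = report(INVENTORY_CSV, SCAN_CSV, AS_OF)
    for hostname, finding_id, severity, days in result["overdue"]:
        print(f"OVERDUE {days:>3}d  {severity:<8} {hostname:<12} {finding_id}")
    print("hosts missing from inventory:", ", ".join(result["unknown_hosts"]) or "none")
    print("open findings by severity:", result["open_by_severity"])
```

On the constructed data the most overdue item is the critical finding on `legacy-ftp`, a host that is also absent from the inventory; that pairing is the point of running both checks together, since an unowned host has nobody accountable for patching it. Real scan exports carry more columns and noisier hostnames, so the normalisation in `load_findings` is where production versions grow.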
The foregoing is not a comprehensive list of all measures a business can, or should, take in implementing reasonable security controls. Information security techniques and ideas continue to evolve, and some existing techniques may not be appropriate for a business now but could be in the future. However, considering these and other information security techniques, and implementing those that are appropriate for the business, is key to developing, implementing and continuously monitoring reasonable security controls.