On Tuesday, February 16, 2016, the California Attorney General's Office released its Data Breach Report, analyzing the 657 data breaches reported to the Attorney General's office from 2012 to 2015. According to the report, the majority of the reported breaches were the result of security failures. Based on these findings, the Attorney General's report makes recommendations to organizations and, for the first time, addresses what constitutes "reasonable security measures" to protect personal information under California law.
Findings from Reported Data Breaches
Based on reported data, more than 49 million records pertaining to Californians were affected by data breaches between 2012 and 2015. Although the number of reported breaches remained constant from 2014 to 2015, the number of records at risk increased dramatically from 4.3 million in 2014 to more than 24 million in 2015.
More than half of the reported data breaches resulted from malware and hacking, but a significant number resulted from physical theft/loss (22 percent), errors (17 percent), or misuse by internal personnel (7 percent). Social Security numbers, health information, and financial information continue to be the types of data involved in most data breaches. The Attorney General predicts that cyber criminals will increasingly look to obtain Social Security numbers as retailers continue to transition away from magnetic stripe readers to chip-enabled payment cards.
Recommendations Regarding Reasonable Security Measures
The Data Breach Report is especially significant because it provides, for the first time, guidance from the Attorney General on what the California Department of Justice views as reasonable security measures under California law. In the view of the Attorney General, organizations should, at minimum, implement the Center for Internet Security's Critical Security Controls (the "Controls"). The Data Breach Report adopts these Controls as the "minimum level of information security" that all organizations must meet and states that "the failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security."
The Center for Internet Security's Controls include the following 20 controls:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Security Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Continuous Vulnerability Assessment and Remediation
- Controlled Use of Administrative Privileges
- Maintenance, Monitoring, and Analysis of Audit Logs
- Email and Web Browsing Protection
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Data Recovery Capability
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
- Security Skills Assessment and Appropriate Training to Fill Gaps
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
In addition to adopting the Controls, the report recommends that organizations use multifactor authentication not only to protect critical systems and data but also for consumer-facing online accounts. Many online consumers fail to create unique passwords for each account, making it easier for cyber thieves to hack into multiple accounts. Multifactor authentication, such as sending a passcode to the user's cell phone, would decrease such a risk.
The report further recommends that organizations, particularly health care organizations, use strong data encryption to protect personal information in transit. More than half of the breaches in the health care sector resulted from the failure to encrypt such information.
The report recommends placing fraud alerts on consumers' credit files when Social Security numbers or driver's license numbers are breached.
Finally, the report also recommended that "State policy makers should collaborate in seeking to harmonize state breach laws on some key dimensions. Such an effort could preserve innovation, maintain consumer protections, and retain jurisdictional expertise.
Although the Data Breach Report's findings are not surprising, its recommendations, particularly the adoption of the Center for Internet Security's Critical Security Controls, represent a significant development for organizations seeking to comply with California's data protection requirements.
California was the first state to enact data breach notification regulations, and the report's recommendations as to what constitutes "reasonable security" are likely to be adopted by other states. By defining "reasonable security," the California Attorney General is also sending a strong signal that we are going to see increased enforcement of California's data security statute.
The full Data Breach Report can be found here.