California Attorney General Defines Reasonable Security

Some businesses have complained that the FTC has not been clear about what is required in order to be in compliance of section 5 of the FTC act and avoid being fined.

California, usually a leader in the privacy arena, has begun to put some detail to those requirements, at least for businesses that have customers in California.  After California implemented SB 1386, the defining privacy law in the U.S., other states followed over the next few years.  This is likely to be the case with this decision.

Kamala Harris, the California Attorney General, released a report this month on data breach impact in California between 2012 and 2015.

The report goes into some detail on the types of breaches, types of businesses, number of records breached and related information.  Retail was the leading breached business type, followed by financial and healthcare.

She then goes on to talk about reasonable security and the fact that the California information security statute requires businesses to use “reasonable security procedures and practices”.

She explains her definition of reasonable security as follows:

  1. The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.
  2. Organizations should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information. This stronger procedure would provide greater protection than just the username-and-password combination for personal accounts such as online shopping accounts, health care websites and patient portals, and web-based email accounts.
  3. Organizations should consistently use strong encryption to protect personal information on laptops and other portable devices, and should consider it for desktop computers. This is a particular imperative for health care, which appears to be lagging behind other sectors in this regard.

The CIS 20 is an almost 100 page document, so I am not going to try and summarize it here, but it addresses inventory, configuration, continuous vulnerability assessment, controlling admin users, data recovery, need to know, wireless, account monitoring, incident response and penetration testing, among other things.

And, I would agree with her – organizations that take on the CIS 20 seriously are likely to be way more secure than the average company.

On the other hand, doing this is a serious undertaking and likely affects many aspects of your business.

One other thought.  The California Information Security Law (AB 1950) also REQUIRES a company to enter into CONTRACTS with its sub-contractors to also implement these same controls.

What we don’t know yet is what the AG plans to do about this.  For example, the California law does not say that you are required to use reasonable security only in the event that your systems are breached.  This means that the AG could go after businesses for not implementing reasonable security, even if they have not been breached.  While I think this is unlikely, she certainly would get a lot of press if she decided to make an example of someone.

It seems more likely that, in the event of a breach and after investigation, her office discovers that a breached organization was not implementing her definition of reasonable security that she might go after a business.

Bottom line is this –

If you are located in California, have customers located in California or do business with a business located in California, you now have some pretty clear guidelines for what you need to do.

The AG’s report is available here.

The CIS 20 controls are available here.

Information on CA AB 1950 can be found here.

Leave a Reply

Your email address will not be published.