On Tuesday, February 16, 2016, the California Attorney General's Office released its Data Breach Report, analyzing the 657 data breaches reported to the Attorney General's office from 2012 to 2015. According to the report, the majority of the reported breaches were the result of security failures. Based on these findings, the Attorney General's report makes recommendations to organizations and, for the first time, addresses what constitutes "reasonable security measures" to protect personal information under California law.
Findings from Reported Data Breaches
Based on reported data, more than 49 million records pertaining to Californians were affected by data breaches between 2012 and 2015. Although the number of reported breaches remained constant from 2014 to 2015, the number of records at risk increased dramatically from 4.3 million in 2014 to more than 24 million in 2015.
More than half of the reported data breaches resulted from malware and hacking, but a significant number resulted from physical theft/loss (22 percent), errors (17 percent), or misuse by internal personnel (7 percent). Social Security numbers, health information, and financial information continue to be the types of data involved in most data breaches. The Attorney General predicts that cyber criminals will increasingly look to obtain Social Security numbers as retailers continue to transition away from magnetic stripe readers to chip-enabled payment cards.
Recommendations Regarding Reasonable Security Measures
The Data Breach Report is especially significant because it provides, for the first time, guidance from the Attorney General on what the California Department of Justice views as reasonable security measures under California law.[1] In the view of the Attorney General, organizations should, at minimum, implement the Center for Internet Security's Critical Security Controls (the "Controls"). The Data Breach Report adopts these Controls as the "minimum level of information security" that all organizations must meet and states that "the failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security."[2]
The Center for Internet Security's Controls include the following 20 controls:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Security Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations, and Servers
- Continuous Vulnerability Assessment and Remediation
- Controlled Use of Administrative Privileges
- Maintenance, Monitoring, and Analysis of Audit Logs
- Email and Web Browsing Protection
- Malware Defenses
- Limitation and Control of Network Ports, Protocols, and Services
- Data Recovery Capability
- Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
- Boundary Defense
- Data Protection
- Controlled Access Based on the Need to Know
- Wireless Access Control
- Account Monitoring and Control
- Security Skills Assessment and Appropriate Training to Fill Gaps
- Application Software Security
- Incident Response and Management
- Penetration Tests and Red Team Exercises
In addition to adopting the Controls, the report recommends that organizations use multifactor authentication not only to protect critical systems and data but also for consumer-facing online accounts. Many online consumers fail to create unique passwords for each account, making it easier for cyber thieves to hack into multiple accounts. Multifactor authentication, such as sending a passcode to the user's cell phone, would decrease such a risk.
The report further recommends that organizations, particularly health care organizations, use strong data encryption to protect personal information in transit. More than half of the breaches in the health care sector resulted from the failure to encrypt such information.
The report recommends placing fraud alerts on consumers' credit files when Social Security numbers or driver's license numbers are breached.
Finally, the report also recommended that "State policy makers should collaborate in seeking to harmonize state breach laws on some key dimensions. Such an effort could preserve innovation, maintain consumer protections, and retain jurisdictional expertise."
Although the Data Breach Report's findings are not surprising, its recommendations, particularly the adoption of the Center for Internet Security's Critical Security Controls, represent a significant development for organizations seeking to comply with California's data protection requirements.
California was the first state to enact data breach notification regulations, and the report's recommendations as to what constitutes "reasonable security" are likely to be adopted by other states. By defining "reasonable security," the California Attorney General is also sending a strong signal that we are going to see increased enforcement of California's data security statute.
The full Data Breach Report is available from the California Attorney General's Office.
Footnotes
[1] Cal. Civ. Code § 1798.81.5(b) requires businesses that collect personal information on California residents to use "reasonable security procedures and practices" to protect that information.
[2] Kamala Harris, Attorney General, California Department of Justice, California Data Breach Report (February 2016), at 30.