Nearly three in five Californians were victims of a data breach in 2015, according to a report released by state Attorney General Kamala D. Harris. The report sets out what the AG considers the minimum standard of ''reasonable security'' for personal information collected and maintained by any organization subject to California's information security statute.

The report states unequivocally that ''securing information is the ethical and legal responsibility of the organizations with which individuals entrust their personal information.'' The strongest protection, the report notes, is to limit the personal information collected and retained: an organization cannot suffer a breach of data it does not hold. The report describes and analyzes the data breaches reported to the Attorney General (AG) from 2012 to 2015 and recommends steps businesses can take to reduce both the likelihood and the impact of such breaches.

From 2012 to 2015, the AG received reports of 657 data breaches affecting more than 49 million records of Californians across a range of industries. The report identifies malware and hacking as the greatest threat to data: all six reported breaches involving more than 1 million records resulted from malware and hacking. Physical breaches, resulting from theft or loss of unencrypted data on electronic devices, were a distant second. Third were breaches caused by error, predominantly misdirected delivery (of e-mail, for example) and inadvertent exposure of personal information online.

Particularly troubling is the finding that Social Security numbers and medical information, among the most sensitive categories of personal information, were compromised more often than less sensitive data types. Social Security numbers were the data type most often breached, involved in nearly half of all breaches. The breaches affected the retail, financial, and health care sectors as well as small businesses.

What are ''reasonable security procedures and practices''?

Under California’s information security statute, organizations are required to use ''reasonable security procedures and practices…to protect personal information from unauthorized access, destruction, use, modification, or disclosure.'' Federal laws also require ''reasonable'' or ''appropriate'' security measures for specific types of data.

Businesses should base their data security efforts on a risk-management process that identifies the information assets they hold, assesses the risks to those assets, and implements effective security controls in response.

The report expressly identifies the Center for Internet Security's Critical Security Controls (Controls), formerly known as the SANS Top 20, as ''the minimum level of information security that all organizations that collect or maintain personal information should meet.'' The AG will now view the ''failure to implement all such Controls that apply to an organization's environment as constitut[ing] a lack of reasonable security.''

The report describes the Controls as the priority actions that should be taken as the starting point of a comprehensive program to provide reasonable security. The Controls offer the kind of prioritized guidance that cost-conscious executives look for when deciding where to invest limited technology budgets. Each Control is accompanied by specific actions for implementing it (sub-controls), and organizations can tailor their implementation by adopting the sub-controls that fit the size, complexity, and criticality of their systems and the nature of their data. Because the AG's standard turns on the Controls that ''apply to an organization's environment,'' an organization should be prepared to document which Controls and sub-controls it considers applicable and why, and to show evidence that those have been implemented.

The report noted that a significant portion of the breaches tracked by the AG's Office over the past four years involved the exploitation of known vulnerabilities for which controls already exist. Adopting the Controls will therefore significantly reduce the risk and impact of some of the most common attack methods. The Center for Internet Security provides guidance and resources for implementing the Controls, including detailed explanations of each sub-control and procedures and tools for implementation.

Additional recommendations in the report include:

  • using multi-factor authentication, rather than a password alone, on consumer-facing online accounts that contain sensitive personal information, such as online shopping accounts, health care websites and patient portals, and web-based e-mail accounts;

  • consistently using strong encryption to protect personal information on laptops and other portable devices (and possibly on desktop computers), particularly in the health care sector, where 55 percent of the breaches resulted from failures to encrypt; and

  • encouraging individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files, and making that option prominent in breach notices.

Attorneys in Ballard Spahr's Privacy and Data Security Group regularly work with companies on implementing and documenting controls to protect the data they collect and process, and assist in handling information security incidents and developing incident response plans.

Copyright © 2016 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.