[BreachExchange] Are California’s New Data Security Standards a Recipe for Liability?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 12 19:30:56 EDT 2016


http://blogs.wsj.com/law/2016/04/12/are-californias-new-data-security-standards-a-recipe-for-liability/

An effective shield against cyber-attacks or a recipe for lawsuits? Those
are two ways of looking at new data security standards endorsed by the
California attorney general’s office.

California law requires businesses to use “reasonable security procedures
and practices…to protect personal information from unauthorized access,
destruction, use, modification, or disclosure.”

California Attorney General Kamala Harris defined “reasonable security” in
a February report that analyzes recent data breaches and makes policy
recommendations.

Companies operating in the state that collect or maintain personal
information should at a minimum follow a set of security guidelines known
as “Critical Security Controls,” the report says. The guidelines were
developed several years ago by a consortium of cybersecurity experts and
are licensed for commercial use by the Center for Internet Security, a
non-profit group outside of Albany, N.Y.

The guidelines consist of 20 “controls,” or recommended practices, and more
than 100 “sub-controls.” One sub-control, for example, advises companies to
deploy two separate browser configurations to each system: one that
disables the use of all plugins and the other allowing for more browser
functionality on approved sites.

“A failure to implement all the Controls that apply to an organization’s
environment constitutes a lack of reasonable security,” the attorney
general’s report says. The report does not make clear precisely how “an
organization’s environment” is defined.

Theodore F. Claypoole, a data privacy lawyer at Womble Carlyle Sandridge &
Rice LLP in North Carolina, says the CIS guidelines are an “excellent
tool,” but one he fears will become a hammer wielded by plaintiffs’ lawyers.

A client alert he co-authored titled “Cyber Security IMPOSSIBLE” is blunt
with its criticism:

"It is not hard to see how the plaintiffs’ bar will use this report. If a
breach occurs for failure to implement a control that did not seem
necessary, cost justified, or not of high enough priority to implement at
the time, then that measure will be judged, in hindsight, to be one that
applied to the “organization’s environment” and should have been in place.
Liability is thereby established.

"When standards are set too high to be practical, we know that affected
parties will ignore them and be worse off (and their customers worse off)
than if the standards had been workable and efficient. That is exactly what
the California AG risks here. . ."

Law Blog has reached out to the California attorney general’s office for
comment.

Brian de Vallance, CIS’s vice president for policy and outreach, says the
guidelines aren’t one-size-fits-all. “We’re not saying do all 20 if you’re
a mom-and-pop operation,” he told Law Blog. “It’s less onerous than it
sounds.”

The attorney general’s report suggests much the same. “The controls are
intended to apply to organizations of all sizes and are designed to be
implementable and scalable,” it states.