[BreachExchange] California Data Breach Report Defines “Reasonableness” Standard for Data Protection

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 8 21:17:50 EST 2016


http://www.jdsupra.com/legalnews/california-data-breach-report-defines-72426/

Nearly three in five Californians were victims of a data breach in 2015,
according to a report released by state Attorney General Kamala D. Harris.
The report adopts minimum standards of "reasonable security" for personal
information collected and maintained by any organization subject to the
California information security statute.

The report unequivocally states that "securing information is the ethical
and legal responsibility of the organizations with which individuals
entrust their personal information." The strongest protection, the report
notes, is to limit the personal information collected and retained:
entities cannot suffer a breach of data that they do not have. The report
describes and analyzes the data breaches reported to the Attorney General
(AG) from 2012 to 2015 and makes recommendations to businesses to mitigate
the occurrence and effects of such breaches.

From 2012 to 2015, the AG received reports on 657 data breaches, affecting
more than 49 million records of Californians in a variety of industries.
The report indicates that the greatest threats to data were posed by
malware and hacking. All six reported breaches implicating more than 1
million records were from malware and hacking. Physical breaches, resulting
from theft or loss of unencrypted data on electronic devices, came in a
distant second. Third were breaches caused by errors, predominantly
erroneous delivery (of e-mail, for example) and inadvertent exposure of
personal information online.

Particularly troubling is the finding that Social Security numbers and
medical information, some of the most sensitive personal information, were
compromised more often than less sensitive data types. Social Security
numbers were the data type most often breached, involved in nearly half of
all breaches. The data breaches affected retail, financial, health care,
and small businesses.

What are "reasonable security procedures and practices"?

Under California's information security statute, organizations are required
to use "reasonable security procedures and practices…to protect personal
information from unauthorized access, destruction, use, modification, or
disclosure." Federal laws also require "reasonable" or "appropriate"
security measures for specific types of data.

Businesses should base their data security efforts on the adoption of a
risk-management process that includes identifying information assets and
implementing effective security controls.

The report expressly identifies the Center for Internet Security's Critical
Security Controls (Controls), formerly known as the SANS Top 20, as "the
minimum level of information security that all organizations that collect
or maintain personal information should meet." The AG will now view the
"failure to implement all such Controls that apply to an organization's
environment as constitut[ing] a lack of reasonable security."

The report describes the Controls as the priority actions that should be
taken as the starting point of a comprehensive program to provide
reasonable security. The Controls provide the type of prioritized guidance
that cost-conscious executives are seeking when determining where best to
invest their limited technology budgets. They consist of controls and the
specific actions that implement them (sub-controls). Organizations can
implement the Controls by adopting the sub-controls that fit the size,
complexity, and criticality of their systems, as well as the nature of
their data.

The report noted that a significant portion of the breaches tracked by the
AG's Office over the past four years involved the exploitation of known
vulnerabilities for which known controls exist. Adopting the Controls would
therefore significantly reduce the risk and impact of some of the most
common cyberattack methods. The Center for Internet Security provides
specific guidance and resources for implementing the Controls, including
detailed explanations and actions (sub-controls), as well as procedures and
tools for implementation.

Additional recommendations in the report include:

- using multi-factor authentication on consumer-facing online accounts that
contain sensitive personal information, such as online shopping accounts,
health care websites and patient portals, and web-based e-mail accounts;

- consistently using strong encryption to protect personal information on
laptops and other portable devices (and possibly on desktop computers),
particularly in the health care sector, where 55 percent of the breaches
resulted from failures to encrypt; and

- encouraging individuals affected by a breach of Social Security numbers or
driver's license numbers to place a fraud alert on their credit files, and
making this option very prominent in their breach notices.