[BreachExchange] Cybersecurity 2017 – The Year In Preview: The Changing Face of State Law and Enforcement

[Audrey McNeil]

http://www.jdsupra.com/legalnews/cybersecurity-2017-
the-year-in-preview-31387/

In the patchwork of state and federal law regulating the use and
maintenance of personal confidential information, states play a significant
role and can often be the most important regulator and law enforcement
authority.  Recent events have signaled changes in how states interpret and
enforce their data privacy standards — and thus how the baseline for
understanding what is protected, and what is expected of businesses, might
be changing.  California, which has been at the forefront of the
development of state data privacy  laws, remains an important bellwether.

In that respect, a significant development is California AG Kamala Harris’s
release of a comprehensive data breach report in early 2016, to significant
fanfare.  The report included guidance on minimum privacy and security
standards — which the report deemed a compliance “floor” — for custody of
personal information by any entity in California collecting such
information.  The Attorney General’s first recommendation was drawn from
 the Center for Internet Security’s (“CIS”) Critical Security Controls.  AG
Harris’s report determined that the 20 CIS controls “define a minimum level
of information security that all organizations that collect or maintain
personal information should meet.”  As understood by AG Harris and the
industry at large, CIS Critical Security Controls are a concise,
prioritized set of cyber practices created to stop today’s most pervasive
and dangerous cyber attacks.  CIS itself touts the baseline effectiveness
of its standards.  According to CIS, organizations that apply just the
first 5 CIS controls can reduce their risk of cyberattack by around 85%;
and implementing all 20 controls increases the risk reduction to around 94%.

Attorney General Harris did not simply suggest the CIS controls as a viable
data security apparatus for California entities collecting and retaining
information.  Signifcantly, she instead presented the controls as
sub-regulatory guidance.  She noted that “the failure to implement the
controls that apply to an organization’s environment constitutes a lack of
reasonable security” (emphasis added).  Those words carry legal heft.
California Civil Code § 1798.81.5 requires all businesses that collect
personal information on California residents to use “reasonable security
procedures and practices appropriate to the nature of the information, to
protect the personal information from unauthorized access, destruction,
use, modification or disclosure”  (emphasis added).  In her report,
Attorney General Harris signaled that California businesses must now comply
with the CIS controls, or risk an enforcement action or lawsuit under §
1798.81.5.  (To date, the California Attorney General’s Office has not sued
an entity for failure comply with the CIS controls.)

California’s incorporation of a national institute’s recommended standards
as a baseline for data security measures potentially opens the door for
other state Attorney’s General to follow suit.  If more states adopt, for
example, CIS standards, that could encourage the creation of a harmonized
network of state data privacy and security standards, where business
expectations might differ little from state to state.  At least six other
states (Florida, Utah, Arkansas, Nevada, Maryland and Rhode Island) have
adopted statutes requiring entities that collect and retain personal
information from consumers employ reasonable procedures or reasonable
security measures to protect such information.  That said, there is as of
yet no case law in these states directing what types of measures satisfy
this “reasonability mandate,” and little in the form of guidance from the
Attorneys General of the respective states.  2017 might begin to flesh out
the legal meaning of these concepts.

Business entities working across state lines would benefit from a more
concrete and consistent definition of “reasonable procedures.”  Currently,
such business entities must speculate as to what “reasonable” means in any
given state, and develop data privacy protections accordingly.  This could
lead to uncertainty and even confusion if businesses determine those
standards differ greatly across state lines.  Reliance on uniform national
standards would be a prudent, but not necessarily sufficient way for
businesses to satisfy the unstated requirements of these statutes.  That
will remain so until state Attorneys’ General illuminate a common path to
compliance.

Anticipating this future, Attorney General Harris explicitly called for
adoption of some uniform standards in her 2016 report.  A key
recommendation in her report was that state policy makers (including state
Attorneys General) should collaborate in seeking to harmonize state breach
laws on some key dimensions.  According to Attorney General Harris, such an
effort could preserve innovation, maintain consumer protections, and retain
jurisdictional expertise.  A result of a collaborative effort to harmonize
state breach laws would be to “minimize the number of patches” in the
patchwork of state laws and give businesses a clearer path to compliance.
The CIS Controls provide a functional platform for harmonization.  Indeed,
the National Governor’s Association lauded the Controls as far back as
2013.  The Association recommendation states “turn to the Critical Security
Controls for a baseline of effective cybersecurity practices” and that the
controls “provide states with a security framework that can strengthen
their cyber defenses and ultimately protect information, infrastructure,
and critical assets.”  While California is the first state to incorporate
the CIS controls into formal guidance, continued calls for uniformity and
standardization in state data privacy requirements indicate more states are
likely to follow.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20161123/caa511c2/attachment.html>