California Department of Justice Defines “Reasonable” Cybersecurity
On February 16, 2016, the California Department of Justice (CDOJ) released the California Data Breach Report 2012-2015 (the Report), which provides analysis of approximately 657 data breaches reported to the CDOJ between 2012 and 2015. The Report should be of particular interest to any company doing business in California, or that collects or maintains personal information of California residents. The Report defines compliance with the 20 security controls promulgated in “The CIS Critical Security Controls for Effective Cyber Defense,” the October 2015 report issued by the Center for Internet Security (CIS), as the “floor” for “reasonable” cybersecurity and data protection. The Report and CIS publication can be a tool for companies to calibrate their cybersecurity protocols. It also may be a forerunner for similar proclamations of reasonableness by other states and a genesis for additional regulations.
“Reasonable” cybersecurity measures are a minimum benchmark that companies should seek to achieve as the standard of care for the maintenance and protection of personal information. Under California’s information security statute, Cal. Civ. Code § 1798.81.5, all businesses that collect personal information on California residents must use “reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure” (emphasis added). Federal security laws and related regulations, including the Gramm Leach Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA), invoke similar concepts of “reasonable” data security.
Yet, determining what cybersecurity measures are “reasonable” can be a somewhat challenging (and sometimes frustrating) experience for companies. As noted by the CIS, the volume of available technology, information, and oversight has become “a veritable ‘Fog of More’,” whereby competing options, priorities and opinions “can paralyze or distract an enterprise from vital action.” Judicial decisions have not been helpful either. In FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015), for instance, the United States Court of Appeals declined to require that the FTC define with “ascertainable certainty” what cybersecurity measures are reasonable and required. Not long after the decision, however, the lawsuit settled, with Wyndham Worldwide agreeing to comply with PCI data security standards. Since then, some have viewed the Payment Card Industry Data Security Standard (PCI DSS) as a gauge of what cybersecurity measures the FTC deems “reasonable.” The CDOJ Report expands the list of examples of what may be deemed “reasonable.”
The Report identifies data security standards published by the National Institute of Standards and Technology (NIST) in Special Publication 800-53, and standard ISO/IEC 27002:2013, published by the International Organization for Standardization, as “foundational.” The Report also identifies the CIS publication as a means to cut through the “Fog of More” by providing companies “a relatively small number of prioritized, well-vetted and supported security actions that organizations can take to assess and improve their current security state.” According to the CDOJ, the 20 security controls identified by CIS “constitutes a minimum level of security – a floor – that any organization that collects or maintains personal information should meet.”
The controls can be broken down into a set of policies and actions. They are:
- Inventory, track and secure all connections and software, including all hardware and personal devices that connect to your company’s network, and ensure that software and browsers are not vulnerable to attacks whereby malware and backdoor programs can be installed into your company’s system;
- Manage and control configurations for operating systems and applications. Default configurations are intended for ease of deployment and use, not for security;
- Control users by establishing and securing administrative privileges, and granting access to network areas on a need-to-know basis;
- Update continuously with software updates and security patches, and monitor for security advisories and threat bulletins. Understanding and managing system vulnerabilities has become a continuous activity, requiring significant time and attention;
- Protect key assets with proper tools and procedures. A company should ensure that its web browsers are updated to protect against malware, and that appropriate processes are in place for backing up critical data and allowing its timely recovery. Without access to a trustworthy data recovery capability, it may be difficult to remove all aspects of a hacker’s presence in the company’s network. A company should also undertake procedures to protect its data through use of encryption, integrity protection, and data loss prevention (DLP) techniques;
- Implement defenses against malware and boundary intrusions with automated and rapid software updating at possible points of attack, and adopt multi-layered boundary defenses by relying on firewalls, DMZ perimeter networks, and proxies;
- Block access to vulnerable entry points through use of port scanning tools, by limiting and controlling wireless access and entry ports, and by managing the security lifecycle of software as vulnerabilities are discovered and disclosed;
- Train staff by providing security training to employees and vendors who have access to your company’s network and data;
- Monitor activity on network accounts and review network audit logs to prevent hackers from being able to hide the presence of malware and their activities on compromised devices, and close inactive accounts; and
- Test and prepare by creating a cybersecurity incident response plan, assembling a response team, and by running exercises to test your company’s security and ability to respond quickly to a data breach or other cyber attack.
In addition to identifying the CIS’s controls as a “floor” for reasonable cybersecurity, the CDOJ made the following additional recommendations for companies collecting or maintaining data on California residents:
- Organizations should make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information. This stronger procedure would provide greater protection than just the username-and-password combination for personal accounts such as online shopping accounts, healthcare websites and patient portals, and web-based email accounts.
- Organizations should consistently use strong encryption to protect personal information on laptops and other portable devices, and should consider it for desktop computers. This is a particular imperative for healthcare, which appears to be lagging behind other sectors in this regard.
- Organizations should encourage individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files and make this option very prominent in their breach notices. This measure is free, fast, and effective in preventing identity thieves from opening new credit accounts.
WHERE DO WE GO FROM HERE?
Both the CDOJ’s Report and the CIS’s Critical Security Controls publication provide valuable tools for companies reviewing their cybersecurity measures and protocols. However, the CDOJ’s determination that the CIS’s security controls are the “floor” of “reasonable” data security is noteworthy. Agencies in other states may draw similar conclusions, raising the standard for data security. Still, the devil is in the details. The CIS itself recognized that its report is not “a one-size-fits-all solution, in either content or priority.” A company must understand its business, data systems, networks and infrastructure, and also what adverse events could significantly impact its ability to conduct its business and operations. A review of a company’s cybersecurity protocols also should be undertaken with the assistance of outside counsel familiar with cyber and privacy laws. Counsel can advise the company on its legal obligations and the appropriate standards of care it needs to achieve. Use of counsel also may shield the results of any such review and analysis of existing cybersecurity protocols under the protections of attorney-client privilege and attorney work product.
For additional information, contact Josh Mooney (firstname.lastname@example.org | 215.864.6345) or another member of the Cyber Law and Data Protection Group.