On February 16, 2016, California Attorney General Kamala D. Harris released the California Data Breach Report 2012-2015 (the “Report”), which provided a comprehensive analysis of the data breaches reported to the Attorney General’s office during the covered years, as well as set forth concrete recommendation for minimum data security that would be considered “reasonable” under California law.

According to the Report, in the past four years, the Attorney General has received reports on 657 data breaches, affecting a total of over 49 million records of Californians. These breaches occurred in all sectors of the economy. The greatest threat to security, both in the number of breaches and the number of records breached, was presented by malware and hacking, followed by physical breaches, breaches caused by insider errors, and breaches caused by insider misuse. The most breached data types were Social Security numbers and medical information.

With malware and hacking being responsible for 356 (or 54 percent) of the 657 breaches, it is important to note that according Verizon’s Data Breach Investigations Report 2015, 99.9 percent of exploited vulnerabilities were compromised more than a year after the controls for the vulnerability had been publicly available.  The Report stated that if organizations choose to collect data and then neglect to secure their systems as to allow attackers to take advantage of uncontrolled vulnerabilities, the organizations are also culpable.

The Report stressed that businesses collecting personal data of Californians must employ strong privacy practices, such as have privacy policies that are easy to read and access, inform consumers about material changes to their data handling practices, and carefully design how data is collected, used, and shared. “Foundational to those privacy practices is information security,” the Report stated, “if companies collect consumers’ personal data, they have a duty to secure it.”

The Report provided the following recommendations to organizations on improving their data security:

  1. The Center for Internet Security’s (“CIS”) identifies 20 Critical Security Controls (“Controls” or “CSCs”). Organizations should determine which of those 20 controls apply to their environment and implement them. Failure to do so constitutes “a lack of reasonable security.”
  2. Organizations should make multi-factor authentication (as opposed to a simple username-and-password authentication) available on consumer-facing online accounts that contain sensitive personal information, such as online shopping accounts, health care websites and patient portals, and web-based email accounts.
  3. Organizations should consistently use strong encryption to protect personal information on laptops and other portable devices, and should consider it for desktop computers.
  4. Organizations should encourage individuals affected by a breach of Social Security numbers or driver’s license numbers to place a fraud alert on their credit files and make this recommendation prominent in their breach notices.

Perhaps the most important takeaway from these recommendations is that businesses collecting personal data of California residents should familiarize themselves with the CIS’s 20 Controls and ensure that their data security practices implement all those Controls that apply to their environment. Grouped by type of action, these Controls are summarized in the Report as follows:

  1. Count Connections: Know the hardware and software connected to your network. (CSCs 1 and 2).
  2. Configure Securely: Implement key security settings. (CSCs 3 and 11).
  3. Control Users: Limit user and administrator privileges. (CSCs 5 and 14).
  4. Update Continuously: Continuously assess vulnerabilities and patch holes to stay current. (CSC 4).
  5. Protect Key Assets: Secure critical assets and attack vectors. (CSCs 7, 10, and 13).
  6. Implement Defenses: Defend against malware and boundary intrusions. (CSCs 8 and 12).
  7. Block Access: Block vulnerable access points. (CSCs 9, 15, and 18).
  8. Train Staff: Provide security training to employees and vendors with access. (CSC 17).
  9. Monitor Activity: Monitor accounts and network audit logs. (CSCs 6 and 16).
  10. Test and Plan Response: Conduct tests of your defenses and be prepared to respond promptly and effectively to security incidents. (CSCs 19 and 20).

California has been now leading the data security discussion for over a decade. It was the first to enact a data breach notification law, which took effect in 2003, and it continuously updates its data breach statute to address the evolving state of technology and security threats, and to provide for greater privacy protections to its citizens. Many organizations prudently take the highest-common-denominator approach, in effect affording California-level protections to residents of all states. As such, multi-state organizations should closely examine the recommendations contained in the Report. Importantly, at the time when it is not easy to parse through the multitude of data security requirements and best practices, these recommendations provide a defined set of actions that, if properly implemented, may afford a safe harbor to organizations suffering a breach.