“California Attorney General Endorses the Center for Internet Security’s (CIS) Critical Security Controls as the ‘Minimum Level’ of ‘Reasonable Security’ Measures”
Safe and Sound 03/07/16 By Jennifer L. Rathburn and Samuel A. Magnuson
In mid-February, the California Attorney General Kamala D. Harris released a Data Breach Report1 analyzing the 657 data breaches that have been reported to her office since 2012. That was the year California began requiring businesses and government agencies to notify the Attorney General’s Office of breaches affecting more than 500 California residents. In addition to summarizing the impact of these data breaches, the Report is significant because the Attorney General recommends the Center for Internet Security’s Critical Security Controls (CIS Controls) as the baseline for implementing “reasonable security” measures under California law.2 In fact, the Attorney General states in the Report that “failure to implement all the [CIS] Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
The CIS Controls, formerly know as the SANS Top 20, are a list of 20 security measures built from attack data that are intended to prevent and mitigate against cyber attacks and other types of data breaches.3 The CIS Controls have been highlighted by various agencies and organizations as an important toolkit for data protection. For example, the National Institute of Standards and Technology (NIST) cited the CIS Controls as one of its “informative references” in preparing its 2014 NIST “Framework for Improving Critical Infrastructure Cybersecurity.”4 For businesses and organizations collecting data of California residents, the Attorney General’s message is loud and clear: Implement the applicable CIS Controls.
Also, the fact that the Attorney General is using the CIS Controls as the baseline for “reasonable security” measures under California law may have an impact on organizations nation-wide. Why? California was the first state to enact a state data breach notification law back in 2003, and since then 47 states and the District of Columbia have followed suit. So, it seems likely that other states may adopt the California Attorney General’s recommendation that the implementation of the CIS Controls should be the baseline for security measures that an organization must implement to protect personal data.
Also of note, the Attorney General indicates in the Report that implementation of certain CIS Controls would have prevented many of the “physical” data breaches in the health care sector that resulted from the theft or loss of laptops and other devices containing unencrypted data. Therefore, the Attorney General specifically encourages health care organizations to use “strong encryption” on laptops and other portable devices, as these organizations are “particularly vulnerable” to physical breaches of personal information, such as patient medical records. According to the Report, while the numbers in California have improved since 2012, the health care sector is still “lagging behind” other sectors in encrypting data to prevent breaches due to the theft or loss of electronic devices.
2 Under California law, businesses that collect personal information of California residents must use “reasonable security procedures and practices” to protect that information. SeeCal. Civ. Code § 1798.81.5(b).