California setting the cybersecurity standard
Posted on 05/31/2016 at 01:25 PM by John Lande
California has been a leader on developing cybersecurity standards for businesses. California was the first state to implement a data breach notice statute, and has been working to develop best practices for protecting consumer data.
As a result of its data breach statute, California has been able to collect a lot of data on data breaches that affect California residents. The California Attorney General recently released its 2016 report that provides data on data breaches affecting California residents. California analyzed 657 data breach notices from 2012 to 2015. The analysis revealed:
- Malware and hacking present the greatest threat, both in the number of breaches (malware and hacking accounted for 54% of breaches) and the number of records breached (malware and hacking accounted for 90% of records breached).
- Malware and hacking are a growing problem compared to other types of breach, increasing by 22% in the past four years, from 45% of breaches in 2012 to 58% in 2015.
- Six breaches of more than one million records were all malware or hacking related.
- The retail sector in particular struggles with malware and hacking, which comprises 90% of all retailer breaches.
- After the retail sector, the largest source of breaches was the financial services sector.
- Unlike the retail sector, breaches in the financial sector occurred most often because of employees and insiders. Many of the breaches were the result of unintentional errors like downloading malware, and abuse of privileges. This blog has previously covered how bank employees can be the source of breaches, and may even jeopardize insurance coverage.
The report also states the California Attorney General’s decision to adopt the Center for Internet Security’s (“CIS’s”) Critical Security Controls as a minimum standard to protect data in California. California law requires businesses to maintain “reasonable security procedures and practices” to protect information of California consumers. Businesses and banks that fail to follow the CIS standards will be liable under California law for violating California’s data protection statute.
The California Attorney General prepared a summary table of the recommended security controls with cross-references to CIS procedure number:
|Count Connections Know the hardware and software connected to your network. (CSC 1, CSC 2)|
|Configure Securely Implement key security settings. (CSC 3, CSC 11)|
|Control Users Limit user and administrator privileges. (CSC 5, CSC 14)|
|Update Continuously Continuously assess vulnerabilities and patch holes to stay current. (CSC 4)|
|Protect Key Assets Secure critical assets and attack vectors. (CSC 7, CSC 10, CSC 13)|
|Implement Defenses Defend against malware and boundary intrusions. (CSC 8, CSC 12)|
|Block Access Block vulnerable access points. (CSC 9, CSC 15, CSC 18)|
|Train Staff Provide security training to employees and vendors with access. (CSC 17)|
|Monitor Activity Monitor accounts and network audit logs. (CSC 6, CSC 16)|
|Test and Plan Response Conduct tests of your defenses and be prepared to respond promptly and effectively to security incidents. (CSC 19, CSC 20)|
The rest of the country has a tendency to follow California’s lead. After California passed its data breach statute almost every other state passed one as well. Even though the California data security standards will only apply in California, other states will likely observe California’s experience and adopt similar standards.
Many of the California data security standards are mirrored by federal standards. In fact, the California report even contains a table cross-referencing the CIS standards with other standards from NIST and the FFIEC. All businesses should be aware of California’s data security standards because they are likely examples of standards that will come to every state.
- John Lande
The material in this blog is not intended, nor should it be construed or relied upon, as legal advice. Please consult with an attorney if specific legal information is needed.
Questions, Contact us today.
The material, whether written or oral (including videos) that is posted on the various blogs of Dickinson Law is not intended, nor should it be construed or relied upon, as legal advice. The opinions expressed in the various blog posting are those of the individual author, they may not reflect the opinions of the firm. Your use of the Dickinson Law blog postings does NOT create an attorney-client relationship between you and Dickinson, Mackaman, Tyler & Hagen, P.C. or any of its attorneys. If specific legal information is needed, please retain and consult with an attorney of your own selection.