Data Security is a Legal Obligation: Lessons from the California Data Breach Report
With an average of 15 data breaches per week, data security frequently tops headlines. California has led from the front by passing laws to protect consumer data, as it was the first state to pass and implement a breach notification law. Not only has California’s legislature taken data security seriously, but the state’s executive branch has also taken a proactive role. California’s Department of Justice includes a Privacy Enforcement and Protection Unit dedicated to enforcing privacy laws, and its Attorney General is leading the charge.
Last week, California Attorney General Kamala Harris released the California Data Breach Report, analyzing breaches reported to the California Attorney General (“AG”) from 2012-2015. The Report highlighted data breach trends and vulnerabilities, and it also emphasized recommendations for businesses that collect and retain personal information.
In the four-year period examined, nearly 50 million records of Californians had been breached, and the AG noted that the “majority of these breaches resulted from security failures.” She also observed that industry could do more, since nearly all of the exploited vulnerabilities were compromised more than a year after a patch for them was publicly available. Malware and hacking were the leading cause of breaches, followed by theft or loss of unencrypted data, breaches caused by human error (e.g. misdelivery of email), and breaches caused by intentional misdeeds by insiders. The Report found that sensitive personal information was the biggest target of breaches, and it predicted that the theft of payment card data will decline as more retailers adopt chip-enabled payment cards. The retail industry was the top target of breaches in California, but the Report also emphasized that small businesses are vulnerable to breaches.
The AG made the following recommendations to industry:
Reasonable Security
The AG emphasized that “California’s information security statute requires businesses to use ‘reasonable security procedures and practices . . . to protect personal information from unauthorized access, destruction, use, modification, or disclosure.’” (emphasis added).
Importantly, the AG opined on the minimum level of reasonable security, stating:
The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.
Multi-Factor Authentication
The Report recommended that all organizations use multi-factor authentication to help protect critical systems and sensitive data. The AG further called for businesses to make multi-factor authentication available on consumer-facing online accounts that contain sensitive personal information. The AG’s recommendations are in line with President Obama’s recent announcement of a new National Cybersecurity Awareness Campaign that will similarly emphasize the importance of multi-factor authentication.
Encryption of Data in Transit
The Report stressed the need for strong encryption for laptops and other portable devices. The AG advised businesses to also consider the use of encryption for desktop computers. The call to action is particularly strong for the health care industry, which the AG noted is lagging behind in information security.
The Importance of Fraud Alerts
For companies that experience data breaches, the AG recommended that breach notices to affected individuals contain a prominent notice alerting consumers to the availability of credit file fraud alerts. Observing that such warnings are often buried in breach notices, the AG urged that they be displayed prominently. The AG also observed that California law requires organizations to offer identity theft prevention and mitigation services where breaches involve Social Security numbers or driver’s license numbers.
Criticism of Proposed Federal Breach Notification Statute
The AG observed that, in practice, California’s data breach notification statute protects consumers nationwide, because where consumers from multiple states are affected by a breach, California’s “highest standard tends to prevail” in breach notification compliance. The Report then criticized current efforts to pass a federal breach notification statute, observing that the proposed federal law would lower protections for consumers, as current drafts fall short of California’s standards. In response to the common complaint from businesses about having to comply with a “patchwork” of breach notification laws, she urged state policy makers to work together to harmonize the laws and simplify compliance.
If you collect or retain any personal information about California residents, you should carefully consider the recommendations in this Report. Indeed, the Report purports to delineate minimum information security requirements and emphasizes that failure to implement them constitutes a violation of California law. Given the continued emphasis on enforcement of privacy laws in California, businesses should assess their information security practices against these requirements.