California Attorney General Interprets “Reasonable” Data Security

King & Spalding

On February 16, 2016, California Attorney General Kamala Harris released guidance defining the minimum level of data security measures organizations should enact to comply with state laws governing the protection of personal information.  The guidance was part of the Attorney General’s report finding that there had been 657 reported breaches across all industries from 2012-2015 affecting over 49 million records of California residents.  Malware and hacking incidents accounted for more than half of the breaches, and the physical loss of unencrypted data was the second most common type of incident.  The Attorney General concluded that many of these incidents could have been prevented if organizations had taken reasonable security measures. 

California requires all businesses that collect personal information on California residents to use “reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”  In the newly released report, the California Attorney General interprets for the first time what “reasonable” data security means under that requirement.  To establish a “minimum level of information security,” the Attorney General recommends that all organizations that collect or maintain personal information adopt the Center for Internet Security’s Critical Security Controls.  The Center for Internet Security recommends 20 controls, many of which will be familiar to organizations, including maintaining an inventory of authorized devices, deploying malware defenses, and establishing access controls.  The Attorney General cautions that “[t]he failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”

Though phrased as “recommendations,” we would expect the California Attorney General to rely on these recommendations in determining whether to pursue an enforcement action.  California has been a leader in data privacy, and the Attorney General’s report could influence other states that have not yet interpreted “reasonableness.”

In addition to these controls, the Attorney General recommends using multifactor authentication both for internal access to critical systems and data and for external consumer-facing online accounts, such as shopping accounts or health care websites.  The Attorney General strongly recommends encrypting data in transit, particularly for the health care industry, which has experienced a higher rate of physical loss of data than other sectors.  The Attorney General highlights the loss of unencrypted data by the health care sector as the “most striking[] and most disturbing” because health care organizations handle the most sensitive types of personal information, including Social Security numbers and medical information.

Finally, California requires organizations to send data breach notification letters to individuals affected by a breach.  The Attorney General recommends that organizations display prominently in those letters information about how individuals can place a fraud alert on their credit files, and that they encourage individuals to do so.

Reporter, Kerianne Tobitsch, New York, NY, +1 212 556 2310, ktobitsch@kslaw.com
