Gregory Silberman, David Schecter and Jessica Sawyer

In February, California Attorney General Kamala Harris released a report analyzing 657 data breaches that were reported to the attorney general’s office from 2012 to 2015. The report contains numerous findings ranging from the causes of the reported data breaches to the types of data impacted. The attorney general found that the majority of reported data breach incidents resulted from security failures, and that a significant portion of the breaches “were the result of exploitation of known vulnerabilities for which there are known controls.” In an effort to reduce what the attorney general views as preventable data breaches, the report warns that the failure to implement specific controls constitutes a lack of reasonable security. This is the first time the attorney general or any California privacy regulator has suggested what data security measures are necessary to comply with California’s data protection law.

AG’s “Minimum Level” Requirement

Since 2004, California law has required organizations that collect personal information on California residents to implement reasonable security procedures and practices to protect the information. Although this requirement has been in place for more than a decade, California courts and regulators have yet to define what constitutes reasonable security procedures and practices. Unable to look to case law or regulators, organizations prior to the report had to consult materials from outside of California, such as Federal Trade Commission reports and enforcement actions, for guidance on how to implement a compliant data security program. The report therefore represents a significant development for organizations that collect and maintain personal information on California residents.

As explained in the report, the attorney general selects the Center for Internet Security’s Critical Security Controls as the “minimum level of information security that all organizations that collect or maintain personal information should meet.” Formerly known as the SANS Top 20, the controls were created by a group of experts—including the National Security Agency, the U.S. Department of Energy, law enforcement organizations and top forensics and incident response organizations—for the purpose of stopping known cyberattacks. The controls generally teach organizations to take an inventory of authorized hardware and software, secure network configurations, continuously assess vulnerability, maintain and monitor audit logs, limit the use of administrator privileges, install firewalls and other defenses and train employees to detect attacks. Critically, the attorney general warns that the “failure to implement all the [c]ontrols that apply to an organization’s environment constitutes a lack of reasonable security.”

The Impact of the Report Is Uncertain

Importantly, the attorney general did not state that a data security program that incorporates all of the controls is per se reasonable. Rather, the report explains that the controls act as a “starting point of a comprehensive program to provide reasonable security.” Thus, the report does not provide assurances that implementation of the controls will shield an organization from California Department of Justice enforcement actions and private litigation. Nor does the report provide conclusive guidance for small to mid-size businesses with greater budgetary constraints than large organizations. The report briefly addresses this issue by explaining that the controls are intended to apply to organizations of all sizes and that small businesses can adopt “subcontrols that fit the size, complexity, and criticality of their systems.” But the report does not provide a framework to assist the small business owner faced with the difficult decision of how to implement a legally compliant data security program that is also economically feasible.

While the report provides at least some guidance to organizations on how to implement a compliant data security program, there is significant uncertainty as to how the report will be viewed by the courts. The attorney general could have issued her recommendations in a formal opinion. California courts generally give great weight to formal attorney general opinions, but there is a lack of commentary or court decisions on the appropriate degree of deference, if any, to give to an attorney general report. The reported decisions that address this issue indicate that a lower degree of deference is appropriate. The degree of deference that courts provide to this report is thus an open question.

Regardless of the degree of deference given, the California Department of Justice and private plaintiffs will likely use the report’s recommendations to prove that a defendant organization that did not implement the controls violated California’s data protection law. In particular, we expect the California Department of Justice and private plaintiffs, at a minimum, to use the report to challenge those responsible for creating and administering an organization’s data security program on their knowledge and implementation of the controls, and we speculate that a central issue in the battle between experts on both sides will be the organization’s implementation of the controls. Therefore, organizations that do not incorporate all of the controls into their data security program may face potential litigation risk.

Another area of uncertainty is how the report will impact organizations engaged in the transfer of personal information. The data protection law requires organizations that disclose personal information to third parties that are otherwise exempt from the law to require by contract that the third party implement and maintain reasonable security measures. The law exempts various types of organizations, such as health care providers regulated by the Confidentiality of Medical Information Act, financial institutions subject to the California Financial Information Privacy Act, and covered entities governed by the medical privacy and security rules issued by the U.S. Department of Health and Human Services. Exempt organizations that receive personal information from non-exempt organizations may now be required to certify implementation of the controls as a precondition for their receipt of sensitive information from non-exempt organizations.

Greater Clarity Is Needed

By recommending adoption of the controls as the minimum for compliant data security programs, the attorney general has provided some meaningful guidance to large organizations with regard to the California Department of Justice’s interpretation of California’s data protection law. It is still unclear, however, whether the attorney general really believes a small to mid-size business must implement all of the controls regardless of whether doing so would be economically infeasible, or if some proportional subset of the controls would be sufficient. Moreover, it remains to be seen whether the attorney general’s recommendations, issued in an informal report rather than a formal opinion, will have a significant impact on privacy law in California and elsewhere. One thing is clear: The recommendations set forth in the report have defined IT security standards that companies doing business in California should carefully consider.