In February, California Attorney General Kamala Harris released a report analyzing 657 data breaches that were reported to the attorney general's office from 2012 to 2015. The report contains numerous findings, ranging from the causes of the reported data breaches to the types of data impacted. The attorney general found that the majority of reported data breach incidents resulted from security failures, and that a significant portion of the breaches "were the result of exploitation of known vulnerabilities for which there are known controls." In an effort to reduce what the attorney general views as preventable data breaches, the report identifies a specific set of controls (the Center for Internet Security's Critical Security Controls) as a minimum level of security and warns that the failure to implement the controls that apply to an organization's environment constitutes a lack of reasonable security. This is the first time the attorney general or any other California privacy regulator has stated which data security measures are necessary to comply with California's data protection law.

AG’s “Minimum Level” Requirement

Since 2004, California law has required organizations that collect personal information on California residents to implement reasonable security procedures and practices to protect that information. Although the requirement has been in place for more than a decade, California courts and regulators have yet to define what constitutes reasonable security procedures and practices. With no California case law or regulatory guidance to look to, organizations had, before the report, to rely on materials from outside the state, such as Federal Trade Commission reports and enforcement actions, for guidance on how to implement a compliant data security program. The report therefore represents a significant development for organizations that collect and maintain personal information on California residents.