Delving Into California’s Data Security Report

Posted by Mark Greisiger

CaliforniaA Q&A with Tanya Forsheit of BakerHostetler

In February California Attorney General Kamala Harris released her state’s data breach report and outlined “reasonable” security measures that companies should employ to avoid enforcement actions. I talked to litigator Tanya Forsheit about the AG’s recommendations and how companies should address them.

What does Attorney General Harris’ office consider “reasonable” data security?
It actually gets fairly complex. Attorney General Harris has outlined a set of controls that were part of the standards that come from the Center for Internet Security (formerly known as the SANS Top 20). There are 20 controls—really, buckets of controls—for the minimum level of information security that the AG maintains all organizations are expected to meet. The 20 buckets include:

    • Inventory of Authorized and Unauthorized Devices
    • Inventory of Authorized and Unauthorized Software
    • Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
    • Continuous Vulnerability Assessment and Remediation
    • Controlled Use of Administrative Privileges
    • Maintenance, Monitoring and Analysis of Audits
    • Email and Web Browser Protection
    • Malware Defenses
    • Limitation and Control of Network Ports, Protocols and Services
    • Data Recovery Capability
    • Secure Configurations for Network Devices such as Firewalls, Routers and Switches
    • Boundary Defense
    • “Data Protection”
    • Controlled Access Based on the Need to Know
    • Wireless Access Control
    • Account Monitoring and Control
    • Security Skills Assessment and Appropriate Training to Fill Gaps
    • Application Software Security
    • Incident Response and Management
    • Penetration Tests and Red Team Exercises

There’s no one-size-fits-all recommendation, and some of these buckets won’t apply to some companies.

There’s also a chart that maps these controls to other standards, such as ISO 27002 and HIPAA, among others. None of these controls will come as a surprise to any organization that is already engaged in best practices with respect to information security. However, each organization will implement different controls associated with their specific level of risk—how much data they’re handling, how they’re handling it, and so forth. There’s no one-size-fits-all recommendation, and some of these buckets won’t apply to some companies.

Do you think the emphasis on the minimal number of safeguard controls that must be in place is too simplistic? Might a plaintiff lawyer argue that “reasonable” will, as you suggest, depend on the size and scope of the organization?

I do think it’s a bit of an oversimplification to say 20 controls, but at the same time each bucket has flexibility within it. I would expect to actually see a defense lawyer using the “reasonable” argument and would expect to see a plaintiff lawyer construing this as a one-size-fits-all recommendation, but then I am a bit biased toward defense lawyers. This is not a legal test yet, and certainly plaintiffs might look at this and try to convince the court that it is one. Either way, this is one of the most specific articulations we have seen from a regulator in terms of a security standard and we can expect that other states will piggy back on it.

Would having these controls in place provide safe harbor for a company?

No, you are not immune if you claim to have all of these controls in place because they are flexible. In reality, you might not have the level of encryption or training to be truly effective. Certainly being able to demonstrate that you have been implementing the controls helps, but just saying it on paper is not enough.

Might the ability to document these reasonable practices help a company in court in a post-breach defense?

Absolutely. That documentation and the ability to demonstrate the effectiveness of the controls can certainly be valuable for legal defensibility.

What else should companies be doing to respond to this guidance?

I would say that companies should especially focus on the training issue as well as considering two-factor authentication for consumer accounts.

For most organizations, it doesn’t really change much of what they’re probably already doing. However, it does give us more certainty about the AG’s expectations and what we can expect from other states eventually. It’s really a guide to help promote collaboration and cooperation between AGs and companies.

In summary…

We would like to thank Tanya, a regular speaker at NetDiligence conferences and an expert on a slew of security/privacy legal topics. We think it’s important to underscore that implementing this list of 20 safeguards is no walk in the park. It appears a modest list on the surface, but to Tanya’s point it’s actually a complex and granular undertaking. For example, there could be dozens of sub-steps to implementing and satisfying each of these 20 high-level controls. We hope clients will proceed with caution.