Analysis: Calif. AG Report on Adopting Security Controls
Could Failure to Embrace 20 Critical Controls Pose Legal Threat to Enterprises?
A new report from California's attorney general says failure to implement the 20 critical security controls that define a minimum level of information security constitutes a lack of "reasonable security."
So, could failure to adopt these or similar controls pose a legal threat to organizations? Perhaps, under certain circumstances.
"The attorney general issuing guidance, by itself, doesn't set a legally binding duty on a company, but it certainly is indicative of what the AG thinks, and would likely be cited by the AG in cases the AG brought regarding data security," says privacy and data security attorney Andrew Serwin of the law firm Morrison & Foerster.
The controls California Attorney General Kamala Harris cited were developed seven years ago as the Consensus Audit Guidelines by a consortium of public-private IT security experts under the auspices of the think tank Center for Strategic and International Studies and the SANS Institute. The 20 critical security controls - now managed by the not-for-profit Center for Internet Security - are a prioritized list of specific and actionable steps aimed at mitigating the most pervasive and dangerous cyberattacks (see Public/Private Group Creates Plan to Protect Critical Infrastructures).
Complying with the Law
Harris didn't explicitly say the recommendations in the report had the force of law, but she suggested that following them would be what the law encourages. "This report clearly articulates basic steps that businesses and organizations must take to comply with the law, reduce data breaches and better protect the public and our national security," Harris said in a statement issued with the report.
The report also recommends organizations adopt multifactor authentication on consumer-facing online accounts and use strong encryption on laptops and mobile devices to protect individual privacy, "a particular imperative for healthcare, which appears to be lagging behind other sectors in this regard."
The attorney general said many breaches reported to her office "could have been prevented by taking reasonable security measures, and an organization that voluntarily chooses to collect and retain personal information takes on a legal obligation to adopt appropriate security controls."
California's Influence on InfoSec
What California does regarding enforcing data privacy and online privacy laws matters beyond its borders. It is the nation's most populous state, and many national businesses operate or are based there. California is a trend leader in IT security law; in 2002, it became the first state to enact a data breach notification law.
"California has been the state to watch, and many other states have taken lessons from California's pronouncements and issuances and have mimicked those pronouncements," says privacy and cybersecurity lawyer Lisa Sotto of the law firm Hunton & Williams. "It's absolutely a state that is ahead of the curve on data privacy and data security issues. We have to sit up and take notice when the California AG makes this sort of a statement."
Sotto characterizes Harris' pronouncement as warranting significant attention. "We now understand where she thinks the bar is set, and she, presumably, will be initiating investigations against companies that fall below that bar," Sotto says.
The California AG's report points out that the legal obligation to secure information is contained in an expanding set of laws, regulations, enforcement actions, common law duties, contracts and self-regulatory regimes. California has an information security statute that requires all businesses that collect personal information on California residents to use "reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification or disclosure."
Detecting Breaches Rapidly
A review of 658 data breaches over the past four years by the California attorney general suggests that many could have been prevented or at least detected and corrected more rapidly had the basic security measures in the controls been implemented.
Harris and other legal experts are not saying that organizations must adopt the 20 critical security controls. Yet, when determining damages in a lawsuit, jurors and judges who have reviewed expert testimony could deem a failure to adopt them as a failure to take proper steps to safeguard protected personal information. After all, in determining damages, a court could hold an organization liable if it does not follow standard industry practices.
"What one expert would say is reasonable isn't always agreed upon, and can also depend upon the sensitivity of the information, the damage to consumers, if any, and other factors," Serwin says.