What are "reasonable" information security practices?
On February 16, 2016, the California Attorney General released its "California Data Breach Report 2012-2015" (a copy of the Report is hosted on Mega.nz). Surprisingly, there hasn't been much discussion about the recommendations in the Report. Under California law,
"[a] business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure."
California Civil Code § 1798.81.5 (b) (emphasis added). However, what qualifies as "reasonable security procedures and practices" was amorphous. The first recommendation in the Report would establish a "minimum standard of care" concerning a business's information security practices. Report at p. 27. It states:
The 20 controls in the Center for Internet Security's Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all of the Controls that apply to an organization's environment constitutes a lack of reasonable security.
Report at p. 30. While this is a recommendation and not law, businesses should take heed of the Attorney General's announcement because some recommendations have become law and the AG's office investigates data breaches.
Thus, businesses that hold personal information about California residents should confirm that their information security practices, at a minimum, encompass the 20 controls. Going forward, if a business's security practices do not meet the 20 controls and it suffers a data breach, the AG's default position will likely be that the business failed to implement "reasonable security procedures and practices."