BreachExchange mailing list archives
Are California’s New Data Security Standards a Recipe for Liability?
From: audrey () riskbasedsecurity com (Audrey McNeil)
Date: Tue, 12 Apr 2016 17:30:56 -0600
http://blogs.wsj.com/law/2016/04/12/are-californias-new-data-security-standards-a-recipe-for-liability/

An effective shield against cyber-attacks or a recipe for lawsuits? Those are two ways of looking at new data security standards endorsed by the California attorney general’s office.

California law requires businesses to use “reasonable security procedures and practices…to protect personal information from unauthorized access, destruction, use, modification, or disclosure.” California Attorney General Kamala Harris defined “reasonable security” in a February report that analyzes recent data breaches and makes policy recommendations.

Companies operating in the state that collect or maintain personal information should at a minimum follow a set of security guidelines known as “Critical Security Controls,” the report says. The guidelines were developed several years ago by a consortium of cybersecurity experts and are licensed for commercial use by the Center for Internet Security, a non-profit group outside of Albany, N.Y.

The guidelines consist of 20 “controls,” or recommended practices, and more than 100 “sub-controls.” One sub-control, for example, advises companies to deploy two separate browser configurations to each system: one that disables the use of all plugins and the other allowing for more browser functionality on approved sites.

“A failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security,” the attorney general’s report says. The report doesn’t make precisely clear how “an organization’s environment” is defined.

Theodore F. Claypoole, a data privacy lawyer at Womble Carlyle Sandridge & Rice LLP in North Carolina, says the CIS guidelines are an “excellent tool,” but one he fears will become a hammer wielded by plaintiffs’ lawyers.

A client alert he co-authored titled “Cyber Security IMPOSSIBLE” is blunt with its criticism:

"It is not hard to see how the plaintiffs’ bar will use this report. If a breach occurs for failure to implement a control that did not seem necessary, cost justified, or not of high enough priority to implement at the time, then that measure will be judged, in hindsight, to be one that applied to the “organization’s environment” and should have been in place. Liability is thereby established.

"When standards are set too high to be practical, we know that affected parties will ignore them and be worse off (and their customers worse off) than if the standards had been workable and efficient. That is exactly what the California AG risks here. . ."

Law Blog has reached out to the California attorney general’s office for comment.

Brian de Vallance, CIS’s vice president for policy and outreach, says the guidelines aren’t one-size-fits-all. “We’re not saying do all 20 if you’re a mom-and-pop operation,” he told Law Blog. “It’s less onerous than it sounds.”

The attorney general’s report suggests much the same. “The controls are intended to apply to organizations of all sizes and are designed to be implementable and scalable,” it states.