Data Breach Risks Exist Even Without a Website and Need “Reasonable Security”

In my last blog post, I discussed that “Reasonable Security” was now defined by a legal authority when California Attorney General, Kamala Harris, released a document entitled “The California Data Breach Report February, 2016. In that post, I focused on E-Commerce sites being hacked by bad actors on the Internet.

Today I want to discuss the risks all businesses or agencies face for any Personally Identifiable Data that is kept on their premises; whether on servers, laptops or phones; and whether connected to the Internet or not.

Data Breaches often occur because employees are not well trained in how to protect data, and that is much of what California has defined in their “Reasonable Security” Report. Further, while this is the California standard, all states now have Data Breach laws, and they will probably use this definition if you have a data breach.

Consider these areas of Data Breach occurrences, and how they can happen to you:
1. A lost or stolen lap top;
2. A lost or stolen thumb drive;
3. An untrained employee falls prey to a phishing scheme; or
4. A former or current disgruntled employee releasing data to harm their employer.

The legal obligations to secure personal information include an expanding set of laws, regulations, enforcement actions, common law duties, contracts, and self-regulatory regimes. California’s information security statute requires businesses to use “reasonable security procedures and practices…to protect personal information from unauthorized, access, destruction, use, modification, or disclosure.” Federal laws, including the Gramm Leach Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), contain general security requirements for the financial services and healthcare industries. Authoritative security standards describe the measures that organizations should take to achieve an appropriate standard of care for personal information.”

“Recommendation 1:
The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”

(Just so I am clear, by stating that not having these 20 controls in place constitutes a lack of reasonable security, your site just became liable for a huge fine from every state’s Attorney General who has a citizen on the data breach list and to whom you must report the data breach. Further, you will be required to report the data breach to the FTC. Even if you are not fined, you will spend thousands of dollars in legal fees and I.T. consulting if you have a Data Breach. Further, never forget, if it is not in writing it didn’t happen. You will need to keep records of all your actions and training to comply with the definition of Reasonable Security.)

“Formerly known as the SANS Top 20, the Controls are now managed by the Center for Internet Security (CIS), a non-profit organization that promotes cyber security readiness and response by identifying, developing, and validating best practices. The Controls were originally developed by federal agencies in 2008 and since then have been the product of a public-private partnership that includes cyber security experts from government and the private sector in the U.S., as well as around the world.

“The CIS Critical Security Controls for Effective Cyber Defense”
CSC 1 Inventory of Authorized and Unauthorized Devices
CSC 2 Inventory of Authorized and Unauthorized Software
CSC 3 Secure configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
CSC 4 Continuous Vulnerability Assessment and Remediation
CSC 5 Controlled Use of Administrative Privileges
CSC 6 Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7 Email and Web Browser Protection
CSC 8 Malware Defenses
CSC 9 Limitation and Control of Network Ports, Protocols, and Services
CSC 10 Data Recovery Capability
CSC 11 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12 Boundary Defense
CSC 13 Data Protection
CSC 14 Controlled Access Based on the Need to Know
CSC 15 Wireless Access Control
CSC 16 Account monitoring and Control
CSC 17 Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18 Application Software Security
CSC 19 Incident Response and Management
CSC 20 Penetration Tests and Red Team Exercises

If you would like to review the entire report it can be found here:

Please feel free to call me to discuss the implications of this report to your specific websites.