For the first time, “Reasonable Security” was defined by a legal authority when California Attorney General Kamala Harris released a document entitled “The California Data Breach Report, February 2016.” Before this document was released, it was my position that “reasonable procedures” for security were proportional to the data being secured and the size of an organization. It was my belief that a website selling custom T-shirts had a lower bar to security than a Fortune 500 company. Having now read this report, there is no proportionality to the level of security among e-commerce sites, all of which will be held by California (and certainly many other states) to the same level of “Reasonable Security”.
Certainly, I agreed that customer data needed strict security. Previously, I would have said that a website selling customized T-shirts needed to encrypt any customer data and have a professional firewall in place. However, California has made no attempt to relate cyber defense in proportion to the data held or a company’s size. Below are excerpts from the report, and a list of the Critical Security Controls for Effective Cyber Defense.
“Securing data is challenging, with technology evolving rapidly, business practices relying increasingly on the collection and use of personal information, and sophisticated cyber criminals waging an escalating battle. Yet securing information is the ethical and legal responsibility of the organizations with which individuals entrust their personal information. The legal obligations to secure personal information include an expanding set of laws, regulations, enforcement actions, common law duties, contracts, and self-regulatory regimes. California’s information security statute requires businesses to use “reasonable security procedures and practices…to protect personal information from unauthorized access, destruction, use, modification, or disclosure.” Federal laws, including the Gramm-Leach-Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), contain general security requirements for the financial services and healthcare industries. Authoritative security standards describe the measures that organizations should take to achieve an appropriate standard of care for personal information.”
“The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
(Just so I am clear: by stating that not having these 20 controls in place constitutes a lack of reasonable security, your site just became liable for a huge fine. Further, never forget, if it is not in writing it didn’t happen. You will need to keep records of all your actions and training.)
“Formerly known as the SANS Top 20, the Controls are now managed by the Center for Internet Security (CIS), a non-profit organization that promotes cybersecurity readiness and response by identifying, developing, and validating best practices. The Controls were originally developed by federal agencies in 2008 and since then have been the product of a public-private partnership that includes cyber security experts from government and the private sector in the U.S., as well as around the world.”
“The CIS Critical Security Controls for Effective Cyber Defense”
CSC 1 Inventory of Authorized and Unauthorized Devices
CSC 2 Inventory of Authorized and Unauthorized Software
CSC 3 Secure Configurations for Hardware and Software on Mobile Devices, Laptops, Workstations and Servers
CSC 4 Continuous Vulnerability Assessment and Remediation
CSC 5 Controlled Use of Administrative Privileges
CSC 6 Maintenance, Monitoring, and Analysis of Audit Logs
CSC 7 Email and Web Browser Protection
CSC 8 Malware Defenses
CSC 9 Limitation and Control of Network Ports, Protocols, and Services
CSC 10 Data Recovery Capability
CSC 11 Secure Configurations for Network Devices such as Firewalls, Routers, and Switches
CSC 12 Boundary Defense
CSC 13 Data Protection
CSC 14 Controlled Access Based on the Need to Know
CSC 15 Wireless Access Control
CSC 16 Account Monitoring and Control
CSC 17 Security Skills Assessment and Appropriate Training to Fill Gaps
CSC 18 Application Software Security
CSC 19 Incident Response and Management
CSC 20 Penetration Tests and Red Team Exercises
If you would like to review the entire report, it can be found here: https://oag.ca.gov/breachreport2016
Please feel free to call me to discuss the implications of this report for your specific websites.