Editor’s Note: This is the second in a continuing end-of-year series. Stay tuned for our next installment, discussing HIPAA compliance.
In the patchwork of state and federal law regulating the use and maintenance of personal confidential information, states play a significant role and can often be the most important regulator and law enforcement authority. Recent events have signaled changes in how states interpret and enforce their data privacy standards — and thus how the baseline for understanding what is protected, and what is expected of businesses, might be changing. California, which has been at the forefront of the development of state data privacy laws, remains an important bellwether.
In that respect, a significant development is California AG Kamala Harris’s release of a comprehensive data breach report in early 2016, to significant fanfare. The report included guidance on minimum privacy and security standards — which the report deemed a compliance “floor” — for custody of personal information by any entity in California collecting such information. The Attorney General’s first recommendation was drawn from the Center for Internet Security’s (“CIS”) Critical Security Controls. AG Harris’s report determined that the 20 CIS controls “define a minimum level of information security that all organizations that collect or maintain personal information should meet.” As understood by AG Harris and the industry at large, CIS Critical Security Controls are a concise, prioritized set of cyber practices created to stop today’s most pervasive and dangerous cyber attacks. CIS itself touts the baseline effectiveness of its standards. According to CIS, organizations that apply just the first 5 CIS controls can reduce their risk of cyberattack by around 85%; and implementing all 20 controls increases the risk reduction to around 94%.
Attorney General Harris did not simply suggest the CIS controls as a viable data security apparatus for California entities collecting and retaining information. Significantly, she instead presented the controls as sub-regulatory guidance. She noted that “the failure to implement the controls that apply to an organization’s environment constitutes a lack of reasonable security” (emphasis added). Those words carry legal heft. California Civil Code § 1798.81.5 requires all businesses that collect personal information on California residents to use “reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification or disclosure” (emphasis added). In her report, Attorney General Harris signaled that California businesses must now comply with the CIS controls, or risk an enforcement action or lawsuit under § 1798.81.5. (To date, the California Attorney General’s Office has not sued an entity for failure to comply with the CIS controls.)
California’s incorporation of a national institute’s recommended standards as a baseline for data security measures potentially opens the door for other state Attorneys General to follow suit. If more states adopt, for example, CIS standards, that could encourage the creation of a harmonized network of state data privacy and security standards, where business expectations might differ little from state to state. At least six other states (Florida, Utah, Arkansas, Nevada, Maryland and Rhode Island) have adopted statutes requiring entities that collect and retain personal information from consumers to employ reasonable procedures or reasonable security measures to protect such information. That said, there is as yet no case law in these states directing what types of measures satisfy this “reasonability mandate,” and little in the form of guidance from the Attorneys General of the respective states. 2017 might begin to flesh out the legal meaning of these concepts.
Business entities working across state lines would benefit from a more concrete and consistent definition of “reasonable procedures.” Currently, such business entities must speculate as to what “reasonable” means in any given state, and develop data privacy protections accordingly. This could lead to uncertainty and even confusion if businesses determine that those standards differ greatly across state lines. Reliance on uniform national standards would be a prudent, but not necessarily sufficient, way for businesses to satisfy the unstated requirements of these statutes. That will remain so until state Attorneys General illuminate a common path to compliance.
Anticipating this future, Attorney General Harris explicitly called for adoption of some uniform standards in her 2016 report. A key recommendation in her report was that state policy makers (including state Attorneys General) should collaborate in seeking to harmonize state breach laws on some key dimensions. According to Attorney General Harris, such an effort could preserve innovation, maintain consumer protections, and retain jurisdictional expertise. A result of a collaborative effort to harmonize state breach laws would be to “minimize the number of patches” in the patchwork of state laws and give businesses a clearer path to compliance. The CIS Controls provide a functional platform for harmonization. Indeed, the National Governors Association lauded the Controls as far back as 2013. The Association’s recommendation advises states to “turn to the Critical Security Controls for a baseline of effective cybersecurity practices” and states that the controls “provide states with a security framework that can strengthen their cyber defenses and ultimately protect information, infrastructure, and critical assets.” While California is the first state to incorporate the CIS controls into formal guidance, continued calls for uniformity and standardization in state data privacy requirements indicate more states are likely to follow.