OAKLAND, Calif. (Legal Newsline) - Businesses and government have always had a shared obligation to protect consumers from cyber attacks and breaches of personal data, but California Attorney General Kamala Harris took the issue a step further recently by outlining what level of electronic security is reasonable for a business to take.
Attorney Thomas Smedinghoff, who specializes in information law and employers’ electronic activities, told Legal Newsline that what California is trying to do is to put some concrete guidelines forward on what constitutes reasonable security.
“If you’re not at least doing that, you’re not doing the minimum necessary for security,” Smedinghoff said.
He added that while California’s announcement doesn’t constitute a statute, failure to comply with it could trigger an enforcement action after a data breach.
Harris’ announcement last month coincided with the release of a comprehensive report about security breaches reported to her office over the past four years. The report contains 20 points businesses should address in order to protect customer data. These include taking inventory of authorized and unauthorized electronic devices and ensuring controlled use of administrative privileges, as well as email and Internet browser protection, penetration tests and malware defenses.
Smedinghoff, who works for Locke Lord LLP in Chicago, noted that companies that do not follow these guidelines in the future could have a tougher time defending themselves against class action lawsuits brought by customers in the wake of privacy breaches. A business that falls short of the guidelines could therefore be more exposed to legal claims, though the state has not specifically said it will go after businesses that lack minimum security standards.
How costly it may be for California businesses to implement the minimum level of cyber security will vary, Smedinghoff explained, because different types of businesses collect different types of data. But he did emphasize that businesses need to make data security a priority now.
“Laws and courts and regulators are saying you better start to focus on this,” he said.
To comply with the new California standards, businesses need to perform a risk assessment and then develop a security program that addresses those risks.
Smedinghoff noted that, as an example, putting up a firewall might keep hackers from breaking into databases and stealing personal information, but a firewall would be ineffective if a key problem involved the activities of a dishonest employee, who would already have access to the system.
“All businesses have two basic legal obligations with respect to security: reasonable security for data and to disclose security breaches,” he said.
Without meeting those two obligations, defending against civil claims filed in the wake of a security breach can be problematic. He noted that other states, including Illinois and Massachusetts, also have been clarifying what “reasonable security” means.
Smedinghoff noted that a document put out by the National Institute of Standards and Technology in 2014 also dovetails with the cyber security recommendations in the California report.
The California cyber security report states that retail businesses are the most vulnerable to cyber attacks. The retail industry accounted for 24 percent of breaches over the last four years, while the financial industry had the second largest share of security breaches, at 18 percent.