California has now weighed in on the definition of “reasonable” security and minimum security requirements for all businesses through the California Attorney General’s 2016 Data Breach Report.
The Report references the legal obligation to secure information, and adopts the views that “Security is a process,” that “Information security laws and regulations generally require a risk management approach,” and that “This means organizations must develop, implement, monitor, and regularly update a comprehensive information security program.”
More importantly, the Report adopts the Critical Security Controls for Effective Cyber Defense released by the Center for Internet Security (formerly known as the SANS Top 20) as the “minimum standard of care for personal information.” According to the Report, “The 20 controls in the Center for Internet Security’s Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.” (Emphasis added.)
Presumably this view will guide their enforcement actions going forward and likely warrants the careful attention of entities seeking to maintain strong information security practices.