
March 17, 2016

Authors:

Travis Brennan
Shareholder
(949) 725-4271
Tbrennan@sycr.com

Katie Beaudin
(949) 725-4074
Kbeaudin@sycr.com

sycr.com

California Finally Speaks on What Constitutes Reasonable Data Security Measures

California's information security law requires businesses that own,
license, or maintain personal information about Californians to use
reasonable security procedures and practices to protect that
information. Cal. Civ. Code § 1798.81.5. For the past several years,
California's Attorney General has been very vocal about data security
and increasingly active in related enforcement, but had never officially
spoken about what constitutes reasonable security procedures and
practices, until now. On February 16, 2016, the Attorney General's
Office released its 2016 Data Breach Report (the "Report"), concerning
data breaches affecting California residents between 2012 and 2015.
The Report's recommendations bring some welcome clarity by
specifying, for the first time, a minimum baseline of data security
measures for all companies under the information security law.

The Report singles out the 20 controls in the Center for Internet
Security's Critical Security Controls (the "Controls") as the minimum
level of information security that all organizations that collect or
maintain personal information should meet. In fact, the Report
virtually enshrines these standards into law, making clear that failure
to implement all the Controls that apply to an organization's
environment constitutes a lack of reasonable security. The Report
summarizes the Controls as follows:
(a) Know the hardware and software connected to your network;
(b) Implement key security settings;
(c) Limit user and administrative privileges;
(d) Continuously assess vulnerabilities and patch holes to stay
current;
(e) Secure critical assets and attack vectors;
(f) Defend against malware and boundary intrusions;
(g) Block vulnerable access points;
(h) Provide security training to employees and vendors with access;
(i) Monitor accounts and network audit logs; and
(j) Conduct tests of your defenses and be prepared to respond
promptly and effectively to security incidents.[1]

The challenge now is for companies to adopt the Controls in a manner
appropriate to their environment without relying on them as a
compliance guarantee. While California is at the vanguard of data
security regulation compared to many jurisdictions, companies must
remain mindful of the existing patchwork of other laws and
regulations that may be applicable to their business, which include
federal laws such as the Health Insurance Portability and
Accountability Act, the Federal Trade Commission Act, the
Gramm-Leach-Bliley Act, and the Fair Credit Reporting Act. At the same time,
commercial reasonableness remains one of the golden rules of data
security, and the starting point of building any data security program
must be the facts on the ground, and not the Controls, or any other
standards. Companies must first identify the specific types of
personal information at issue, the relevance of each type to the
company's business, the unique risks that the company's operations pose
to that information, and the scope of resources that can reasonably be
devoted to safeguarding the information.

Data security compliance, and plans for investigating suspected data
breaches, should be standard components of risk management, and
require direction from legal counsel and guidance from technical
experts. In identifying specific data security benchmarks applicable to
all companies, the Attorney General's Report is an important
milestone in data protection and privacy, which continues to emerge
as one of the most important intersections of law and technology for
the 21st century.

This publication is provided for your convenience and does not constitute legal advice. It
is prepared for the general information of our clients and other interested persons. This
publication should not be acted upon in any specific situation without appropriate legal
advice.
[1] An official description of each control is available at https://www.cisecurity.org/criticalcontrols/download.cfm.

COPYRIGHT 2016 STRADLING YOCCA CARLSON & RAUTH, P.C.

