In February, the California Attorney General issued the “California Data Breach Report.” That report contained several recommendations, the most controversial of which related to the Center for Internet Security’s Critical Security Controls (the “CCS”). The report stated that “failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.” A failure to have “reasonable security” obviously has large legal ramifications for all companies employing or doing business with California residents, so presumably all such businesses will need to comply with the CCS-mandated controls or risk an enforcement action by the California Attorney General.
The problem is that the level of detail and sophistication required to implement all the CCS action items is beyond the reach of many small (and medium-sized) businesses. For example, here’s a subcontrol of one of the 20 controls from the CCS: “Deploy a SIEM (Security Information and Event Management) or log analytic tools for log aggregation and consolidation from multiple machines and for log correlation and analysis. Using the SIEM tool, system administrators and security personnel should devise profiles of common events from given systems so that they can tune detection to focus on unusual activity, avoid false positives, more rapidly identify anomalies, and prevent overwhelming analysts with insignificant alerts.”
How many small businesses know what this means? And if they do not know, and therefore are unable to comply, are they all lacking “reasonable security”?
In a webinar sponsored by ID Experts on May 4, a representative from the California Attorney General’s office (Joanne McNabb, Director of Privacy Education and Policy Office) clarified this “requirement” to comply with the CCS controls. She stated that, first, the CCS controls are not intended to be law. Furthermore, she stated that the CCS controls would not be used as a sort of checklist: companies will not be subject to an enforcement action solely because, for example, they were compliant with only 19 of the 20 controls. Instead, the Attorney General will continue making enforcement decisions based on whether companies are taking actions appropriate for their respective environments: is a particular company taking a systematic approach to control and mitigate known vulnerabilities? This is consistent with the California Data Breach Report, which uses the phrase “all the Controls that apply to an organization’s environment,” and suggests that adjustments can be made based on a company’s size, resources, and use of personal information.
But a statement in a webinar is unlikely to give companies much comfort. If the California Attorney General is indeed not equating a failure to comply with all CCS controls with a lack of reasonable security (as the California Data Breach Report implies), she should provide clearer guidance, in an official publication, on how the CCS controls will be used to evaluate the security practices of companies employing or doing business with California residents. Perhaps additional guidance is on its way soon: in the webinar, the Attorney General’s representative indicated that workshops for small businesses related to the CCS controls would be offered this summer. Stay tuned!
If you have questions about the CCS controls or how to bring your company’s security practices in line with regulatory requirements, please contact us.