Kamala Harris, California’s Attorney General (AG), shared key findings from the latest data breach report to a packed room on the Stanford campus this past Tuesday. It was an honour to see Harris in person and to participate in her seminar on cyber security and data breaches. Her team is setting the standards here in California, and the world is taking notice. Her California roots were on full display when she passionately took on the subject of privacy in today’s digitally connected world.
“178 breaches placed 24 million records of Californians at risk.”
“The financial sector showed the greatest susceptibility to breaches caused by insiders (employees, service providers), both through unintentional errors and intentional misuse of privileges.”
While the report had some interesting findings, such as the increased threat from insiders and users, especially in the financial sector, the key takeaway was that organisations collect too much personal data and are legally and ethically responsible for protecting it. The report states that nearly all of the vulnerabilities exploited in these breaches were compromised more than a year after a patch for the vulnerability was publicly available. In some instances the state of California went beyond the typical enforcement and regulation path, as in the case against Houzz, where the AG required the creation of a Chief Privacy Officer role to protect privacy.
“Malware and hacking present the greatest threat to data breaches.” This finding from the report shouldn’t surprise anyone, since both the user/employee and the endpoint remain the weakest links in cyber security.
Can cyber security learn from the epidemics?
Harris hit the nail on the head by comparing today’s cyber security issues to an epidemic and drew parallels to the approach public health takes in handling viral infections. The first and foremost response should be containment; without the ability to identify the infection through accurate diagnosis, rushing to prevention by developing a vaccine or cure would be premature. Along the same lines, cyber security has to be “smart” and take a reasonable approach to protecting data. Many organisations can start by limiting the amount of data they collect from their application users. “Early detection saves lives” was the game changer in fighting breast cancer. Why not apply those learnings to fighting data breaches and change the mindset from “prevention first” to “detection first”? Furthermore, enterprises need to assume a breach is bound to happen and put measures in place to detect it as early as possible.
What is reasonable security?
California’s information security statute requires businesses to use “reasonable security procedures and practices…to protect personal information from unauthorised access, destruction, use, modification, or disclosure.” The report recommends, as a bare minimum, the security controls defined in the Center for Internet Security’s 20 Critical Security Controls. The appropriate controls will vary with the kind of data an organisation collects and/or processes. Entities collecting PII or PHI have a higher burden and many regulations to comply with, and should seriously consider making data protection their top priority. If a data breach does occur even after reasonable security measures have been implemented, knowing exactly which data was compromised will significantly help the breach notification process. Regulatory bodies around the globe understand that cyber security is challenging, but businesses need to show their ethical commitment to protecting privacy beyond merely following regulations.
While Kamala Harris and California continue to blaze the trail on cyber security legislation, just as they do on many other fronts, we at Imperva are excited to be part of the next frontier in cyber security leading the app and data protection charter.