In late February, California’s attorney general Kamala Harris released a breach report that you can find here. The report requires companies conducting business in the state of California to use “reasonable security procedures and practices…to protect personal information from unauthorized access, destruction, use, modification, or disclosure.”
Essentially, the reasonable security protocols she’s referring to are the SANS top 20 security controls. However, Ms. Harris expanded on the 20 security controls and emphasized that consumers should have the option to employ multi-factor authentication for system access, and use strong encryption of all customer data. In the event of a data breach, she went on to say, the business that had been breached should provide fraud alert services to affected parties.
Even if you don’t conduct any business in the state of California, I believe that it’s just a matter of time before other states follow California’s example and establish similar requirements – so your business should really start planning for that accordingly. I know, I know – add it to the list. If you were looking for an irrefutable reason to justify additional security-related project funding, this report is heaven sent. However, if your budget can’t grow, re-prioritizing security initiatives will likely be hell.
What a nice surprise (what a nice surprise). Bring your alibis…