Kamala Harris made history yesterday as the first woman, first Black American, and first American of South Asian descent to assume the office of Vice President of the United States. Harris has been a household name in her home state of California and across the nation for a variety of reasons, but few people realize that the former prosecutor, state attorney general, and US Senator has had a profound impact on cybersecurity.
During her time in the Senate, Harris introduced or co-sponsored bills aiming to enhance election security, increase penalties for economic espionage, and tighten cybersecurity at U.S. ports. She called out the growing significance of cyber attacks during her own run for president, warning of a “war without blood”. Her biggest impact on cybersecurity, however, came during her two terms as California Attorney General.
As the state’s top prosecutor, Harris formed an eCrime Unit and tried first-of-their-kind cases involving social media stalking and revenge porn. More significant, though, were three Data Breach Reports issued in 2012, 2014, and 2016. Each report analyzed hundreds of data breaches and provided specific recommendations to help businesses secure sensitive information. Her final report, issued in 2016, has had a lasting and profound impact on the way we approach cybersecurity.
What is “Reasonable Security”?
The California Consumer Privacy Act (CCPA), which went into effect on January 1, 2020, requires businesses to implement and maintain “reasonable security procedures and practices” to safeguard the personal information they collect on the state’s consumers. The law also gives consumers the right to sue a business whose nonencrypted and nonredacted personal information is breached as a result of the business’s failure to meet this standard. What the law does not do is define reasonable security or provide guidance on how to implement it.
Without a concrete set of guidelines, businesses were left scratching their heads as to how to comply with the statute. One person’s version of “reasonable” security might look completely unreasonable to someone else.
In the 2016 Data Breach Report released by the CA Office of the Attorney General (OAG), Harris took a stab at defining the nebulous concept:
“The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”– CA Attorney General Kamala Harris, 2016 Data Breach Report
The 20 controls Harris refers to – colloquially known as the CIS Top 20 – are a set of prioritized best practices to protect data and thwart the most common cyberattacks. They’re designed to provide the biggest “bang for your buck” and include common sense measures like malware defenses, secure configuration of computers, and controlled use of administrative privileges. (CIS revises and renumbers the controls periodically, so the version cited in the 2016 report will not map one-to-one onto whatever version is current when you read this; the underlying practices have stayed largely the same.)
Even better, the CIS Top 20 are clear and actionable. The individual sub-controls contain direct instructions like “Address Unapproved Software”, “Change Default Passwords”, and “Ensure Regular Automated Backups”. The video below provides a closer look at one example control:
Harris also made a variety of other recommendations in her 2016 report, including the use of multi-factor authentication (MFA). It’s too soon to say whether or not this guidance will become the gold standard for what “reasonable security” means. Each circumstance is different, and there may be cases where “reasonable” means going beyond the CIS Top 20 controls. But by providing the first concrete recommendations for business owners to follow, Harris removed a great deal of uncertainty and confusion and gave us a strong, actionable place to start from.
These are things that every organization should be doing, and if you’re not, you are failing to live up to the burden of “reasonable” security. To give a real-world example, if you’re collecting data like social security numbers without using firewalls and anti-virus software, you’re likely opening yourself up to significant liability under the CCPA and other statutes.
How We Can Help You Meet the CIS Top 20
Like the former CA Attorney General, we’re big fans of the CIS Top 20, and that’s why we’ve developed two of our premier offerings with these critical controls in mind. Our Cybersecurity Assessments are designed to give you an idea of how your organization currently measures up to the CIS Top 20 and identify any gaps that should be addressed. It’s a great way to get an overall picture of your cybersecurity posture.
Our Small Business Cyber Defense Package directly implements many of the top 20 controls, including DNS Filtering, centrally managed malware defenses, and automated backups. We also address controls that are especially challenging for small businesses, such as monitoring audit logs for signs of suspicious activity.
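To make the audit-log monitoring control concrete, here is a small added example (written for this page, not code from the CIS Controls, the Attorney General’s report, or our product) that scans SSH authentication log lines for a brute-force pattern: a burst of failed logins from one source address, followed by a successful login from that same address. The log lines are constructed for the example, and the threshold of five failures within sixty seconds is an assumption chosen for illustration, not a value taken from the CIS Controls.

```python
"""Flag SSH brute-force patterns in syslog-style sshd lines.

Added example, not the page's or any vendor's code. The sample log lines
and the 5-failures-in-60-seconds threshold are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches classic syslog-format sshd auth lines such as:
# "Jan 21 09:15:02 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

FAIL_THRESHOLD = 5              # assumption: five failures ...
WINDOW = timedelta(seconds=60)  # ... inside sixty seconds counts as a burst

# Constructed sample log (not from any real host): one attacker hammering
# 203.0.113.7 and then getting in, plus a legitimate user with one typo.
SAMPLE_LOG = [
    "Jan 21 09:15:02 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Jan 21 09:15:04 web1 sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2",
    "Jan 21 09:15:05 web1 sshd[2203]: Failed password for root from 203.0.113.7 port 51240 ssh2",
    "Jan 21 09:15:07 web1 sshd[2205]: Failed password for root from 203.0.113.7 port 51244 ssh2",
    "Jan 21 09:15:09 web1 sshd[2207]: Failed password for root from 203.0.113.7 port 51250 ssh2",
    "Jan 21 09:15:20 web1 sshd[2209]: Accepted password for backup from 203.0.113.7 port 51260 ssh2",
    "Jan 21 09:16:00 web1 sshd[2211]: pam_unix(sshd:session): session opened for user backup by (uid=0)",
    "Jan 21 09:20:00 web1 sshd[2220]: Failed password for alice from 198.51.100.4 port 40000 ssh2",
    "Jan 21 09:20:30 web1 sshd[2222]: Accepted publickey for alice from 198.51.100.4 port 40002 ssh2",
]


def parse_line(line, year=2021):
    """Return a dict for an auth success/failure line, or None for anything else.

    Syslog timestamps carry no year, so the caller supplies one (assumed 2021).
    """
    m = LINE_RE.match(line)
    if not m:
        return None  # e.g. "session opened" lines are not login attempts
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["outcome"] == "Accepted", "user": m["user"], "ip": m["ip"]}


def detect(lines):
    """Return alert strings: one per source IP that crosses the failure
    threshold inside the sliding window, and one more if that same IP
    later logs in successfully (the case that needs immediate attention)."""
    events = [e for e in (parse_line(l) for l in lines) if e]
    events.sort(key=lambda e: e["ts"])
    recent_failures = defaultdict(list)  # ip -> timestamps inside the window
    flagged = set()
    alerts = []
    for e in events:
        window = recent_failures[e["ip"]]
        if not e["ok"]:
            window.append(e["ts"])
            while window and e["ts"] - window[0] > WINDOW:
                window.pop(0)  # slide the window forward
            if len(window) >= FAIL_THRESHOLD and e["ip"] not in flagged:
                flagged.add(e["ip"])
                alerts.append(
                    f"brute-force: {len(window)} failed logins from {e['ip']} "
                    f"within {WINDOW.seconds}s"
                )
        elif e["ip"] in flagged:
            alerts.append(
                f"CRITICAL: successful login as {e['user']} from {e['ip']} "
                f"after brute-force burst"
            )
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the script raises two alerts for 203.0.113.7 and none for alice, whose single failed attempt never reaches the threshold. In practice the same logic would read `/var/log/auth.log` or a central syslog feed rather than an inline list, and the thresholds would be tuned to the environment; the point is that the control is satisfied by actually looking at the logs, not by merely collecting them.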
Whether you’re looking to comply with the CCPA or just improve your overall security posture, the CIS Top 20 is a great way to start. If you’d like help implementing these controls at your organization, please don’t hesitate to contact us!