February 2016
Joanne McNabb, CIPP/US/G, CIPT
Director, Privacy Education & Policy
joanne.mcnabb@doj.ca.gov
www.privacy.ca.gov
AG's Privacy Unit
Enforces the constitutional privacy right and civil privacy statutes
Empowers individuals with information and strategies
Encourages businesses to adopt privacy-respectful practices
Advises the AG on privacy matters
2016 Data Breach Report
4 years of breaches affecting >500 CA residents (2012-2015)
657 breaches
49+ million records of CA residents breached
California Data Breach Report
KEY FINDINGS
[Chart: Type of Breach 2012-2015. Y axis: Number of Breaches (0-120); X axis: 2012, 2013, 2014, 2015. Series labels visible: Physical.]
[Chart: Breaches by Type 2012-2015. Series: share of Breaches, share of Records (657 breaches affecting >500 CA residents). Categories: Malware & Hacking, Physical Theft or Loss, Errors, Misuse. Y axis: 0%-100%.]
[Chart: Breaches by Industry 2012-2015. Series: share of Breaches, share of Records (657 breaches affecting >500 CA residents). Y axis: 0%-60%; industry category labels not recoverable from the extracted text.]
[Chart: Health Care vs. Other Sectors 2012-2015. Series: Health Care, Other Sectors (657 breaches affecting >500 CA residents). Categories: Physical Theft or Loss, Malware & Hacking, Errors, Misuse. Y axis: 0%-75%.]
California Data Breach Report
RECOMMENDATION ON
REASONABLE SECURITY
Federal & CA Info Security Laws
Gramm-Leach-Bliley Act Safeguards Rule (financial services)
HIPAA Security Rule (health care)
COPPA (children's information)
State laws, including Civ. Code 1798.81.5, and the UCL (Bus. & Prof. Code 17200)
Also FTC and state AG enforcement actions and guidance, industry self-regulation, contractual obligations, etc.
Basic Legal Concept: Reasonable Security
For example: a business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Cal. Civ. Code 1798.81.5(b)
Reasonable Security Is a Process
[Cycle diagram; steps recoverable from the extracted text: Identify assets and data; Assess risks; Monitor effectiveness.]
Security Controls: Physical, Technical, Administrative
Authoritative Standards for Controls
NIST Special Publication 800-53
NIST Cybersecurity Framework
ISO/IEC 27002:2013
CIS Critical Security Controls
CIS Critical Security Controls: A Reasonable Floor
The 20 controls in the Center for Internet Security's Critical Security Controls define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security.
CIS Critical Security Controls
Maintained by the Center for Internet Security: a non-profit focused on cybersecurity readiness and response
Developed by experts from the private & public sectors; updated periodically
High-payoff actions; a starting point for a comprehensive security program
Map to major security laws and other standards
Scalable for organizations of different sizes
ID Experts Webinar Series
At ID Experts, we protect millions of consumers with our identity protection software and services and have a 100 percent success record for identity recovery. We are trusted by thousands of organizations to manage cyber and other risks with our data breach response services. We are the largest provider of identity protection products to the federal government. We serve customers in healthcare, government, insurance, financial services, and higher education. Visit www2.idexpertscorp.com.