A New Definition of ‘Reasonable Security’

Despite all the precautions and preventative measures businesses take to fight cyber-attacks, businesses in all industries nationwide are finding themselves cyber-attack victims. This year, the U.S. has seen major security incidents at both Verizon Communications and MedStar Health—two large organizations that gather and hold a significant amount of customer and patient personal information.

In Verizon’s case, hackers accessed, stole, and attempted to sell a customer database containing records for 1.5 million customers; the hackers also offered to sell general information about Verizon’s security vulnerabilities to interested parties. MedStar, by contrast, suffered a ransomware attack in which malware infected the organization’s network and demanded a bitcoin payment to restore the network to working order. Because MedStar refused to pay the ransom, the attack forced the organization to take its network offline for days and then restore it from system backups.

It remains to be seen just how much time and money both Verizon and MedStar will spend to fully repair the damage done by their cyber-attacks; however, according to IBM’s 2015 Cost of Data Breach study, the average cost of a data breach is $3.8 million. Fortunately, for billion-dollar companies like Verizon and MedStar, $3.8 million, while certainly a large cost, is not likely to be life-threatening. For the majority of American businesses, though, that amount of money could be catastrophic.

To lessen the likelihood of catastrophic breaches resulting from cyber-attacks, the state of California has passed a new law that redefines the meaning of “reasonable security.” This new law dictates that all businesses residing in the state now have a legal obligation to protect their customers’ information in accordance with the standards set by The Center for Internet Security (CIS). These standards, known as the Critical Security Controls for Effective Cyber Defense, or CIS 20, provide 20 different technology and policy security controls to which businesses nationwide should adhere to protect themselves from cyber-attacks and better identify and counter such attacks. In California, however, adherence to these standards is no longer optional—it’s the law.

And if history is any guide, it’s only a matter of time until businesses in other states will be legally obligated to do the same: California has a history of setting into motion laws that eventually spread across the nation. California Civil Code § 1798.81.5(b) states, “A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”

The CIS 20 include recommendations on basic cyber controls, such as inventorying authorized and unauthorized devices and software, controlling administrative privileges, and protecting e-mail clients and web browsers, as well as approaches to more advanced areas. These areas include controlling network ports, configuring network devices, incident response and management, penetration tests and red team exercises, maintenance, monitoring, and analysis of audit logs, and vulnerability assessment and remediation.

With so many controls that businesses are required to put in place, it’s easy to see how an organization could quickly become overwhelmed with their implementation and maintenance. Additionally, if an organization were to take on such an effort on its own, the process would likely be complicated, time-consuming, and above all, expensive. For those reasons, it’s important for businesses to invest in partnering with a managed security service provider that can create an implementation and security services plan specifically for their organization and ensure they are legally compliant.

Dunbar Security Solutions provides managed services nationwide that specifically address areas of the CIS 20 and provide 360-degree protection from cyber-attacks.