What every CEO needs to know about California's new data breach law
What every CEO needs to know about the
$100,000 mouse click and California's new A.B. 1710
October 2014
Author: Dave Sweigert, M.Sci., CISSP, CISA, PMP
(non-attorney not providing legal advice)
ABSTRACT
Data breaches will now carry a de facto cost of $100 per record with the
implementation of California’s Assembly Bill 1710 (signed into law 9/24/14 and
effective 1/1/15).
Background
With the passage of A.B. 1710, California has institutionalized the practice of offering victims of a data breach free credit monitoring services for twelve (12) months (a cost of roughly $100 per affected person).
Effective January 1, 2015, a data breach exposes the breached organization to AB 1710 liability for the records of every affected Californian.
This adds yet another law (and more liability) to the legislative, regulatory and compliance landscape.
Thus, the era of the $100,000 mouse click has been ushered in. For example, if a spreadsheet of 1,000 sensitive records is mistakenly sent to the wrong e-mail address, it can become a $100,000 mistake (1,000 records x $100 = $100,000).
Attackers no longer need to fight their way past firewalls and Intrusion Detection Systems (IDS). It is enough to convince a poorly trained workforce member to rush an e-mail containing billing information to a purported bookkeeping clearinghouse address, or to fall for any other creative social engineering attack.
Not a question of “if” but “when”
Industry leaders addressing the consequences of such data breaches continue to strongly suggest that organizations focus on appropriate risk assessments1 and data breach response capabilities rather than on old-school overreliance on the latest "gee-whiz" cyber hygiene appliance. Many organizations continue to rely on a patchwork of routers, firewalls and network gear to protect sensitive data, but have not undergone a comprehensive assessment of overall organizational risk.
1 Office for Civil Rights Director Jocelyn Samuels reiterated at a recent industry conference that organizations dealing in protected health information ("PHI") should, and in fact must, routinely assess and investigate vulnerability as part of an effective compliance program.
To illustrate, consider a recent Office of Inspector General (OIG)2 audit of the Kentucky Health Benefit Exchange, which cited weaknesses in:
• Security planning
• Risk assessments
• Incident response capabilities
These are the "soft skills" that are often overlooked by senior management, which may be more focused on line-item costs for new "security" tools and appliances (e.g., encryption tools, anti-malware and anti-virus protection).
Emergence of new risk frameworks
As described in other articles by the author, the Cybersecurity Framework (CSF), developed by NIST under White House Executive Order 13636, offers a viable framework for reducing the consequences of a data breach.
Senior managers will discover that the CSF departs from the prescriptive approach of spelling out individual security controls and instead offers a flexible framework. The
core principles of the framework are:
• Identify (pre-data breach)
• Protect (pre-data breach)
• Detect (data breach)
• Respond (post-data breach)
• Recover (post-data breach)
2 U.S. Department of Health and Human Services, Office of Inspector General, 9/2014, Report No. A-18-14-30011
Recovery and incident management
As most security industry observers will admit, it is nearly impossible to guarantee a secure core infrastructure and/or enterprise. In fact, many regulated industry leaders complain that regulatory compliance does not mean better data security. Note, too, that government regulators tend to be interested mainly in compliance activities (pre-incident), while juries tend to focus on the response and recovery actions of senior management (post-incident).
For most organizations a data breach seems to be a mathematical inevitability. Therefore, in the era of AB 1710, data breach incident response and recovery planning is no longer a nice-to-have option. It is an imperative.
About the author: Dave Sweigert holds credentials as a Certified Information Systems Security Professional, Certified Information Systems Auditor and Project Management Professional, and has earned separate Master's degrees in Information Security and Project Management. He is a former security researcher for the U.S. National Security Agency and the U.S. Air Force Electronic Security Command. He is an active supporter of the National Cyber League.