In 2020, with large portions of the global workforce abruptly sent home indefinitely, IT departments nationwide scurried to equip workers of unprepared companies to work remotely.
This presented an issue. Many businesses, particularly small businesses, barely have the minimum network defenses set up to prevent hacks and attacks in the centralized office. When suddenly everyone must become their own IT manager at home, there are even greater variances between secure practices, enforcement, and accountability.
“Reasonable Security” Requirements under CCPA/CPRA and Other Laws
Under the California Consumer Privacy Act (CCPA), the implementation of “reasonable security” is a defense against a consumer’s private right of action to sue for data breach. A consumer who suffers an unauthorized exfiltration, theft, or disclosure of personal information can only seek redress if (1) the personal information was not encrypted or redacted, or (2) the business otherwise failed its duty to implement reasonable security. See Cal. Civ. Code § 1798.150.
Theoretically, this means that a business that has implemented security measures—but nevertheless suffers a breach—may be insulated from liability if the security measures could be considered reasonable measures to protect data. Therefore, while reasonable security is not technically an affirmative obligation under the CCPA, the reduced risk of consumer liability made reasonable security a de facto requirement.
However, under the recently passed California Privacy Rights Act (CPRA), the implementation of reasonable security is now an affirmative obligation. Under revised Cal. Civ. Code § 1798.100, any business that collects a consumer’s personal information shall implement reasonable security procedures and practices to protect personal information. See our CPRA unofficial redlines.
An organization must meet certain thresholds to be defined as a “business” under the CCPA or CPRA. These thresholds typically exclude many small or even medium businesses from being subject to CCPA. However, the requirement of “reasonable security” that applies under the data breach statutes at Cal. Civ. Code § 1798.80 et seq. covers any “business”, regardless of whether it is small or large, for-profit or non-profit:
A business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Former California Attorney General Kamala Harris released guidance for what “reasonable security” means in a 2016 report and recommended implementing the Center for Internet Security (CIS) Critical Security Controls for Effective Cyber Defense (the CIS Controls).
The CIS Controls comprise twenty controls, categorized by Implementation Groups (IG) that take into account the size and risk profile of the organization. An IG1 organization is typically a small business that handles low-volume or low-sensitivity information and has limited resources. At the other end, an IG3 organization is a large enterprise that handles highly sensitive information and typically has the ability to hire in-house security experts.
The controls are comprehensive and cover inventory, configuration, and monitoring of the business’s hardware, software, and inbound/outbound network connections. Many controls also address work-from-home setups, such as Sub-Control 12.11:
Require all remote login access to the organization’s network to encrypt data in transit and use multi-factor authentication.
Reviewing the CIS controls, conducting a gap analysis to determine which controls are currently in place and which are deficiently implemented, and documenting the process is a good first step toward reasonable security.
The Weakest Link in the Chain
However, even if a business has gone above and beyond “reasonable security” and has hypothetically managed to ensure the security of its own systems to 100% certainty, its vendors’ security is not under the same degree of control.
This is readily apparent when considering the recent SolarWinds supply chain attack. By definition, a supply chain attack targets less secure entities in the supply chain in order to reach an intended end target. SolarWinds, a network management software provider and major data processor, announced in December 2020 that a security incident affecting its systems also affected systems serving the U.S. Departments of Treasury, Commerce, and Homeland Security.
Part of implementing reasonable security also includes vetting the security of service providers and vendors used by the business. The CCPA currently obligates the business to restrict its service providers from retaining, using, or disclosing personal information for any reason other than for the specific purpose of performing the contract or other allowed business purposes under the CCPA. However, there are no further obligations with respect to overseeing the service provider’s security.
The CPRA amendments now mandate the inclusion of several additional provisions in the business’s contract with service providers that were previously not required under CCPA. Under CPRA, any business that collects personal information and shares that information with any third party, service provider, or contractor must enter into a contract with that other party and ensure that the following provisions appear in the contract:
(1) Obligation on the third party, service provider, or contractor to use or share the personal information only for limited and specified purposes;
(2) Obligation on the third party, service provider, or contractor to comply with CPRA and provide the same level of privacy protection as the business;
(3) The business’s right to ensure that the third party, service provider, or contractor complies with CPRA and related contractual obligations;
(4) Obligation on the third party, service provider, or contractor to notify the business if it can no longer comply with CPRA or related contractual obligations;
(5) The business’s right to stop and remediate unauthorized use of personal information by the third party, service provider, or contractor.
These additional provisions mean that businesses will need to exercise greater oversight of the service providers and vendors that they use.
Cyber liability insurance
While businesses might customarily have a range of insurance policies, such as commercial general, automobile, or workers compensation liability, one area of overlooked coverage may be cyber insurance.
The security of all systems cannot be guaranteed to 100% certainty, and even after meeting or exceeding the implementation of reasonable security, a business may still be vulnerable to an attack. As the clichéd saying goes, “It’s not a matter of if, it’s a matter of when.”
Ransomware, social engineering, and phishing attacks can happen to any business, small or large, and can pose expensive costs to remediate. In 2020, the global cost of ransomware was approximately $20 billion. Even when the business’s data can be successfully recovered from backups to avoid paying the ransom, some ransom groups have threatened instead to release the data publicly, leading to additional costs for resolving a public breach. Other sobering statistics for small businesses demonstrate that cyber insurance is not only for large companies:
- 43% of cyber-attacks target small business.
- In 2018, cyber-attacks cost small businesses an average of $34,604.
- 60% of small companies go out of business within six months of a cyber-attack.
In order to mitigate the risks of a crippling attack, any business with sensitive data should examine its options for cyber insurance coverage. In considering the business’s supply chain, it is also wise to write minimum cyber insurance coverage requirements into contracts with service providers and vendors.
Since remote working environments appear to be the reality continuing through 2021, businesses should review their security posture, ensure that they adequately implement reasonable security measures, and address any gaps, including those of their service providers and vendors. For gaps that may prove impossible to meet, the business should consider cyber insurance policy options.