The Impact of CIS 20 on Business in California

The Problem of Privacy in California

According to reports from government agencies and private businesses to the California Attorney General’s office, there have been 657 data breaches within the state that have put the personal and financial records of 60% of Californians at risk since 2012. The number of breaches has increased steadily since 2012, the year in which reports were officially accepted by the California Attorney General.

The industries reporting data breaches spanned across all lines of business: Financial institutions, professional offices, hotels and spas, educational facilities and government agencies all reported cyber attacks from data thieves who were looking for personal and financial information to use in malicious ways. In most cases, these thieves were able to take advantage of security weaknesses in the digital infrastructure of these businesses and agencies. Hacking far outweighed the threat of physical breaches, with malware threatening the records of 54% of Californians attacked along with 90% of the records breached.

The Assessment

In a report from the Attorney General’s office, officials noted that California seem to have a higher standard for protection than federal laws implemented. The final result of federal laws that preempted California state laws with regards to privacy was a lift of the standards, not more protection for California residents.

The Response

Aside from the relatively new law that now requires all businesses and agencies to report data breaches of a certain size to the California Attorney General, California has also implemented a program known as CIS 20. CIS stands for the Center for Internet Security. The 20 stands for the 20 security controls that demarcate a minimum level of IT security that all businesses in California must meet in order to remain in compliance with the state government.

The Result

Many companies have found it incredibly difficult to meet the standard for reasonable cyber security measures as dictated by the CIS 20 initiative. The federal government has not even been able to define what cyber security measures are relevant or adequate to maintain a reasonable level of protection for people who entrust their information to businesses. The United States Court of Appeals actually stated that the FTC does not have to define the standards in FTC v. Wyndham Worldwide Corp., 799 F.3d 236 (3d Cir. 2015). The difficulty in creating an actual policy out of the 20 standards set forth in the CIS 20 initiative seemed to coincide with the findings of the Court of Appeals, regardless of the positive change that the California Attorney General’s office hopes to instill in the business community of the state.

In general, CIS 20 initiatives seem to require that all hardware and software deployments address security first, even deployments that have nothing to do with security at all. For instance, CRM applications are intended to be easy to use, not to protect any other aspect of the system that it is working on.

According to CIS 20 initiatives, businesses are also required to update software and security patches continuously, monitoring their systems constantly for security breaches. Most companies simply do not have the manpower to do this, nor the budget to hire a third party service around-the-clock.

The Final Effect

Although the intentions of the California Attorney General’s office may be pure, the standards that they set forth are not within the financial wheelhouse of most California business operations. The result will be an overarching decline in business unless some agreement can be made as to how the recommendations set forth in the CIS 20 initiative will actually translate into policy.

{company} is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks, and news. Contact us at {phone} or send us an email at {email} for more information.