California is one of the leading states for cybersecurity law and resources. The recently released report from the Attorney General’s office on cybersecurity provides insights for small businesses in any state. The California Data Breach Report summarizes information gleaned from 4 years of required data breach incident reporting to the state.
Based on the analysis of reported breaches, the AG’s office recommends the following:
- The 20 controls identified in the Center for Internet Security’s Critical Security Controls represent standards that should be met by all businesses as the minimum level of cyber security measures.
- Online businesses should use multi-factor authentication for better security than just name and password access.
- Strong encryption should be used on all portable devices and, ideally, on desktop computers as well.
- After a breach, businesses should recommend impacted customers place a fraud alert on their credit files.
- Businesses would potentially benefit if states collaborated on standardizing key components in state breach laws.
The report summarized a thorough analysis of the findings. Of specific interest to small businesses, the data indicates:
- Compared with large businesses, small businesses had a larger share of health care and professional services data breaches but fewer financial sector data breaches.
- Breaches resulting from physical theft were more common among small businesses than large businesses. Physical theft included loss of unencrypted data stored on portable devices and desktop computers as well as paper documents.
- The most common cause of a data breach was in the category of hacking and malware attacks. 59% of the incidents reported by small businesses were in this category.
- Small business breaches resulted in the theft of a mean (average) of 9,850 records.
Breach Notice Laws
California’s law covers any person or business that does business in the state – not just businesses located in California. Some other states have similar coverage. You can find a link to a specific state’s laws at the National Conference of State Legislatures website.
For more information on how to protect small businesses from threats and hacks, check out the NCI one-day training available for Cybersecurity for Small Business and Non-profits at http://www.nationalcybersecurityinstitute.org/training/
California’s Attorney General’s office. Retrieved from https://oag.ca.gov/cybersecurity
Center for Internet Security (2016). CIS Critical Security Controls. Retrieved from https://www.cisecurity.org/critical-controls.cfm
National Conference of State Legislatures (2016, January 4). Security Breach Notification Laws. Retrieved from http://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx