There is no shortage of admonitions for business people to maintain ‘proper’ information security practice. However, much of this guidance stops there and is of little use for those seeking specific guidance as to steps which they should take. Even the more specific guidance which does exist, is often tied to then-existing technology and becomes obsolete in short order.

However, the California Attorney General’s office has recognized many of these shortcomings and provided us with a report and summary of recommendations which are the most specific which we have seen and which are not likely to become obsolete in the near term.  The report discusses the special needs of those in the health care field as well as the more generalized needs of businesspeople in all fields. Click here to review California Data Breach Report (February 2016) and irrespective of your location, we urge you to print and read it.

As a legal matter, both the face of the report and general legal principles indicate that a failure to utilize at least good faith efforts to substantially implement the major provisions of the report which apply to your situation are likely to have an adverse impact upon your legal posture if and when you become involved in proceedings associated with a data breach. In today’s environment, such proceedings should be considered more likely than not.

While we do not have any direct knowledge of anticipated responses, our general experience indicates that cyber-liability and E&O insurers will apply some or all of this material in their underwriting process.

In addition to urging the strong encryption of health care data, particularly that stored or processed on portable media such as phones, laptops and USB drives, the report enumerated other major elements of good security practice. A high level summary is contained below. Whether you are an IT manager or a general manager overseeing IT functions, we encourage you to review this table and the linked material which elaborates on its terms, and address how your organization is applying and implementing its direction.

Our Privacy and Compliance partners are available to assist with this process.

The following table summarizes the Controls, grouped by the type of action they feature. The complete list of Controls is found in Appendix A.

Count Connections Know the hardware and software connected to your network. (CSC 1, CSC 2)
Configure Securely Implement key security settings. (CSC 3, CSC 11)
Control Users Limit user and administrator privileges. (CSC 5, CSC 14)
Update Continuously Continuously assess vulnerabilities and patch holes to stay current. (CSC 4)
Protect Key Assets Secure critical assets and attack vectors. (CSC 7, CSC 10, CSC 13)
Implement Defenses Defend against malware and boundary intrusions. (CSC 8, CSC 12)
Block Access Block vulnerable access points. (CSC 9, CSC 15, CSC 18)
Train Staff Provide security training to employees and vendors with access. (CSC 17)
Monitor Activity Monitor accounts and network audit logs. (CSC 6, CSC 16)
Test and Plan Response Conduct tests of your defenses and be prepared to respond promptly and effectively to security incidents. (CSC 19, CSC 20)


If you would like additional information, please contact any of the following FisherBroyles partners:

Lisa Carroll
(312) 919-9479

Marty Robins
(847) 277-2580

Palo Alto
Kimberly Booher
(650) 636-5958