Few firms are confident enough to describe their security program as "exceptional." Most firms that have implemented some set of security controls, however, would be comfortable claiming that they practice "reasonable data security." That phrase is vague: how many controls, and of what kind, are enough to count as "reasonable"? Until recently there was no authoritative benchmark for what "reasonable data security" actually requires. In the article linked below, one state attorney general has analyzed the question and published a report describing the "minimum level of information security" that any organization handling personal data should meet.
"California Attorney General Defines Minimum Requirements for 'Reasonable Cybersecurity'" is a recommended read for anyone concerned that they may not be doing enough to protect customer data. Even organizations that have already invested substantial time and effort in security may find that their controls fall short of this recommended "minimum." As other states develop their own definitions of a minimum level of information security, the California attorney general's approach of naming a concrete baseline of controls is likely to be adopted elsewhere.