Interactive Counsel

Arent Fox's interactive media law blog - latest news and trends in advertising, data security & privacy, and IP.

Heading for the Breaches: California Recommends Data Security Measures


The California Office of the Attorney General (OAG) recently released a report detailing a comprehensive analysis of the data breaches reported to the OAG between 2012 and 2015. Fifty million records of Californians were reportedly breached during those four years. The report acknowledges that security is a challenging endeavor for organizations, but points out that many of the breaches reported could have been prevented by taking reasonable security measures.
The report provides the following key recommendations for businesses:

  1. Minimum Security Controls. Organizations that collect or maintain personal information should meet, at a minimum, the 20 controls identified in the Center for Internet Security’s Critical Security Controls.
  2. Strong Authentication Procedures. Organizations should implement multi-factor authentication for consumer-facing online accounts that contain sensitive personal information. They should also consider multi-channel authentication for administrators and for employees or vendors with remote access to internal systems. This requires adding an out-of-channel mechanism, such as a one-time-use code sent by text message to a cellphone.
  3. Strong Encryption. Organizations should consistently use strong encryption to protect personal information on computing devices, such as laptops, phones, tablets, and desktop computers.
  4. Breach Fraud Alert. Organizations should encourage individuals affected by a breach of Social Security Numbers or driver’s license numbers to place a fraud alert to monitor their credit records for suspicious activities. They should make this option very prominent in their breach notices.

California’s Data Breach Report is noteworthy because it provides actionable takeaways for organizations to implement, including specific security controls.
Arent Fox’s Cybersecurity & Data Protection group will continue to monitor developments in the data protection field. For more information on meeting these requirements, please do not hesitate to contact Sarah L. Bruno.



Arent Fox LLP, founded in 1942, is internationally recognized in core practice areas where business and government intersect. With more than 350 lawyers, the firm provides strategic legal counsel and multidisciplinary solutions to clients that range from Fortune 500 corporations to trade associations. The firm has offices in Los Angeles, New York, San Francisco, and Washington, DC.