I’ve previously posted a link to a report by the California Attorney General on breaches in California and recommendations, but I like that this post by Hunton & Williams focuses on the how the recommendations relate to “reasonable security:”
Importantly, the Report states that, “[t]he failure to implement all the [Center for Internet Security’s Critical Security] Controls that apply to an organization’s environment constitutes a lack of reasonable security” under California’s information security statute. Cal. Civ. Code § 1798.81.5(b) requires that “[a] business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.”
You can read the rest of their post here, but I want to pull out one part of their summary of the recommendations:
Organizations, particularly in the health care industry, should consistently use strong encryption to protect personal information on laptops and other portable devices, and should consider it for desktop computers.
So even though HIPAA doesn’t require encryption, if you are not using strong encryption, you might be running afoul of California’s law (even though it’s a “should” and not “shall”). And this is where state attorney generals may have a significant role to play in privacy enforcement, as Danielle Citron argues in her new paper.