Failure to implement the CIS Controls constitutes a lack of reasonable security, and a lack of reasonable security can lead to a negligence lawsuit.
California law states that businesses that collect personal information have a duty to implement reasonable security practices and procedures to protect that information. The benchmark for what counts as reasonable security is the Center for Internet Security (CIS) Critical Security Controls (CSC). Failing to meet the CIS CSC as a minimum level of information security is a failure to rise to a reasonable standard of care, which constitutes a breach of that duty. If damages are caused as a proximate result of the business's failure to meet the reasonable standard set by the CIS CSC, the business can be liable to compensate for those damages under a negligence claim in the California civil courts. (The CIS Critical Security Controls for Effective Cyber Defense, version 6, https://www.cisecurity.org/critical-controls.cfm)
The National Governors Association and California Attorney General Kamala Harris have both concluded that the CIS CSC is the baseline standard that every business that collects personal information must meet. (http://www.prnewswire.com/news-releases)
The current version 6 of the CIS CSC provides 94 pages of guidance on 20 different control areas. Each of the 20 controls represents a cyber-security standard that must be met in order to avoid liability in a negligence cause of action; note that the Attorney General's report frames this as implementing all of the controls that apply to the organization's environment, so the first practical step is to document which controls apply to your systems and data and to be able to show that each of those has been implemented.
I help businesses exceed these standards. Contact me if you'd like to discuss this further or would like a copy of the CIS CSC today.