Document your proposed Data Security Plan for California Mir

Document your proposed Data Security Plan for California Miramar University’s vital data assets. This assessment must include

Data type definition

Prioritization of data in terms of damage if data lost/stolen

Identification of relevant statuary and regulatory requirements for data protection

NOTE: You are expected to use your own judgment to assume what type of data CMU uses. You are NOT expected to use CMU\'s real data plan.

Solution

Since 2012, businesses and government agencies have been required to notify the Attorney General on breaches affecting more than 500 Californians. In our latest report, we analyze all such breaches from 2012 through 2015. In it we present our findings on the nature of the breaches that are occurring, what can be learned from them about threats and vulnerabilities, and we make recommendations aimed at reducing the risk of data breaches and mitigating the harms that result from them.

In the past four years, the Attorney General has received reports on 657 data breaches, affecting a total of over 49 million records of Californians. In 2012, there were 131 breaches, involving 2.6 million records of Californians; in 2015, 178 breaches put over 24 million records at risk. This means that nearly three in five Californians were victims of a data breach in 2015 alone.

These breaches occurred in all parts of our economy: retailers and banks, doctors, dentists and hospitals, gaming companies, spas, hotels, restaurants, government agencies, schools, and universities. The majority of the reported breaches were the result of cyber attacks by determined data thieves, many of whom took advantage of security weaknesses. Breaches also resulted from stolen and lost equipment containing unencrypted data, and from both unintentional and intentional actions by insiders (employees and service providers).

Types of Breach

Types of Data Breached

Industry Sectors

Reasonable Security

Securing data is challenging, with technology evolving rapidly, business practices relying increasingly on the collection and use of personal information, and sophisticated cyber criminals waging an escalating battle. Yet securing information is the ethical and legal responsibility of the organizations with which individuals entrust their personal information. The legal obligations to secure personal information include an expanding set of laws, regulations, enforcement actions, common law duties, contracts, and self-regulatory regimes. California’s information security statute requires businesses to use “reasonable security procedures and practices…to protect personal information from unauthorized, access, destruction, use, modification, or disclosure.” Federal laws, including the Gramm Leach Bliley Act (GLBA) and the Health Insurance Portability and Accountability Act (HIPAA), contain general security requirements for the financial services and health care industries. Authoritative security standards describe the measures that organizations should take to achieve an appropriate standard of care for personal information.

State Breach Laws

As the number of state data breach laws has grown in recent years, there has been an effort to pass a federal law that would preempt state laws. The rationale offered has been a reduction of the burden of complying with the different state laws. The proposals under consideration in Congress, however, have tended to set the bar far below California’s current level of protection. They would also in many cases preempt not only state laws on data breach but also longstanding information security and consumer protection statutes.

Recommendations