The California Data Breach Report "provides an analysis of the data
breaches reported to the California attorney general from 2012-2015."
In nearly all cases, the breaches exploited vulnerabilities for which
fixes had been available for more than a year. California state law
states,
"A business that owns, licenses, or maintains personal
information about a California resident shall implement and maintain
reasonable security procedures and practices appropriate to the nature
of the information." The report goes on to say that organizations that
do not implement the Center for Internet Security's (CIS) 20 Critical
Security Controls would be found to demonstrate "a lack of reasonable
security."
http://www.nextgov.com/cybersecurity/2016/02/california-says-companies-should-embrace-nsa-developed-data-protections/126151/