CCPA and ‘Reasonable Security’: A Game Changer
On January 1, 2020, the California Consumer Privacy Act of 2018 (CCPA) went into effect. The CCPA applies to a wide range of companies and broadly governs the collection, use and sale of personal information of California residents (i.e., consumers and certain other individuals) and households.
The CCPA provides that consumers may seek statutory damages of between $100 and $750, or actual damages if greater, against a company in the event of a data breach of nonredacted and nonencrypted personal information that results from the company’s failure to implement reasonable security. The amount of the statutory damages depends on factors such as the nature and seriousness of the company’s misconduct, the number of violations, the persistence of the company’s misconduct, the length of time over which the misconduct occurred, and the company’s assets, liabilities and net worth. To defend against these consumer actions, a company must show that it has implemented and maintains reasonable security procedures and practices appropriate to the nature of the personal information it is processing.
This CCPA private right of action promises to shake up the data breach class action landscape in which such actions have generally been settled for small amounts or dismissed due to lack of injury. With the CCPA, companies now face potentially staggering damages in relation to a breach. To provide some context, a data breach affecting the personal information of 1,000 California consumers may result in statutory damages ranging from $100,000 to $750,000, and a data breach affecting the personal information of one million California consumers may result in statutory damages ranging from $100 million to $750 million. These potential statutory damages dwarf almost every previous large data breach settlement in the United States.
To mitigate the risk of this increased exposure, companies need to take key steps to ensure they have implemented reasonable security procedures and practices.
What Is Reasonable Security?
The CCPA does not define “reasonable security.” In fact, the obligation for a company to implement and maintain reasonable security procedures and practices is not directly found in the CCPA, but in California Civil Code Section 1798.81.5. This provision obligates a company that processes personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information it processes.
In contexts outside of the CCPA, California regulators have endorsed certain security measures as providing “reasonable security.” In February 2016, the California Department of Justice (DOJ) released the California Data Breach Report, a comprehensive overview of data breaches affecting California residents between 2012 and 2015 (Report). The Report included 20 data security controls published by the Center for Internet Security (CIS Controls) that the DOJ identified as the “minimum level of information security that all organizations that collect or maintain personal information should meet.” The Report further stated that “the failure to implement all the controls that apply to an organization’s environment constitutes a lack of reasonable security.” The CIS Controls include:
Basic CIS controls, such as inventory and control of hardware assets and software assets; continuous vulnerability management; controlled use of administrative privileges; and maintenance, monitoring and analysis of audit logs;
Foundational CIS controls such as email and web browser protections; malware defenses; data recovery capabilities; controlled access based on the need to know; and account monitoring and control; and
Organizational CIS controls, such as incident response and management and penetration tests and red team exercises.
As the Report indicated, the CIS Controls provide only the minimum level of information security. Companies should consider including in their information security programs elements from industry-recognized information security frameworks, such as the National Institute of Standards and Technology cybersecurity framework and the International Organization for Standardization’s 27001 series. Additionally, some companies may have implemented elements of the CIS Controls through compliance with other information security requirements such as the Gramm-Leach-Bliley Act, the New York Department of Financial Services’ Cybersecurity Regulation, or Massachusetts’ Standards for the Protection of Personal Information of Residents of the Commonwealth.
What Steps Should Companies Take?
To defend against private actions by consumers in the event of a breach and to fulfill their obligations under the law, companies should implement an information security program that, at a minimum, includes the CIS Controls endorsed by the California DOJ. A company’s information security program must be appropriate to the nature and sensitivity of the personal information that the company is processing. Accordingly, a key first step is to conduct a data mapping exercise to determine data flows and the types of personal information collected and maintained. Companies should also audit their current information security policies and practices to identify areas of risk, gaps in coverage and areas for improvement. The information gained from the data mapping exercise and the audit can help inform what additional measures a company may need to implement and identify what security measures may be appropriate to protect the personal information that a company is processing.
Next, companies should formally document their policies and procedures in a written information security program (WISP) that is reviewed regularly. The WISP identifies the administrative, technical and physical safeguards a company employs to protect the personal information that it is processing. The WISP should also document personnel training, vendor management, risk assessments and measures to mitigate risk, and include an incident response plan and data retention policy. Companies will also want to be able to demonstrate that they have actively carried out key elements of their WISP, such as by conducting security risk assessments and audits on a regular basis, preferably carried out by a qualified third party. Companies may consider engaging a law firm to oversee a risk assessment or audit by a third party, thereby protecting the results of any assessment or audit under attorney-client privilege.
As part of implementing reasonable security, companies may also want to consider the ways in which they can shift liability and risk through contractual provisions with third parties. Under California Code Section 1789.81.5(c), companies that disclose personal information about California residents to nonaffiliated third parties are required to contractually obligate those third parties to implement and maintain reasonable security procedures and practices, unless the third parties are themselves subject to the California law. By ensuring that contracts with third parties include these contractual provisions, companies demonstrate that they are implementing measures to protect personal information even when the information is processed by third parties.
Companies may also want to consider how they are maintaining and storing personal information in their systems. The CCPA’s private right of action applies to a breach of nonredacted and nonencrypted personal information. By redacting and encrypting the personal information that a company maintains in accordance with the standards required by the CCPA, companies may be able to defend against statutory damages in a private action brought after a breach.