The California Consumer Privacy Act (Part Three of Three)

This group of Frequently Asked Questions (FAQ) about the more notable provisions of the CCPA is the third of a three-part series.  Part 1 addresses the scope and applicability of the Act and Part 2 addresses consumer rights and required disclosures under the Act.     

Why Are Reasonable Security Practices Significant Under the CCPA?

As noted in Part 1 of this series, the CCPA’s private right of action allows for damages in the event of a security incident or data breach if the company that suffered the incident or breach failed to maintain reasonable security practices and procedures.  Thus, a critical element of a company’s defense to a lawsuit under the Act is proof that it maintained reasonable security practices and procedures.  What this means from a legal perspective is that, in the event of a lawsuit, a defendant company must prove that a breach or incident occurred despite the company’s exercise of due care.  For this purpose, due care would equal reasonable security practices and procedures, which are also sometimes known as best practices.      

What Are Reasonable Security Practices and Procedures Under the CCPA?

The Act does not define, describe, specify, enumerate, list or identify what it deems to be reasonable security practices or procedures.  However, there are currently any number of information sources that may provide some guidance on the topic.    

For example, in February 2016, the California Office of the Attorney General released the California Data Breach Report, which analyzed breaches from 2012 to 2015 and provided guidance on what businesses could consider as reasonable security.  The report identified 20 controls from the Center for Internet Security’s Critical Security Controls (CIS Controls) as the minimum level of information security that all organizations that collect or maintain personal information should meet.  The Report noted that the failure to implement all of the controls that apply to an organization’s enforcement constitutes a lack of reasonable security.  Although this report does not have the force of law, it certainly provides valuable information regarding what would constitute reasonable security practices under the Act. Controls that the Report recommends include, among other things, the use of multi-factor identification and the consistent use of strong encryption to protect personal information on laptops and other portable devices. 

Guidance regarding reasonable security practices can also be found in any number of third-party protocols for best practices, which are similar to the CIS Controls.  Examples of these protocols include the National Institute of Standards and Technology Cybersecurity Framework (NIST), the Control Objectives for Information and Related Technologies (COBIT) and certain  International Organization for Standardization (ISO) standards.

Additionally, in its enforcement actions, the FTC typically makes a determination as to whether or not companies took commercially reasonable steps to protect data.  A review of the FTC’s findings in those actions provides substantial guidance as to what is deemed to be a reasonable security practice and what is not. 

Finally, in April of 2019, the Department of Justice issued an Evaluation of Corporate Compliance Programs to assist U.S. prosecutors in making decisions as to whether, and to what extent, a corporation’s compliance program was effective at the time of a criminal offense.  This evaluation is helpful in assessing a company’s compliance program with respect to statutes like the CCPA.  The  guidance highlights three questions to be considered in reviewing a corporate compliance program:

• Is the compliance program well designed?
• Is the program being applied earnestly, in good faith and effectively?
• Does the program work?

The DOJ recommends that a corporate compliance program include an adequate risk-assessment structure, policies and procedures, training and communications, a confidential reporting structure and investigative process and third-party management.

Going forward, California will also be issuing regulations in connection with CCPA that should  provide further guidance on this issue. 

Check this space for Part 1 and Part 2 of the FAQ series.  For questions about or assistance with the CCPA, I can be reached at kathy@kdwinger.com or 520-391-4475.

The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.