Reasonable Security Procedures and Practices
The California Consumer Privacy Act (CCPA) private right of action establishes statutory damages of between $100 and $750 per consumer per incident (or actual damages, whichever is greater) for consumers whose personal information has been compromised by a breach resulting from the business’ “violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” (CA Civil Code Section 1798.150(a)(1)).
The statutory exposure for a company with as few as 10,000 “qualifying data elements[1]” is therefore between $1,000,000 and $7,500,000. This, combined with the existing legal duty to disclose a breach to affected consumers should one occur, significantly increases the financial risk of a breach.
It is therefore more important than ever that a company have, and maintain, appropriate reasonable security procedures and practices.
The Prudent Business Will Want to Implement Defendable Security Procedures and Practices
Given the financial exposure of a breach, the prudent business will want to ensure it can defend itself against a claim that it failed to implement appropriate reasonable security procedures and practices. Since it is a breach that triggers the consumer’s right of action, special attention should be paid to defensive strategies that significantly lower the likelihood of a breach in the first place.
Minimum Reasonable Security Procedures and Practices: A Floor on Defendability
At the present time, there is no accepted legal definition of what constitutes appropriate reasonable security procedures and practices. The answer will necessarily depend on the size of the company, the quantity and nature of the information it collects, processes and sells, and similar factors.
There are several markers that point the way towards what might constitute appropriate reasonable security procedures and practices in different circumstances:
- The NIST Cybersecurity Framework is a logical contender for what constitutes reasonable security. The Framework, though, does not itself prescribe specific security procedures and practices, nor is it intended to. It is intended, instead, as the basis upon which an organization can develop its own reasonable security procedures and practices.
- In the California 2016 Data Breach Report, then Attorney General Kamala Harris wrote “The 20 controls in the Center for Internet Security’s Critical Security Controls [CIS-20] define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
- Like the CIS-20, the New York State Department of Financial Services regulation 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies, contains operational requirements that could serve in part to give specificity to reasonable security procedures and practices. While it was written for larger, regulated financial institutions, some of its controls, like some of the CIS-20, may be too onerous and not commercially reasonable for smaller organizations.
- NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, may also be useful in defining reasonable security procedures and practices. So might the Payment Card Industry Data Security Standard (PCI DSS), HIPAA, and Gramm-Leach-Bliley.
- While it would be hard to argue that a company certified compliant with the International Organization for Standardization’s ISO 27001 (with the ISO 27002 control guidance and related standards) fails to meet the threshold of reasonable security procedures and practices, it is unreasonable to impose a certification standard on smaller organizations for which it may not be commercially reasonable.
- Believing the CIS-20 to be too onerous for smaller organizations, SecureTheVillage, a 501(c)(3) community-based nonprofit founded nearly 4 years ago by Citadel, developed a Code of Basic IT Security Management Practices to serve as a minimal set of information security management practices that a buyer of IT services should require of its IT vendor or MSP: a security floor, so to speak. Building on those Basic IT Security Management Practices, SecureTheVillage has developed a set of Minimum Reasonable Information Security Practices. The objective of the Minimum Reasonable Information Security Practices is to support development of an explicit legal standard under which certain practices are so basic that a business’ failure to implement them would serve as prima facie evidence that the business’ security procedures and practices are not reasonable.
Key Links
- SecureTheVillage CCPA ResourceKit: Webinars and papers on the CCPA
- SecureTheVillage Minimum Reasonable Information Security Practices
- SecureTheVillage Webinars on CCPA:
- April 4: CCPA, Part 1: Law and Risk Management: Online now at SecureTheVillage and ResourceKit
- May 2: CCPA, Part 2: Managing Data Privacy: Online now at SecureTheVillage and ResourceKit
- June 6: CCPA, Part 3: Minimum Reasonable Security Practices: Online now at SecureTheVillage and ResourceKit
- SecureTheVillage: Information Security Management ResourceKit: Webinars and papers on information security management
- SecureTheVillage Information Security Management Webinar Series: A monthly information security management webinar designed to provide executives and first-line information security management with the knowledge and understanding they need to lead their organization’s information security and privacy program.