CA Consumer Privacy Act (CCPA)

Reasonable Security Procedures and Practices

The California Consumer Privacy Act (CCPA) private right of action establishes statutory damages of between $100 and $750 per incident for consumers whose personal information has been compromised by a breach of personal information resulting from the business’ “violation of the duty to implement reasonable security procedures and practices appropriate to the nature of the information to protect the personal information. (CA Civil Code Section 1798.150(a)(1)).

The statutory exposure for a company with as few as 10,000 “qualifying data elements[1]” is between $1,000,000 and $7,500,000. This combined with the legal duty to acknowledge a breach should one occur, significantly increases the financial risk of a breach.

This increases the importance to a company that it have and maintain appropriate reasonable security procedures and practices.

The Prudent Business Will Want to Implement Defendable Security Procedures and Practices 

Given the financial exposure of a breach, the prudent business will want to ensure it can be defended against a claim that it has failed to implement appropriate reasonable security procedures and practices. Since it is a breach that will trigger consumer action, special attention should be put on defensive strategies that significantly lower the likelihood of a breach.

Minimum Reasonable Security Procedures and Practices: A Floor on Defendability

At the present time, there is no accepted legal definition for what constitutes appropriate reasonable security procedures and practices.The answer will necessarily depend on the size of the company, the quantity and nature of the information it collects and sells, etc.

There are several markers that point the way towards what might constitute appropriate reasonable security procedures and practices in different circumstances:

1. The NIST Cybersecurity Framework is a logical contender for what constitutes reasonable security. The Framework though does not include — nor is it intended to include — security procedures and practices.  It is intended, instead, as the basis upon which an organization can develop its reasonable security procedures and practices.
2. In the California 2016 Data Breach Report, then Attorney General Kamala Harris wrote “The 20 controls in the Center for Internet Security’s Critical Security Controls [CIS-20] define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
3. Like the CIS-20, New York State Department of Financial Services, 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies contain operational requirements that could serve in part to give specificity to reasonable security procedures and practices. While applicable to larger businesses, like the CIS-20, some of their controls may be too onerous and not commercially reasonable for smaller organizations.
4. NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations may also be useful in defining reasonable security procedures and practices. So might the Payment Card Industry’s Data Security Standard, HIPAA, and Gramm-Leach-Bliley.
5. While it would be hard to argue that a company certified compliant with International Standards Organization ISO 27001, 27002, et al fails to meet the threshold of reasonable security procedures and practices, it is unreasonable to impose a certification standard on smaller organizations for which it may not be commercially reasonable.
6. Believing the CIS-20 to be too onerous for smaller organizations, SecureTheVillage, a 401(c)3 community-based nonprofit founded nearly 4 years ago by Citadel, developed a Code of Basic IT Security Management Practices to serve as a minimal set of information security management practices that a buyer of IT services should require of its IT vendor or MSP; a security floor, so-to-speak. SecureTheVillage is currently developing a set of Minimum Reasonable Information Security Practices based on its Basic IT Security Management Practices. The objective of the Minimum Reasonable Information Security Practices is to support development of an explicit legal standard that certain practices are so basic that a business’ failure to implement them would serve as prima facie evidence that the business’ security procedures and practices are not reasonable.

How Citadel Can Help — Defendable Security Procedures and Practices

Citadel Information Group has provided information security management services to businesses and the not-for-profit community for 17 years. Our operational experience in-the-trenches coupled with the work we and our colleagues have done at SecureTheVillage have given us extensive experience in the operational meaning of reasonable security procedures and practices.

Citadel implements security procedures and practices designed to be defendable against a claim of failing to be reasonable.

1. We conduct a “gap analysis” to identify what, if anything, needs to be done to implement Citadel’s proprietary Information Security Management Program. Our program has been designed in accordance with the information security management standards identified above to be compatible with SecureTheVillage’s forthcoming Minimum Reasonable Information Security Practices.
2. We work with the client to fully implement Citadel’s Information Security Management Program. This step serves as the foundation for being defendable.
3. We work with the client and it’s legal team to document any additional security procedures and practices that might be needed in the client’s particular situation. Together with the Information Security Management Program these form appropriate reasonable security procedures and practices.
4. We then work with the client to implement appropriate reasonable security procedures and practices.

In addition to ensuring defendable security procedures and practices, Citadel also assists companies ensure their ability to comply with CCPA’s request to disclose and to delete. This requires (i) identifying the information a company has about a consumer (data inventory), (ii) documenting the desktops, databases, servers, websites, cloud platforms, and other platforms where the information is located (data mapping), (iii) documenting the 3rd-parties with which it has shared that information, and (iv) implementing data retention and destruction procedures.

Key Links

• SecureTheVillage CCPA ResourceKit: Webinars and papers on the CCPA
• SecureTheVillage: Information Security Management ResourceKit: Webinars and papers on information security management
• SecureTheVillage Information Security Management Webinar Series: A monthly information security management webinar designed to provide executives and first-line information security management with the knowledge and understanding they need to lead their organization’s information security and privacy program.
• SecureTheVillage Minimum Reasonable Information Security Practices (Under development)
• SecureTheVillage Webinars on CCPA:
  • April 4: CCPA, Part 1: Law and Risk Management: Online now at SecureTheVillage and ResourceKit
  • May 2: CCPA, Part 2: Managing Data Privacy: Online now at SecureTheVillage and ResourceKit
  • June 6: CCPA, Part 3: Minimum Reasonable Security Practices

We invite you to contact us for more information on how Citadel’s CCPA, GDPR, and Other Information Security and Privacy Management Services can provide you Information Security Peace of Mind®.

By submitting this form, you give us permission to contact you.