Reasonable Security Procedures and Practices
The California Consumer Privacy Act (CCPA) private right of action establishes statutory damages of between $100 and $750 per incident for consumers whose personal information has been compromised by a breach of personal information resulting from the business’ “violation of the duty to implement reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” (CA Civil Code Section 1798.150(a)(1)).
The statutory exposure for a company with as few as 10,000 “qualifying data elements[1]” is between $1,000,000 and $7,500,000. This, combined with the legal duty to acknowledge a breach should one occur, significantly increases the financial risk of a breach.
This makes it all the more important that an organization have and maintain appropriate reasonable security procedures and practices.
Given the financial exposure of a breach, the prudent business will want to ensure it can be defended against a claim that it has failed to implement appropriate reasonable security procedures and practices. Since it is a breach that will trigger consumer action, special attention should be put on defensive strategies that significantly lower the likelihood of a breach.
At the present time, however, there is no accepted legal definition of what constitutes appropriate reasonable security procedures and practices. The answer will necessarily depend on the size of the company, the quantity and nature of the information it collects and sells, and similar factors.
SecureTheVillage, a nonprofit that brings together information security practitioners, IT professionals, attorneys, risk managers, law enforcement, educators, and others, has developed a set of Minimum Reasonable Information Security Practices. The objective of this minimum set of practices is to support development of an explicit legal standard that certain practices are so basic that a business’ failure to implement them would serve as prima facie evidence that the business’ security procedures and practices are not reasonable. The Minimum Reasonable Information Security Practices are designed to be a floor on reasonableness.
How Citadel Can Help — Defendable Security Procedures and Practices
Citadel Information Group has provided information security management services to businesses and the nonprofit community for 17 years. Our operational in-the-trenches experience coupled with the work we and our colleagues have done at SecureTheVillage have given us extensive experience in the operational meaning of reasonable security procedures and practices.
Citadel first implements security procedures and practices designed to ensure that the organization meets the minimum practices. We follow this up with additional procedures and practices to ensure appropriate reasonable security procedures and practices are in place. This provides the foundation of appropriate reasonableness.
- We conduct a “gap analysis” to identify what, if anything, needs to be done to implement Citadel’s proprietary Information Security Management Program. Our program has been designed in accordance with the information security management standards identified above to be compatible with SecureTheVillage’s Minimum Reasonable Information Security Practices.
- We work with the client to fully implement Citadel’s Information Security Management Program. This step serves as the foundation for being defendable.
- We work with the client and its legal team to document any additional security procedures and practices that might be needed in the client’s particular situation. Together with the Information Security Management Program, these are designed to form appropriate reasonable security procedures and practices.
- We then work with the client — often in the role of vCISO — to implement appropriate reasonable security procedures and practices.
Meeting Other CCPA Privacy Requirements
In addition to ensuring defendability, Citadel also assists companies in ensuring their ability to comply with CCPA consumer requests to disclose and to delete personal information.
- Data Inventory / Data Mapping: We work with the client to identify and document the consumer information it has, including:
  - Desktops, databases, servers, websites, cloud platforms, laptops, mobile devices and other platforms where information is located
  - Third parties with which it shares information
- We work with the client to ensure its ability to delete customer information upon request
- We work with the client to implement appropriate data retention and destruction procedures
For More Information
Citadel Blog Post: CCPA and Minimum Reasonable Security Procedures and Practices: A Floor on “Defendability”
SecureTheVillage: Minimum Reasonable Security Practices
SecureTheVillage California Consumer Privacy Act (CCPA), including 3 webinars
We invite you to contact us for more information on how Citadel’s CCPA, GDPR, and Other Information Security and Privacy Management Services can provide you Information Security Peace of Mind®.