“[P]rivacy legislation should have some kind of safe harbor provision in it so that companies understand that if they take certain steps, what they are doing is consistent with the law.”  Karen Zacharia, Chief Privacy Officer at Verizon

The California Consumer Privacy Act (CCPA) provides unparalleled rights for California residents with regard to data privacy.  The CCPA contains an expansive definition of “personal information” and establishes completely new data privacy entitlements for California consumers, including rights to access, delete and opt-out of the sale of personal information.  In addition, the CCPA provides new statutory damages and consumer private rights of action in the event of a data breach.

The CCPA defines a data breach as the “unauthorized access and exfiltration, theft, or disclosure” of “nonencrypted or nonredacted personal information” resulting from “the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”  (Emphasis added).  Violations of this provision are subject to statutory penalties of $100 to $750 per incident as well as additional actual damages and injunctive relief.  In addition, the California Office of Attorney General (OAG) has the authority to issue fines and sanctions up to and including $7,500.00 per violation.  An organization’s net worth and assets, as well as any intentional noncompliance, are valid considerations for the courts and the OAG when assessing appropriate penalties and fines.  It is noteworthy that consumers are not required to prove actual damages to bring a private action; proof that personal, nonredacted and nonencrypted information was subject to a data breach establishes the necessary standing for private actions under the law.

“Reasonable security” is not defined in the CCPA, leaving organizations in a quandary as to when and how to assert the law’s “safe harbor” as a defense against consumer claims when personal information is breached.  Recognized security programs such as the National Institute of Science and Technology’s (NIST) Cybersecurity Framework, the ISACA Control Objectives for Information and Related Technologies (COBIT), the International Organization for Standardization (ISO) 27000 standards, etc. may meet the “reasonable security” requirement.  However, there is no precedent in California establishing the “reasonableness” or legal defensibility of these security frameworks.  This uncertainty casts doubt on whether the implementation of such complex, and potentially expensive and time-consuming, protocols is worthwhile.

The singular guidance for organizations seeking a reliable standard for “reasonable security” was provided by the OAG in its 2016 California Data Breach Report (Report).  The Report analyzed data breach events between 2012 and 2015 and determined that the 20 controls in the Center for Internet Security’s (CIS) Critical Security Controls (CSC 20) establish “a minimum level of information security that all organizations that collect or maintain personal information should meet.”  California’s then attorney general, Kamala Harris, stated that “[The CSC 20] are the priority actions that should be taken as the starting point of a comprehensive program to provide reasonable security.”  The Report warns that “the failure to implement all the [CSC] Controls that apply to an organization’s environment constitutes a lack of reasonable security.”

It remains to be seen whether implementation of the CSC 20, as well as any additional CSC controls that apply to the specific organization, will provide the “reasonable security” standard necessary to successfully defend against claims in the event of a data breach.  To date, the CSC framework provides the best protection against CCPA claims, but the predictability of qualifying for the CCPA “safe harbor” based on implementation of these protocols remains elusive.