Under the California Consumer Privacy Act, any California consumer whose personal information is compromised “as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices … may institute a civil action.”[1]
Consumers can initiate this private right of action right now, whereas other consumer rights can only be enforced by the Attorney General beginning in July.[2]
Why This Matters
Most civil actions filed against companies during the last decade were dismissed. Why? Consumers were unable to demonstrate a suitable harm. Sure, cybersecurity incidents are a hassle for consumers to deal with, but that alone was not enough. Recently, however, courts have said “the hassle” is enough, at least for cases to proceed past their initial stages. This has led to a steady rise in both the number of cases that are settled and their dollar amounts.
Complicating things further, under the CCPA, proving harm doesn’t necessarily matter. If personal information is compromised because of a failure to implement and maintain reasonable security, the CCPA quantifies harm as “not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident” or a higher amount if proven.[3] What matters is whether your security is reasonable.
Google’s search engine defines reasonable as “as much as is appropriate or fair.” For those who reminisce about how they spent three years in law school learning the many ways “reasonable” can be interpreted, the CCPA may trigger déjà vu; neither the CCPA nor its proposed regulations define “reasonable security.” But reliable guidance is available.
Reasonable Security Under the CCPA
In 2016, the California Attorney General endorsed the CIS Critical Security Controls developed by the Center for Internet Security (“CIS”), a non-profit organization “dedicated to enhancing the cybersecurity readiness and response among public and private sector entities.”[4]
Similar to the NIST Cybersecurity Framework endorsed by the Federal Trade Commission,[5] the CIS Controls were developed to help organizations manage their cybersecurity risks.[6] The CIS Controls consist of 20 controls and describe why each control is critical.
For example, Control No. 7 addresses protections for email and web browser applications since this is where users take actions that substantially increase a company’s risk.[7] The CIS Controls list and describe 10 specific actions that companies should take to implement this control.
Control No. 8 describes the importance of blocking or identifying the presence of malicious software designed “to attack your systems, devices, and your data.”[8] The CIS Controls list and describe eight controls that companies should implement for this control.
Control No. 17 focuses on security awareness and training programs since “the actions of people also play a critical part in the success or failure of an enterprise.”[9] The CIS Controls list and describe nine ways companies should implement this control.
While there is still uncertainty around the meaning of some CCPA requirements, the CIS Controls provide a baseline of the various factors that would constitute reasonable security under the CCPA, as does the NIST Cybersecurity Framework, and as will the NIST Privacy Framework: A Tool for Improving Privacy Through Enterprise Risk Management, which is currently being developed.[10]
Civil actions by California consumers will inevitably be filed in the coming weeks and months. If you have legal questions about the reasonable security requirement under the CCPA and the CIS Controls, please reach out to one of our Global Privacy & Security Blog authors.
[1] Cal. Civil Code § 1798.150(a) (emphasis added).
[2] To see if a company is covered by the CCPA see the criteria explained in this article: https://www.stoel.com/legal-insights/legal-updates/ccpa-is-coming.
[3] Cal. Civil Code § 1798.150(a)(1)(A) (emphasis added).
[4] Center for Internet Security, Center for Internet Security & California Attorney General Staff Offer Cybersecurity Guidance to Small Businesses, https://www.cisecurity.org/press-release/center-for-internet-security-california-attorney-general-staff-offer-cybersecurity-guidance-to-small-businesses/ (Oct. 10, 2016).
[5] Romaine Marshall, Stoel Rives LLP, Achieving Industry Standards, https://www.stoelprivacyblog.com/2019/10/articles/privacy/achieving-industry-standards/ (Oct. 28, 2019).
[6] Center for Internet Security, CIS Controls, https://www.cisecurity.org/controls/ (last visited Jan. 7, 2020) (a copy of the most recent version of the controls (CIS Controls version 7.1) can be obtained via this link: https://learn.cisecurity.org/cis-controls-download).
[7] CIS Controls (version 7.1) at 29.
[8] CIS Controls (version 7.1) at 32.
[9] CIS Controls (version 7.1) at 59.
[10] National Institute of Standards and Technology, Preliminary Draft of the Privacy Framework, https://www.nist.gov/privacy-framework/working-drafts (Sept. 6, 2019).