“Reasonable” appears several times in the California Consumer Privacy Act (CCPA), and most notably in the section on the private right of action for a data breach resulting from “a business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”
But what is “reasonable”? While the term is not defined in the CCPA, there are a few benchmarks to follow. In 2016, the California Office of the Attorney General issued a Data Breach Report that lists safeguards the former Attorney General viewed as constituting reasonable security practices, including a set of twenty data security controls published by the Center for Internet Security, multi-factor authentication, and encryption of data in transit. Compliance with an information security framework, such as the National Institute of Standards and Technology Cybersecurity Framework or the International Organization for Standardization 27001 series, may also support a finding of reasonable security. Guidance may also be taken from enforcement actions in other jurisdictions. For example, the Federal Trade Commission, which enforces Section 5 of the FTC Act against unfair or deceptive acts or practices, routinely publishes resources and guidance on practical security measures an organization can take. Additionally, the 2019 amendments to New York’s breach notification law offer certain benchmarks for defining reasonable security requirements.
In a data breach lawsuit, the question of “reasonableness” will likely play out among plaintiffs’ and defendants’ experts before a jury. Accordingly, it is important to have appropriate, and justifiable, data security practices in place that are routinely updated and monitored for compliance, as well as an incident response plan, particularly in view of the private right of action for a data breach under the CCPA. At the very least, keeping personal information encrypted or redacted whenever possible is a sound first step toward avoiding a civil suit under the CCPA.