This is the eleventh installment in Hogan Lovells’ series on the California Consumer Privacy Act.
Much of the focus on the California Consumer Protection Act (“CCPA”) has been on the new rights that it affords California consumers, including the rights to access, delete, and opt out of the sale of their personal information. But arguably the greatest risk to covered businesses involves data security, as the CCPA creates for the first time a private right of action with substantial statutory penalties for breaches involving California consumers’ personal information.
This installment of the Hogan Lovells’ CCPA series explains the CCPA’s security requirement and consequences for non-compliance, and describes security controls that most organizations can implement to mitigate this risk.
Available statutory penalties
The CCPA allows consumers to sue businesses when their “nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” Violations of this provision are subject to statutory penalties of $100 to $750 per incident (which did not previously exist for breaches involving California residents’ personal information), additional actual damages, and injunctive relief. Judges may consider a defendant’s “assets, liabilities, and net worth” in determining the precise award.
Prior to filing a lawsuit, California consumers who are seeking only statutory damages must provide a defendant business thirty days’ written notice of the alleged CCPA violation(s). If the business “cures” any identified issues within thirty days, then the consumer may not sue (although it is unclear whether and how a business may be able to “cure” a data incident or breach). However, consumers seeking to recover actual damages may proceed to filing without any written notice.
In addition to consumer actions, the Attorney General may issue fines of up to $7,500 per violation, with this maximum penalty reserved for cases involving intentional noncompliance.
There is the potential for extremely high penalties under either type of action, with statutory fines able to be multiplied by the number of impacted individuals.
So, what is “reasonable” security?
Although the CCPA penalizes covered businesses for breaches arising from a “violation of the duty to implement and maintain reasonable security procedures and practices,” it neither defines this duty nor what security procedures and practices are “reasonable.” However, this duty already existed in California law prior to the CCPA, and the California Attorney General has endorsed various security measures in prior contexts. Companies may be able to mitigate risk under the CCPA by incorporating these security measures into their CCPA compliance programs.
In 2016, the California Office of the Attorney General published a “Data Breach Report,” which analyzed the recent history of data breaches across industries and identified security lapses that led to those breaches. The report listed safeguards that the then-current Attorney General viewed as constituting reasonable security practices, emphasizing a set of twenty data security controls published by the Center for Internet Security (“CIS Controls”) as the universal baseline (as applicable) for any information security program:
The 20 controls in the [CIS]’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.
The Attorney General pointed to a similar list of safeguards in a 2014 “Cybersecurity in the Golden State” report. While it is not yet clear whether the 2014 and 2016 reports will reflect the current or future Attorney General’s view of “reasonable” security under the CCPA, implementing these controls, absent further guidance, may serve as a baseline for a defensibly “reasonable” information security program. At minimum, a breach due to a failure to implement the CIS Controls may be viewed as presumptively “unreasonable” under the CCPA standard.
Many of the CIS Controls may be familiar to businesses that have already evaluated their compliance with legal information security requirements like the EU General Data Protection Regulation, the New York Department of Financial Services’s Cybersecurity Regulation, or Massachusetts’s Standards for the Protection of Personal Information of Residents of the Commonwealth. The CIS Controls also reflect many safeguards that the Federal Trade Commission has signaled to be appropriate through its guidance, enforcement actions, and consent decrees. These sources echo that core components of a reasonable security program include a written information security program, oversight by a designated security officer or supervisor, employee training, vendor management, an incident response plan, and ongoing risk assessment and management.
Complying with a recognized information security framework in addition to the CIS Controls, such as the National Institute of Standards and Technology Cybersecurity Framework or the International Organization for Standardization (ISO) 27001 series, will also help a business demonstrate that its security is reasonable. After adopting specific security controls, it is important for an organization to incorporate those controls into its internal-facing policies and procedures, and to test for compliance with those controls.
What to do?
The private right of action for data security violations under the CCPA is a game-changer. Unlike the CCPA’s privacy provisions and individual rights, which are enforced by the California Attorney General, the CCPA expressly grants plaintiffs the right to sue, which they will almost certainly do after any prominent breach that impacts a critical mass of California residents. Moreover, the CCPA’s private right of action and statutory penalties cover breaches of all personal information, removing the rather significant impediment of plaintiffs having to prove that they were financially harmed to sustain a lawsuit following a data breach.
Despite the uncertainty regarding the CCPA’s security requirements and enforcement, a prudent course of action is to implement a strong risk-based security program, incorporating the security controls previously endorsed by the California Office to the Attorney General, and to regularly review the program’s effectiveness. Since the CCPA defines “reasonable” security based on the nature of the personal information a company holds, a key first step for many organizations is to map the data held by the organization in order to determine the most “reasonable” set of controls to best protect it.
In addition, given that the CCPA’s private right of action is conditioned in part on any compromised data being “nonredacted” or “nonencrypted,” businesses are well-advised to assess whether appropriate redaction and encryption methods are employed and operating effectively. In addition to evaluating an organization’s own security program, it is also important to take steps to vet the security measures employed by one’s service providers, as conducting reasonable security diligence of one’s vendors is a component of many reputable security standards.
Although amendments to the CCPA delayed regulatory enforcement until July 1, 2020, the amendments did not affect the private right of action. With the private right of action available to aggrieved consumers as of January 1, 2020, the time is now to begin documenting the lifecycle of the data that covered businesses collect, use, and disclose, consider further investments in defensible security controls to protect that data, and establish processes to confirm operational effectiveness of such controls.