The California Consumer Privacy Act of 2018 is the most comprehensive and stringent consumer data privacy law enacted in the United States to date. One of its most consequential provisions is the private right of action, which is triggered when a business suffers a data breach and is found to have violated its duty to implement “reasonable” security measures to safeguard consumers’ personal information from unauthorized access. Once the law takes effect, that provision will almost certainly drive a sharp rise in bet-the-company consumer class action litigation in California.
To complicate matters, data breaches have grown substantially in both frequency and severity in recent years, a trend that shows no sign of slowing. Taken together, these developments mean covered businesses must address the CCPA’s “reasonable” security requirement thoroughly as part of their compliance efforts if they want to avoid becoming defendants in potentially game-changing breach-related class actions. Fortunately, there are several concrete tactics and strategies that can be used to build a defensible data security program that satisfies the CCPA’s “reasonable” security requirement.
The CCPA’s “Reasonable” Security Requirement and Private Right of Action Provision
The CCPA requires that a “business that owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” Importantly, the CCPA affords consumers a private right of action to sue covered entities when their “nonencrypted or nonredacted personal information ... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”
Consumers can pursue individual or class lawsuits under the private right of action and, if successful, can recover statutory damages of between $100 and $750 per consumer per incident, or actual damages, whichever is greater. Although that figure may seem small at first blush, businesses within the scope of the CCPA should keep in mind that a class of just 10,000 consumers exposes a business to as much as $7.5 million in statutory damages alone.
Ultimately, the CCPA’s private right of action will almost certainly lead to a significant uptick in consumer-initiated, breach-related class action litigation in California for the foreseeable future, with covered businesses likely to see lawsuits filed whenever a data breach involves California residents. The provision is particularly troublesome because it largely sidesteps the significant standing roadblock that ordinarily exists in these cases: under Article III, plaintiffs in federal court must allege that they sustained some sort of “concrete” injury in order to maintain an actionable suit following a data breach. By providing statutory damages, the CCPA gives plaintiffs who suffer no actual injury or out-of-pocket loss a clear path to pursue class action litigation if their data is compromised in a breach.
Importantly, in order for the CCPA’s private right of action to be triggered, a covered business must experience a data breach event that arises from the business’s failure to implement and maintain “reasonable security procedures and practices appropriate to the nature of that information.” However, while the CCPA opens covered entities up to significant potential liability exposure for data breaches stemming from violations of the duty to implement “reasonable” security measures, the law does not define this duty nor provide any insight as to what satisfies the threshold for maintaining “reasonable” security measures. Thus, significant uncertainty exists as to what covered businesses can do to meet this “reasonable” security requirement so as to avoid the possibility of being hit with a CCPA consumer class action.
“Reasonable” Security Compliance Tips
So what are covered businesses to do to comply with the CCPA’s “reasonable” security requirement in the absence of any codified standard? As a starting point, covered businesses should keep in mind that the CCPA’s private right of action does not impose strict liability.
Rather, consumers must establish that the data compromise resulted from the business’s failure to implement and maintain “reasonable” security practices. A business that can document the affirmative steps it took to safeguard sensitive personal information therefore has a strong defense to liability if it is sued under the private right of action in the wake of a breach.
In terms of actionable compliance steps, an effective approach for satisfying the CCPA’s “reasonable” security requirement is to implement the data security measures endorsed by then-California Attorney General Kamala D. Harris in her office’s 2016 California Data Breach Report. In that report, the attorney general endorsed the Center for Internet Security’s Critical Security Controls, a set of 20 security safeguards that the attorney general viewed as constituting reasonable security measures.
Importantly, the report states that the CIS Controls “identify a minimum level of information security that all organizations that collect or maintain personal information should meet,” and that the failure to implement all of the controls that apply to an organization’s environment “constitutes a lack of reasonable security.” As such, the CIS Controls can be used as a guide for satisfying the “reasonable” security requirement of California’s new privacy law.
In addition, covered entities should consider supplementing the CIS Controls with other well-accepted information security frameworks, which can further demonstrate that a business has satisfied the “reasonable” security requirement and help it avoid litigation under the private right of action. Examples of reputable frameworks that organizations can consider adopting are the ISO/IEC 27001 series and the National Institute of Standards and Technology’s Cybersecurity Framework.
Furthermore, covered businesses should also formally document their data security policies, procedures and practices in a written information security plan, or WISP. A WISP should entail a written record of all of the various data security safeguards that the company has implemented that are appropriate to the nature of the information that is possessed and maintained by the business. In addition, an organizational WISP should also document the entity’s risk assessment and the safeguards that have been implemented to address and minimize those risks, as well as a detailed data breach incident response plan which addresses identified or foreseeable risks and which can be rapidly deployed in the event a business experiences a breach of its systems or networks.
Moreover, because data breaches will trigger class actions under the CCPA, covered entities should place special emphasis on defensive measures that reduce the likelihood of a compromise in the first place. One key tactic is to perform periodic risk assessments that identify the primary threats to the personal information the entity holds, and then to adjust the information security program so that the identified weaknesses are remediated before they can be exploited. Another highly effective way to evaluate an organization’s networks and defenses is to conduct internal and external penetration tests, which simulate real-world attack scenarios so that businesses can shore up their security practices and protocols before malicious actors exploit the same vulnerabilities.
Finally, because the CCPA’s private right of action reaches only “nonencrypted or nonredacted” personal information, covered businesses should encrypt or redact personal information wherever possible and monitor those controls to confirm they remain effective. Two practical caveats follow from the statutory wording: data that is encrypted at rest is only meaningfully “encrypted” if the keys were not exposed in the same incident, so key management deserves as much attention as the choice of algorithm; and redaction must be irreversible (masking or truncation, not a removable overlay) for the stored copy to qualify as redacted.
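The following Go program is an added illustration of what “encrypt or redact the stored copy” looks like in code; it is not part of the original article and does not reflect any particular company’s implementation. It assumes a constructed sample record (the field names email, ssn and card and their values are invented), chooses AES-256-GCM because the statute names no algorithm, and generates its key locally only for demonstration; in production the key would be held in a KMS or HSM separate from the data. Recoverable fields are encrypted with the record ID and field name bound as associated data, so a ciphertext cannot be moved between records or fields undetected, while the card number is irreversibly masked.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// NewKey returns a random 256-bit AES key. This is for the demo only: in production the
// key lives in a KMS or HSM apart from the data, because a key stored beside the
// ciphertext leaves nothing meaningfully "encrypted" after a breach.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// Redact masks all but the last keep characters ("4111111111111111" -> "************1111").
func Redact(s string, keep int) string {
	if len(s) <= keep {
		return strings.Repeat("*", len(s))
	}
	return strings.Repeat("*", len(s)-keep) + s[len(s)-keep:]
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one value with AES-256-GCM. A fresh random nonce is prepended to the
// ciphertext and aad (record ID plus field name) is bound as associated data.
func Encrypt(key []byte, aad, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := gcm.Seal(nil, nonce, []byte(plaintext), []byte(aad))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// Decrypt reverses Encrypt and fails on a wrong key, a mismatched aad or tampered bytes.
func Decrypt(key []byte, aad, encoded string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, raw[:gcm.NonceSize()], raw[gcm.NonceSize():], []byte(aad))
	return string(pt), err
}

// Protect builds the stored form of a record: fields listed in encrypted are sealed under
// "recordID:field", fields in redacted keep only their last 4 characters, all others are dropped.
func Protect(key []byte, recordID string, fields map[string]string, encrypted, redacted []string) (map[string]string, error) {
	out := map[string]string{"id": recordID}
	for _, f := range encrypted {
		enc, err := Encrypt(key, recordID+":"+f, fields[f])
		if err != nil {
			return nil, err
		}
		out[f+"_enc"] = enc
	}
	for _, f := range redacted {
		out[f+"_redacted"] = Redact(fields[f], 4)
	}
	return out, nil
}

// Unprotect recovers one encrypted field from a stored record; redacted fields cannot be recovered.
func Unprotect(key []byte, stored map[string]string, field string) (string, error) {
	return Decrypt(key, stored["id"]+":"+field, stored[field+"_enc"])
}

func main() {
	key, _ := NewKey()
	// Constructed sample record, not real consumer data.
	rec := map[string]string{"email": "jane@example.com", "ssn": "123-45-6789", "card": "4111111111111111"}
	stored, err := Protect(key, "c-1001", rec, []string{"email", "ssn"}, []string{"card"})
	fmt.Println(stored, err)
}
```

Run it and grep the printed map for any of the original values: none should appear, which is the check to repeat against a dump of the real datastore. Note that the design deliberately does not encrypt the record ID, since it is needed as associated data to detect a ciphertext swapped in from another row.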
Today, businesses in every industry face more and more attempted, and often successful, data breach attacks from malicious outsiders, as well as compromise incidents originating inside the organization. Cyberattacks and data breaches have become so commonplace that it is no longer a question of whether a business will fall victim to a breach, but of when and to what extent.
At the same time, the CCPA’s “reasonable” security requirement and private right of action provision greatly increase the potential scope of liability exposure faced by covered entities stemming from data breach incidents. As such, now more than ever organizations that fall under the scope of the CCPA must implement effective defensive mechanisms to shield their networks, systems and data from cyberattacks.
While what exactly constitutes “reasonable” security measures under the CCPA remains unclear, there are several concrete steps that covered businesses can implement to build a defensible security program that will be able to withstand scrutiny in the event the institution suffers a data breach and subsequently finds itself on the receiving end of a consumer-initiated CCPA class action. By implementing the best practices described above, companies can put themselves in the best position to proactively minimize the risk of experiencing a catastrophic data breach, while at the same time putting in place robust security measures that satisfy the CCPA’s “reasonable” security standard.
"Meeting Calif. Privacy Law's 'Reasonable' Security Standard," by David J. Oberly was published in Law360 on July 25, 2019. Reprinted with permission.