While many companies and service providers are spending significant time and budget on the privacy-related requirements of the forthcoming California Consumer Privacy Act (CCPA), the largest exposure for companies not selling or bartering personal information may be a class action for failing to define and maintain reasonable security. Starting January 1, 2020, consumers will be able to sue businesses under California’s strict new privacy law for data breaches caused by the failure to maintain “reasonable security.” For that reason, businesses should begin reviewing their existing security procedures and practices and implementing any additional measures that will establish a defensible security program according to the state of California.
As described in an earlier Fenwick alert, the California Consumer Privacy Act, effective on January 1, 2020, is the broadest privacy law in the United States. Not only does it expand the definition of personal information, it also provides consumers the ability to file private rights of action and class actions against businesses when personal information is disclosed because of the business’ failure to implement reasonable security. California plaintiffs' counsel will no doubt take advantage of this new law as impacted companies are subject to statutory penalties: the greater of $100 to $750 per consumer per incident or actual damages.1 Additionally, the California Office of the Attorney General may fine companies up to $7,500 for each intentional violation. Unlike the potential 4 percent of global revenue penalty cap on breaches under the EU’s General Data Protection Regulation (GDPR), the CCPA has no cap.
California, FTC and Others Provide Guidance. The CCPA penalizes a company when a consumer’s “nonencrypted or nonredacted personal information… is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.” 2 Although the CCPA does not define what security procedures and practices are “reasonable,” there is existing guidance from the state of California as well as other sources.
California Focus on CIS 20 Controls. In 2016, the California Office of the Attorney General published a Data Breach Report in which the attorney general identified 20 Center for Internet Security Controls (CIS Controls) as the “minimum level of information security that all organizations that collect or maintain personal information should meet.”3 The report further indicated that “failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.” The report grouped the CIS Controls by type of action:
|Control Title||Action||Control Reference(s)|
|Count Connections||Know the hardware and software connected to your network.||CSC 1, CSC 2|
|Configure Securely||Implement key security settings.||CSC 3, CSC 11|
|Control Users||Limit user and administrator privileges.||CSC 5, CSC 14|
|Update Continuously||Continuously assess vulnerabilities and patch holes to stay current.||CSC 4|
|Protect Key Assets||Secure critical assets and attack vectors.||CSC 7, CSC 10, CSC 13|
|Implement Defenses||Defend against malware and boundary intrusions.||CSC 8, CSC 12|
|Block Access||Block vulnerable access points.||CSC 9, CSC 15, CSC 18|
|Train Staff||Provide security training to employees, contractors and any vendors with access.||CSC 17|
|Monitor Activity||Monitor accounts and network audit logs.||CSC 6, CSC 16|
|Test and Plan Response||Conduct tests of your defenses and be prepared to respond promptly and effectively to security incidents.||CSC 19, CSC 20|
In addition to the CIS Controls, the attorney general endorsed three other measures in the report:
In 2014, the attorney general referenced a similar list of security measures in the “Cybersecurity in the Golden State” report. The 2014 report also recommends that organizations map their data and decide which stored consumer information is actually necessary for their business. Though it is uncertain whether the current or future attorneys general will endorse the positions taken in these two reports, both report recommendations may serve as the minimum steps businesses should take when handling personal information with “reasonable” security.
FTC Cases on Comprehensive Security. The U.S. Federal Trade Commission (FTC) has brought over 500 enforcement actions protecting the privacy of consumer information, including 75 general privacy lawsuits and over 65 cases against companies that have engaged in unfair or deceptive practices that failed to adequately protect consumers’ personal data.4 These past actions and the resulting consent orders provide some insight about what is considered “reasonable” security. For example, one of the first cases for the FTC in 2002 required Eli Lilly to “establish and maintain a four-stage information security program designed to establish and maintain reasonable and appropriate administrative, technical, and physical safeguards to protect consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality, or integrity, and to protect such information against unauthorized access, use, or disclosure.”
The Fenwick team has extensive experience in these cases in a variety of roles: advising the FTC as an expert witness, representing the company during litigation of the case, serving as the independent assessor of the company and counseling companies through such assessments. Our team's experience includes more than a dozen comprehensive privacy and information security cases, including major cases with global technology, financial, and healthcare companies. Through this experience, we have observed that most companies align their security practices with recognized frameworks, such as the International Organization for Standardization (ISO) 27001 series, the National Institute of Standards and Technology (NIST) Cybersecurity Framework and PCI Data Security Standard (PCI DSS). Healthcare companies may also align to healthcare-specific frameworks and regulations, such as the HIPAA Security Rule.
Other Industry Frameworks. Most companies may be more familiar with these traditional frameworks than with the CIS 20, especially if the companies operate with government data. To ensure that they have established reasonable security for CCPA compliance, companies may choose to operate under the frameworks that best fit their business (like ISO), but evaluate their frameworks and controls against the CIS 20 to confirm that the control standards would be met in the event of a data breach, financing transaction or merger and acquisition due diligence. Other frameworks we have seen used include the Microsoft Security Development Lifecycle (MS SDL), the Gramm-Leach-Bliley Act Safeguards Rule, and, to a lesser extent, COBIT, ITIL and state guidance such as 201 CMR 17 from Massachusetts. A common theme for all frameworks is that “reasonable security” is a process that comprises identifying data to be secured, assessing risks, implementing controls, and monitoring and updating the controls.
Best Practices. Separately, the FTC has published a best practices guide, “Start With Security: A Guide for Business,” in which the agency encourages organizations to put their security standards in writing in contracts with vendors.
* Barbara Wong is a summer associate in Fenwick’s corporate group.
2 1798.150. (a) (1)
3 Version 7.1 is the latest version of the CIS Controls and was released in April 2019. There are some minor changes in the controls from those listed here.
4 Federal Trade Commission Privacy & Data Security Update (2017): An Overview of the Commission’s Enforcement, Policy Initiatives, and Consumer Outreach and Business Guidance in the Areas of Privacy and Data Security: January 2017 – December 2017, and Federal Trade Commission Privacy & Data Security Update for 2018.