From an information security perspective, laws often have the goal of maintaining and protecting three components: the confidentiality, integrity, and availability of data. Maintaining the confidentiality of data means that unauthorized disclosures of the information are prevented, which is achieved through technical safeguards such as encryption and firewalls. Preserving the integrity of data helps to ensure that information is protected from any unauthorized or unintentional modification or deletion. A number of privacy laws require covered entities to ensure that consumer information is correct, such as the Fair Credit Reporting Act in the United States. Finally, ensuring the availability of information entails making it readily accessible to those authorized to use it.
The California Consumer Privacy Act (“CCPA”) governs the collection and disclosure of consumers’ personally identifiable information (“PII”). In addition, the CCPA requires that businesses implement and maintain “reasonable security procedures and practices” to protect the PII of consumers. In practice, this requirement seeks to preserve the three components discussed above: confidentiality, integrity, and availability of data.
This article will discuss the following three topics:
- When are “reasonable security measures” required under the CCPA?
- What constitutes “reasonable security measures” under the CCPA?
- Consequences for failing to provide “reasonable security measures” under the CCPA
When are “reasonable security measures” required under the CCPA?
The CCPA states that “any consumer whose nonencrypted or nonredacted personal information is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action . . . .”
“Nonencrypted or nonredacted personal information” is defined as:
- An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
  - Social security number
  - Driver’s license number or any unique state identification number
  - Account number, or a credit or debit card number, in combination with the credentials needed to access the account
  - Medical information
  - Health information
  - Biometric data
What constitutes “reasonable security measures” under the CCPA?
So what measures constitute “reasonable security measures” under the CCPA? Although not explicitly defined by the CCPA, previous statements made by the California Attorney General indicate that failing to comply with the Center for Internet Security’s (“CIS”) Critical Security Controls could constitute a lack of reasonable security under the law.
CIS Control 13 provides specific measures businesses may take to provide reasonable security. These measures include the following:
- Create a data inventory mapping the flow of sensitive information
- Remove sensitive data not regularly accessed by the business
- Monitor and block unauthorized network access
- Monitor and detect any unauthorized use of encryption
- Encrypt the hard drives of all mobile devices
- Manage USB devices
- Encrypt data on the USB devices
These measures are largely consistent with the three foundational principles of security previously discussed: confidentiality, integrity, and availability. Companies that create a data inventory will be better positioned to determine who has access to sensitive information, how that information is stored, and what security measures are already in place to protect the data. Mapping the data’s lifecycle will allow the business to conduct an accurate risk assessment of what threats, if any, may result in breaches of data in violation of the CCPA.
CIS Control 13 also stresses the importance of “data minimization” with respect to removing sensitive data not regularly accessed by the business. This practice provides a number of benefits from a CCPA compliance standpoint. Referring back to data inventories, removing sensitive data is more feasible if a business is able to readily identify where the information is located in the company’s network. Moreover, deleting data no longer used by the business decreases the risk that the information will be exposed in an unauthorized breach under the CCPA. These data minimization principles draw parallels with Europe’s General Data Protection Regulation, which requires data processing to be limited to what is necessary to perform a stated purpose.
Because the CCPA requires “reasonable” security measures, it is likely that determining exactly what constitutes such measures will depend on the circumstances. For example, widespread system encryption for a large corporation may be deemed a reasonable security measure while at the same time being deemed unnecessary or unreasonable for a small business’s computer network. As the enforcement period begins on July 1st, 2020, businesses should expect clarification as to what constitutes reasonable security measures under the CCPA.
Consequences for failing to provide “reasonable security measures” under the CCPA
Should a business be found to have failed to implement reasonable security measures under the CCPA, the law provides consumers with the ability to file lawsuits against those businesses under certain circumstances. Moreover, noncompliant businesses could be subject to enforcement actions brought by the California State Attorney General. These enforcement actions may result in significant fines depending on how many consumers are impacted by the data breach.