Under the California Consumer Privacy Act (CCPA), a data breach resulting from a lack of “reasonable security procedures and practices” gives rise to a private right of action (e.g. a class action lawsuit).
Comments to the final CCPA Regulations asked the California Attorney General for more explicit guidance as to what constitutes such measures.
The answer: this is a fact-specific determination, and prescribing particular measures would be too limiting.
What to do in the meantime?
- Use a known data protection framework: e.g. NIST CSF or ISO 27001.
- Apply the CIS Top 20 framework, which the California AG mentioned in the AG’s 2016 data breach report.
- Look to FTC guidance in “Start with Security,” “Stick with Security” and the recent FTC enforcement actions.
- Look to industry standards, but assess them for reasonableness (regarding verification of identity, the AG noted that industry standards may not be adequate or fully up to date).