Under the California Consumer Privacy Act (CCPA), a data breach resulting from a lack of “reasonable security procedures and practices” gives rise to a private right of action (e.g. for a class action lawsuit).
Comments to the final CCPA Regulations asked the California Attorney General for more explicit guidance as to what constitutes such measures.
The answer: this is a fact-specific determination, and prescribing specific measures would be too limiting.
What to do in the meantime?
- Use a known data protection framework: e.g. NIST CSF or ISO 27001.
- Apply the CIS Top 20 Controls, which the CA AG cited in its 2016 data breach report.
- Look to FTC guidance in “Start with Security,” “Stick with Security” and the recent FTC enforcement actions.
- Look to industry standards, but assess them for reasonableness (regarding verification of identity, the AG noted that industry standards may not be adequate or fully up to date).
![CCPA Final Regs Reasonable Measures Odia Kagan](https://media-exp1.licdn.com/dms/image/C4E22AQF2LqgXA0heqQ/feedshare-shrink_800/0?e=1596672000&v=beta&t=ncWbxfBoYeP7W3_DxsGuOpWn57sUyIBRd6apTE8Do1s)