Administrative/Regulatory,
Corporate

Apr. 3, 2019

What is ‘reasonable’ under California’s new consumer privacy law?

Although the California Consumer Privacy Act does not define the phrase "reasonable security procedures and practices," that language is not new.

Jeffrey L. Bleich

UC Berkeley School of Law

Jeff is a former president of the State Bar of California and special counsel to President Barack Obama. He currently serves as a special master for multi-district litigation in the federal court.

Peter Z. Stockburger

Senior Managing Associate
Dentons US LLP

litigation, dispute resolution, employment litigation, cybersecurity and data protection, complex commercial litigation

U San Diego School of Law

Peter practices in the firm's Litigation and Dispute Resolution group, and is a member of the firm's global Employment and Labor group and Cybersecurity groups. He focuses his practice on cybersecurity and data protection, employment litigation and counseling and complex commercial litigation. He also concentrates in public international law and is a contributor to Dentons' Privacy and Cybersecurity Law blog.

On June 28, 2018, California passed a sweeping new consumer privacy law called the California Consumer Privacy Act of 2018 (Civil Code Sections 1798.100 et seq.). Unless revised by forthcoming regulations promulgated by the California attorney general's office, amended by the California Legislature, or preempted by federal law, the CCPA will take effect Jan. 1, 2020, and will significantly expand the right of California residents to know what personal information businesses have collected about them, for what purpose, and how that information is shared with third parties.

Much has already been written about the CCPA, including how the statute's new definitions of "consumer" (e.g., all California residents, including employees) and "personal information" (e.g., IP information and internet activity) will likely introduce difficult compliance challenges for businesses. Others have written about the statute's ambiguities surrounding the scope of the new consumer rights to access and deletion, and the right to opt out of the sale of personal information.

What has received less attention, however, is how courts may approach the statute's limited private right of action, and the potential scope of liability for businesses if those actions are successful.

The private right of action under the CCPA currently applies only if a California resident's non-encrypted or non-redacted personal information is subject to unauthorized "access and exfiltration, theft, or disclosures" as a result of a business' "violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information." Section 1798.150(a)(1). Although the law does not define the phrase "reasonable security procedures and practices," that language is not new. Civil Code Section 1798.81.5, which predates the CCPA by almost 15 years, contains an almost identical standard. Federal laws, such as the Gramm-Leach Bliley Act, likewise contain reasonable security requirements for covered entities. So the million (or multi-million) dollar question for businesses that receive PII now is: What security measure is reasonable?

Many companies currently rely on federal or international standards as a benchmark for "reasonable" security, but those standards vary. One company may track its information security practices with the so-called "NIST" standards (a widely accepted 2014 Cybersecurity Framework prepared by the U.S. Department of Commerce's National Institute of Standards and Technology). Another may track the international security standards created by the International Standards Organization. Or companies may follow industry-specific standards, such as the Common Security Framework developed by the Health Information Trust Alliance ("HITRUST") in the healthcare space, or specific frameworks for the critical infrastructure sectors, such as the U.S. Transportation Services Administration's 2011 Pipeline Security Guidelines or the North American Electric Reliability Corporation's Critical Infrastructure Protection Standards.

California may have its own information security standards, though, separate from federal, international, or industry-specific standards. In 2016, the attorney general expressly endorsed its own view of reasonable security measures in its "2016 California Data Breach Report." The attorney general stated that reasonable security measures include 20 specific security controls set forth in the Center for Internet Security's ("CIS") Critical Security Controls ("Controls"). According to the attorney general, the CIS Controls "define a minimum level of information security that all organizations that collect or maintain personal information should meet," and that "[t]he failure to implement all the Controls that apply to an organization's environment" would constitute a "lack of reasonable security."

While the attorney general's 2016 guidance may appear to establish a floor for determining "reasonable security measures," it is not clear that this opinion would be adopted by a court in a private action brought by a California resident under the CCPA. First, the standard of what is reasonable may change over time. What was reasonable in 2016 may no longer be reasonable in 2019 or 2020. In fact, the consensus among cybersecurity professionals today is that even the best measures will not protect against every successful hack, and so enterprises should focus on developing redundant and varied measures to mitigate risk, rather than relying on a particular set of security controls that could still be compromised.

The CCPA, as currently amended, does not provide an answer for businesses in selecting an information security standard. The only guidance provided by the CCPA is that the court will consider various factors in determining what is reasonable under the circumstances. If a business guesses wrong, liability can pile up quickly. The damages available to California residents under the CCPA, for example, include statutory damages not less than $100 and not more than $750 per consumer per incident, or actual damages, whichever is greater. Section 1798.150(a)(2). In determining the amount of statutory damages, the court has discretion to consider any "relevant circumstances presented by any of the parties," including factors such as the "nature and seriousness of the misconduct, the number of violations, the persistence of the misconduct, the length of time over which the misconduct occurred, the willfulness of the defendant's misconduct, and the defendant's assets, liabilities, and net worth." Section 1798.150(a)(2). A company that suffers a massive data breach may understandably worry that whatever standard it had adopted, class action plaintiffs may argue successfully that the breach alone goes a long way towards demonstrating that the company chose the wrong standard. A breach that exposes a million consumers' data is automatically a minimum of $100 million in statutory damages.

Most likely, there will not be a clear "one-size-fits-all" approach that offers businesses a safe harbor. Whether and to what degree a business is determined to have maintained a reasonable security posture will likely be based on the business's resources and capabilities, the specific industry, and the nature of the data protected. For example, if the business operates in the healthcare space, adherence to the CIS Controls alone will likely not be sufficient. Likewise, if the business operates within a critical infrastructure sector, adherence to the CIS Controls, without more, may not be considered reasonable under the circumstances.

As the CCPA moves from inception to enforcement, covered businesses should conduct a gap assessment of their current information security/cybersecurity policies, procedures, and practices to ensure they are operating within the framework appropriate to their particular industry. Exhaustive data mapping and data inventory will also help businesses understand the scope of their potential exposure under the CCPA, and ensure that their information security practices and policies align with the business's legal obligations. Most likely, drawing upon multiple standards to broaden the protections would improve a business's defense, because it would go "beyond" the standards and create a redundancy and resilience that courts would likely appreciate.

And, of course, all these efforts may need to shift as the attorney general prepares proposed CCPA rules to be issued in the fall of 2019, and the California Legislature considers whether to expand the private right of action to the entire CCPA. It may be that, for now, the reasonable thing to do is be unreasonably cautious.
