The CCPA permits consumers to bring suit if a data breach occurs that was “a result of” the business failing to “implement and maintain reasonable security procedures and practices . . . .” 1 As a result, strict liability should not attach simply because a data breach occurred. Put differently, a plaintiff must prove both that the breach was a result of the business’s security procedures and that those procedures were not reasonable given a number of factors such as the type of data that the business collected, the industry segment, the size of the business, the type of breach that occurred, etc.