While many companies and service providers are spending significant time and budget on the privacy-related requirements of the forthcoming California Consumer Privacy Act (CCPA), the largest exposure for companies not selling or bartering personal information may be a class action for failing to define and maintain reasonable security. Starting January 1, 2020, consumers will be able to sue businesses under California’s strict new privacy law for data breaches caused by the failure to maintain “reasonable security.” For that reason, businesses should begin reviewing their existing security procedures and practices and implementing any additional measures that will establish a defensible security program according to the state of California.
As described in an earlier Fenwick alert, the California Consumer Privacy Act, effective on January 1, 2020, is the broadest privacy law in the United States. Not only does it expand the definition of personal information, it also provides consumers the ability to file private rights of action and class actions against businesses when personal information is disclosed because of the business’ failure to implement reasonable security. California plaintiffs' counsel will no doubt take advantage of this new law as impacted companies are subject to statutory penalties: the greater of $100 to $750 per consumer per incident or actual damages.1 Additionally, the California Office of the Attorney General may fine companies up to $7,500 for each intentional violation. Unlike the potential 4 percent of global revenue penalty cap on breaches under the EU’s General Data Protection Regulation (GDPR), the CCPA has no cap.
The “Reasonable” Security Standard in California
California, FTC and Others Provide Guidance. The CCPA penalizes a company when a consumer’s “nonencrypted or nonredacted personal information… is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices.”2 Although the CCPA does not define what security procedures and practices are “reasonable,” there is existing guidance from the state of California as well as other sources.
California Focus on CIS 20 Controls. In 2016, the California Office of the Attorney General published a Data Breach Report in which the attorney general identified 20 Center for Internet Security Controls (CIS Controls) as the “minimum level of information security that all organizations that collect or maintain personal information should meet.”3 The report further indicated that “failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.” The report grouped the CIS Controls by type of action:
|Control Title|Action|Control Reference(s)|
|---|---|---|
|Count Connections|Know the hardware and software connected to your network.|CSC 1, CSC 2|
|Configure Securely|Implement key security settings.|CSC 3, CSC 11|
|Control Users|Limit user and administrator privileges.|CSC 5, CSC 14|
|Update Continuously|Continuously assess vulnerabilities and patch holes to stay current.|CSC 4|
|Protect Key Assets|Secure critical assets and attack vectors.|CSC 7, CSC 10, CSC 13|
|Implement Defenses|Defend against malware and boundary intrusions.|CSC 8, CSC 12|
|Block Access|Block vulnerable access points.|CSC 9, CSC 15, CSC 18|
|Train Staff|Provide security training to employees, contractors and any vendors with access.|CSC 17|
|Monitor Activity|Monitor accounts and network audit logs.|CSC 6, CSC 16|
|Test and Plan Response|Conduct tests of your defenses and be prepared to respond promptly and effectively to security incidents.|CSC 19, CSC 20|
In addition to the CIS Controls, the attorney general endorsed three other measures in the report:
- Multi-Factor Authentication – Multi-factor authentication should be available to consumer-facing online accounts in addition to employee systems. Multi-factor authentication pairs “something you know,” such as a password or PIN, with “something you are or have,” such as your cellphone or fingerprint.
- Encryption of Data on Portable Devices – Use encryption on laptops and other portable devices.
- Fraud Alerts – Inform consumers about placing a fraud alert on their credit files when there is a breach.
In 2014, the attorney general referenced a similar list of security measures in the “Cybersecurity in the Golden State” report. The 2014 report also recommends that organizations map their data and decide which stored consumer information is actually necessary for their business. Though it is uncertain whether the current or future attorneys general will endorse the positions taken in these two reports, the recommendations in both reports may serve as the minimum steps businesses should take when handling personal information with “reasonable” security.
FTC Cases on Comprehensive Security. The U.S. Federal Trade Commission (FTC) has brought over 500 enforcement actions protecting the privacy of consumer information, including 75 general privacy lawsuits and over 65 cases against companies that have engaged in unfair or deceptive practices that failed to adequately protect consumers’ personal data.4 These past actions and the resulting consent orders provide some insight about what is considered “reasonable” security. For example, one of the first cases for the FTC in 2002 required Eli Lilly to “establish and maintain a four-stage information security program designed to establish and maintain reasonable and appropriate administrative, technical, and physical safeguards to protect consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality, or integrity, and to protect such information against unauthorized access, use, or disclosure.”
The Fenwick team has extensive experience in these cases in a variety of roles: advising the FTC as an expert witness, representing the company during litigation of the case, serving as the independent assessor of the company and counseling companies through such assessments. Our team's experience includes more than a dozen comprehensive privacy and information security cases, including major cases with global technology, financial, and healthcare companies. Through this experience, we have observed that most companies align their security practices with recognized frameworks, such as the International Organization for Standardization (ISO) 27001 series, the National Institute of Standards and Technology (NIST) Cybersecurity Framework and PCI Data Security Standard (PCI DSS). Healthcare companies may also align to healthcare-specific frameworks and regulations, such as the HIPAA Security Rule.
Other Industry Frameworks. Most companies may be more familiar with these traditional frameworks than with the CIS 20, especially if the companies operate with government data. To ensure that they have established reasonable security for CCPA compliance, companies may choose to operate under the frameworks that best fit their business (like ISO), but evaluate their frameworks and controls against the CIS 20 to confirm that the control standards would be met in the event of a data breach, financing transaction or merger and acquisition due diligence. Other frameworks we have seen used include the Microsoft Security Development Lifecycle (MS SDL), the Gramm-Leach-Bliley Act Safeguards Rule, and, to a lesser extent, COBIT, ITIL and state guidance such as 201 CMR 17 from Massachusetts. A common theme for all frameworks is that “reasonable security” is a process that comprises identifying data to be secured, assessing risks, implementing controls, and monitoring and updating the controls.
Best Practices. Separately, the FTC has published a best practices guide, “Start With Security: A Guide for Business,” in which the agency encourages organizations to put their security standards in writing in contracts with vendors.
Five Steps Companies Should Take Now
1. Adopt a Recognized Information Security Framework. Adopt a framework such as ISO, NIST, PCI DSS or the CIS Controls based on best practices for your company’s industry. In our experience, ISO is the most common.
2. Create a Data Inventory and Risk Assessment. Make an inventory of both the sensitivity and location of personal information data. Based on that inventory, companies can scope the boundaries of their security programs and then assess risk. Companies can follow established risk assessment procedures, such as NIST SP 800-53A.
3. Establish a Basic Security Process. Even if a company is earlier stage and does not implement all aspects of a framework, it is important that the key program building blocks that are common to all programs are put into place, including:
- Adopting a written information security policy
- Training employees
- Securing and limiting access to data stores that contain personal information
- Implementing an incident response action plan and
- Practicing the action plan, so that it becomes routine when an incident does occur.
4. Implement or Strengthen Key Controls. In addition to key program building blocks and the 20 key CIS controls, the controls that companies most commonly strengthen, or whose vulnerabilities they most commonly address, include:
- Access Controls: Review access to systems containing personal data, implement consistent, reliable provisioning, deprovisioning and access review processes for such systems, and block vulnerable access points.
- MFA: Implement multi-factor authentication for critical systems.
- Encryption: Use encryption for personal information in transit and at rest.
- Log Monitoring/Alerting: Implement monitoring and alerting to identify unusual or suspicious network activity, whether internal (e.g., failed logon attempts) or external (e.g., intrusion detection).
- Attack and Penetration Testing: Conduct regular reviews and test security defenses to identify and remediate any weaknesses before a data breach occurs.
5. Disclose Third-Party Sharing. Review key system interfaces, application programming interfaces (APIs), software development kits (SDKs) and other data sharing methods involving third parties, especially those used for AdTech and marketing analytics. Given the number of recent enforcements in the E.U. and U.S. for inadequate transparency and safeguards relating to third-party data sharing (including large fines by the CNIL and FTC), companies should take extra care in their privacy policies to identify and clearly disclose any external sharing of information (and avoid undisclosed third parties who use the information for their own purposes).