Data Security under the California Consumer Privacy Act: Instructions Not Included

California flag original“Reasonable security.” If you’re a California business, this is what’s generally expected of you (e.g., Cal. Civ. Code § 1798.81.5).  If you collect personal data, you are expected to secure it.  But what’s the right level of cybersecurity under the California Consumer Privacy Act of 2018 (CCPA)?  Are specific frameworks recommended? Let’s wade into the murky waters ….

Historical Background

In the February 2016 “California Data Breach Report,” then-California Attorney General Kamala Harris stated, “if companies collect consumers’ personal data, they have a duty to secure it. An organization cannot protect people’s privacy without being able to secure their data from unauthorized access.”

In 2018, California Governor Brown signed Assembly Bill 375, now known as the CCPA. It’s a comprehensive data privacy law that gives California residents new rights concerning their personal information.  Businesses will have to protect the personal data they collect, store, or process.

The CCPA has been amended once – so far.  This amendment occurred in 2018, when the California legislature passed Senate Bill 1121, a “technical corrections” bill.  A second amendment, Senate Bill 561, introduced by Attorney General Xavier Becerra and Senator Hannah-Beth Jackson, is working its way through the legislative process as of today. It contains further amendments and corrections. Most notably, SB 561 removes the 30-day cure period for businesses and expands consumers’ rights to bring civil actions for damages.

Enforcement is slated to begin January 1, 2020.

Data Security Standards

In its current form, the CCPA does not tell us what level of data security is required. That’s problematic. Data security is not a digital button you toggle on and turn green.  Data security programs take significant time and money to implement.

To compare, the GDPR includes a little more language on data security standards. Under the GDPR, data security is a general obligation for all companies processing personal data from the European Union. Specifically, the GDPR requires “appropriate technical and organizational measures to ensure a level of security appropriate to the risk” (Article 32).

The CCPA provides “a private right of action in connection with certain unauthorized access and exfiltration, theft, or disclosure of a consumer’s nonencrypted or nonredacted personal information, as defined.”  It also refers to “misconduct.”  Even though data security is not specifically addressed, we know it’s needed to accomplish the data privacy objectives of the law. For example, data security prevents unauthorized access.  A lapse in data security could be evidence of misconduct that leads to legal action.

So what kind of security program will satisfy the law?

Here’s a clue: the #1 recommendation from California’s AG in the 2016 “California Data Breach Report” is to implement a cybersecurity framework.

The report recommends “that organizations implement the 20 controls in the Center for Internet Security’s Critical Security Controls, affirmatively stating that the failure to implement such controls would constitute a lack of reasonable security.”

The CIS Controls – formerly the SANS Top 20 – is a well-respected set of security controls. CIS recently released Version 7.1, which is available for free. The CIS Controls nicely map to the NIST Cybersecurity Framework.  Also, as we reported on before, the CIS Controls are expressly mentioned in the 2018 Ohio Data Protection Act, the Ohio law that creates a safe harbor for organizations that adopt one of the named cybersecurity compliance frameworks.

But the CIS Controls are not the only framework to consider. For most companies, there are multiple cyber frameworks available. Suitability ranges from minimally-compliant to wildly ambitious.

So, based on the AG’s report and other tidbits, we will continue to advise that implementing a relevant cybersecurity framework is an effective way to establish “reasonable security” under the CCPA and other California data breach law.  Obtaining validation of compliance with that framework is best, but implementing one is a good start.

Clarification Needed – ASAP

Clarification on CCPA’s data security standard is needed by many companies.

The International Association of Privacy Professionals (IAPP) examined the CCPA and found that it “will apply to more than 500,000 U.S. companies, the vast majority of which are small- to medium-sized enterprises.”  Some of these companies will be interpreting California security standards for the first time.  In these cases, ambiguity is the enemy.

Businesses within scope will be asking this question:  Does my cybersecurity program satisfy California’s data security requirements?  The CCPA and implementing regulations needs to provide guidance on this question.

Clarification is needed now. The CCPA takes effect on January 1, 2020.  However, the law also includes a 12-month look back provision. The look back gives California consumers rights to access the information gathered on them from the past 12 months. If you do the math, that mean consumers will have the right to access their personal data collected or stored as of January 1, 2019.  This means that businesses in scope need to begin risk assessments, data inventorying, and recordkeeping from that date onwards.  As of today, that’s about 4 months ago. Ouch, just ouch.

When data security laws are unclear, bad things happen. Businesses may take a wait-and-see attitude. Data goes unprotected.  Security and compliance jobs become more complex. In this current, high-tempo environment, clear data security standards are key to successful implementation of the law.

The author, Colleen H. Johnson, JD, ( is Sera-Brynn’s senior legal analyst.