The CCPA requires ‘reasonable security.’ What exactly does that mean?
On Jan. 1, 2020, California consumers will wake up to a new era of expansive data privacy rights. Businesses that serve them will more likely greet the new year with compliance headaches induced by the California Consumer Privacy Act of 2018, or CCPA.
The CCPA, which goes into effect Jan. 1, requires companies that serve California residents to have “reasonable security” in place to protect sensitive consumer information. Trouble is, the term reasonable security is amorphous. But the potential consequences are not: The CCPA provides a very structured “private right of action” that allows consumers to sue businesses that mishandle their private data.
While California has not issued prescriptive safeguards for reasonable security, it earlier pointed to a set of guidelines that frames its thinking on the matter. In a 2016 report, the state attorney general endorsed the Center for Internet Security’s 20 CIS Controls as a baseline for reasonable security. The 20 CIS Controls identify a minimum level of security that all data-driven organizations should meet. It’s a great initial check against the measures that matter, including authentication, administrative privilege, mobile device security, incident-response plans, and data-protection policies, among 15 others.
If you haven’t addressed CCPA yet, now’s the time to act. Using the 20 CIS Controls as a guide, your first step should be a risk-based assessment of your cybersecurity and privacy threats and safeguards. This evaluation will help you define your organization’s specific risk sensitivity, and then tailor security and privacy controls to meet (or exceed) that level. In particular, you’ll need to take a hard look at the lifecycle of data covered by the CCPA, including customer, corporate, regulatory, and third-party partner information. It will also be crucial to document how these different types of data are collected, stored, accessed, processed, transmitted, and protected.
Next, compare how your assessment stacks up against the CIS guidelines. This exercise will help you understand your current and future-state security maturity, as well as chart an implementation roadmap that can be used to demonstrate that your security is, in fact, reasonable.
You’ll need more than 20
While the 20 CIS Controls are a solid start, particularly given their endorsement by the California attorney general, the framework doesn’t address all CCPA provisions. Among the thorniest is the ability to access and delete consumer information on demand, known as a consumer fulfillment request. When a business receives a verified consumer fulfillment request, it will be required to provide access to and/or delete the requester’s personal information. Satisfying these consumer requests is all but certain to require new or updated processes, workflows, and technologies. Failure to do so can result in costly financial penalties, lawsuits, and, of course, negative headlines.
Another major risk category missing from the 20 CIS Controls is due diligence of third-party partners. Your organization’s security, after all, is only as strong as your weakest vendor’s. That’s why it’s essential to conduct a comprehensive risk assessment of business partners that the company shares information with. This evaluation should identify in detail specific vendor security controls in place to protect personal information.
Also note that you’ll need to review all contracts with third parties with whom you share, sell, or otherwise process consumer data. Most organizations will need to renegotiate contracts to cover data safeguards and controls mandated by the CCPA. Large organizations with hundreds, or even thousands, of vendors will be hardest hit.
It’s not set in stone: Pending amendments
The CCPA goes into effect in a matter of weeks, but it remains a work in progress. Over the past year, a flurry of amendments has been introduced; some have been signed into law and others have languished in the legislature. Some of the most significant potential changes are likely to include:
- Personal data of employees, contractors, and applicants will be exempt from most provisions of the CCPA. But organizations will be required to educate employees on data-privacy procedures, including written policies published in employee handbooks. Significantly, this exemption is due to expire Jan. 1, 2021, which means that employee data could later be brought into scope. Keep an eye on this one over the next 15 months.
- Similarly, most personal information generated by B2B transactions will be exempt. But like the employee provision, this exemption is due to sunset Jan. 1, 2021.
- Online-only businesses that have direct relationships with consumers can simply provide an email address for contact with data requesters. Other companies will be required to offer two or more methods for submitting requests for information.
You have to prepare for reasonable
As amendments are added and provisions are sunsetted, the concept of reasonable security is likely to evolve. There’s no way to predict how it will morph over time, but we do know that security and business leaders will need to proactively build a CCPA-compliant cybersecurity and privacy program to prepare for changes and deflect risks.
Another unknown is liability: many businesses don’t fully grasp the liability implications of the CCPA. That’s understandable, given that the CCPA is the first law of its kind in the U.S., and that California will not begin enforcement until July 1, 2020.
But here’s one thing you can bet on: If you continue to back-burner the CCPA, you may be putting yourself, your board, and your CEO at risk.