Avoiding the California Privacy and Security Litigation Tsunami: CCPA FAQ: What Are “Reasonable Security Procedures and Practices” under the CCPA?

February 26, 2019

Companies that do business in California know that the state is a magnet for class action litigation. The California Consumer Privacy Act ("CCPA"), a new privacy law that applies to personal information collected about California residents, will give plaintiffs' attorneys even more incentive to bring suit in California.

The CCPA was enacted in early 2018 as a political compromise to stave off a poorly drafted ballot initiative. Although the CCPA is scheduled to go into force in early 2020, there is a great deal of confusion regarding the requirements of the CCPA, including the degree to which it aligns with other privacy regulations such as the European General Data Protection Regulation (“GDPR”).  To help address that confusion, BCLP is publishing a multi-part series to address the most frequently asked litigation-related questions concerning the CCPA.  BCLP is also working with clients to assess – and mitigate – litigation risks for when the CCPA goes into effect by putting in place the policies, procedures, and protocols needed to comply with the Act.

Q. What Are “Reasonable Security Procedures and Practices” under the CCPA?

Under the CCPA’s private right of action, any consumer whose nonencrypted or nonredacted personal information is compromised in a data breach can sue to recover statutory damages of between $100 and $750 “per consumer per incident or actual damages, whichever is greater.”1 To recover, the consumer must show that the breach resulted from the business’s failure to “implement and maintain reasonable security procedures and practices appropriate to the nature of the information...”2 Historically elusive, the definition of “reasonable security procedures and practices” is coming into focus.

On February 25, 2016, the Office of the California Attorney General released its 2016 California Data Breach Report, a study of the data breaches reported to the AG from 2012-2015.  The Report, though now several years old, offers insights into how the Attorney General's office may exercise its enforcement powers under the CCPA and what factors the trier of fact may consider in deciding the “reasonableness” of an organization’s data security procedures.  

Most significant is the Attorney General’s position that the Center for Internet Security's Critical Security Controls (“Controls”), a set of 20 cybersecurity defensive measures, "define a minimum level of information security that all organizations that collect or maintain personal information should meet," and that “[t]he failure to implement all the Controls that apply to an organization’s environment” would “constitute[] a lack of reasonable security.”  In other words, the Controls represent the baseline for “reasonable security procedures and practices.”

Notably, the Breach Report does not create any regulatory obligations, and it is uncertain whether a court would give it the same weight as a formal Attorney General opinion,3 but it strongly suggests that an organization’s security procedures will be benchmarked against the Controls and/or other well-accepted industry frameworks (e.g., ISO 27002, NIST). To be best prepared to meet the “reasonableness” standard under the CCPA, organizations should consider a gap analysis of their information security practices against the Controls or a comparable framework. Because the Report frames the benchmark as the Controls "that apply to an organization’s environment," the analysis should record, for each Control, either how it has been implemented or why it does not apply; a decision to adopt, or not to adopt, a given Control should be documented and reasoned at the time it is made, not reconstructed after a breach.


1. CCPA, Section 1798.150(a)(1).

2. Id. (emphasis supplied).

3. California Building Industry Association v. State Water Resources Control Board, 8 Cal. App. 5th 52 (Ct. App. 2017) (Opinions of the Attorney General, while not binding upon courts, are entitled to great weight).