Recommendation to Attorney General Becerra to adopt Minimum Reasonable Information Security Practices as a floor on reasonableness, December 3, 2019.
Version 1.0
Last Revision: June 30, 2019
Overview
The phrase reasonable security procedures and practices appears in California law, including the new California Consumer Privacy Act (CCPA).
The phrase is left undefined except that reasonable is to relate to the nature of the information, the security procedures and practices must be reasonable to protect that information.
In the lead-up to and into the early-years of California’s experience with the CCPA we can expect a vigorous dialogue over what the phrase reasonable security procedures and practices will eventually come to mean.
SecureTheVillage believes the security practices described here are a minimum set of security practices that a company (subject to CCPA) must implement and maintain for it to claim that it has reasonable security procedures and practices.
The security practices described here are designed to be a floor: If you are not doing these things, then you do not have reasonable security procedures and practices.
Most definitively, SecureTheVillage is not claiming that a company that implements these practices has reasonable security practices; we are saying that a company’s failure to do so is prima facie evidence that the company’s security procedures and practices are not reasonable.
The Legal Importance of Reasonable Security Procedures and Practices
The California Consumer Privacy Act (CCPA) private right of action establishes statutory damages of between $100 and $750 per incident for consumers whose personal information has been compromised by a breach resulting from the business’ “violation of the duty to implement reasonable security procedures and practices appropriate to the nature of the information to protect the personal information. (CA Civil Code Section 1798.150(a)(1)).
The statutory exposure for a company with as few as 10,000 “qualifying data elements” is between $1,000,000 and $7,500,000. This combined with the legal duty to acknowledge a breach should one occur, significantly increases the financial risk of such a cyber event.
This increases the importance to a company that it have and that it maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.
The phrase implement and maintain reasonable security procedures and practices appears without definition in both the CCPA and CA Civil Code 1798.81.5. Consequently, it is not yet known what constitutes reasonable security procedures and practices. This will emerge as the California legislature amends the Act, as the Attorney General provides guidance, and as case law begins to unfold.
Candidate Descriptors for Reasonable Security Procedures and Practices
There are several markers that point the way towards what might constitute reasonable security procedures and practices:
- The NIST Cybersecurity Framework is a logical contender for what constitutes reasonable security. The Framework though does not include — nor is it intended to include — security procedures and practices. It is intended, instead, as the basis upon which an organization can develop its own security procedures and practices.
- In the California 2016 Data Breach Report, then Attorney General Kamala Harris wrote “The 20 controls in the Center for Internet Security’s Critical Security Controls [CIS-20] define a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”
- Believing the CIS-20 to be too onerous for smaller organizations, SecureTheVillage developed a Code of Basic IT Security Management Practices to serve as a minimal set of information security management practices, a security floor, so-to-speak, on the security management of the IT infrastructure.
- Like the CIS-20, New York State Department of Financial Services, 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies contain operational requirements that could serve in part to give specificity to reasonable security procedures and practices. NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations may also be useful in defining reasonable security procedures and practices. So might the Payment Card Industry’s Data Security Standard, HIPAA, and Gramm-Leach-Bliley.
- While it would be hard to argue that a company certified compliant with International Standards Organization ISO 27001, 27002, et al fails to meet the threshold of reasonable security procedures and practices, it is unreasonable to impose a certification standard on smaller organizations for which it may not be commercially reasonable.
SecureTheVillage Objectives
SecureTheVillage is providing these Minimum Reasonable Security Practices to the community as a public service.
- To serve as a straw man in community dialogue over what might constitute reasonable security practices and what might not
- As a baseline for companies to use in designing their own security procedures and practices
- As a guide for attorneys to use in advising their clients on managing the legal risks of CCPA
- As a guide for insurance providers needing to assess the security reasonableness of policy holders
- As a guide to financial institutions in evaluating their exposure to a client’s security incident