The California Privacy Rights Act (CPRA), passed in November 2020, added to the California Consumer Privacy Act (CCPA) an express obligation for covered businesses to adopt reasonable security safeguards to protect personal information. The CPRA also clarified the CCPA’s private right of action for consumers whose personal information is breached due to a failure to implement such safeguards. But remember, reasonable security safeguards are already required under California law, and that requirement is not limited to businesses subject to the CCPA/CPRA.
The CPRA adds subsection (e) to Cal. Civ. Code 1798.100, as follows:
A business that collects a consumer’s personal information shall implement reasonable security procedures and practices appropriate to the nature of the personal information to protect the personal information from unauthorized or illegal access, destruction, use, modification, or disclosure in accordance with Section 1798.81.5.
California Civil Code section 1798.81.5 provides that a business that:
owns, licenses, or maintains personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.
Unlike the CCPA/CPRA, section 1798.81.5 defines “business” more broadly to include “a sole proprietorship, partnership, corporation, association, or other group, however organized and whether or not organized to operate at a profit.” Thus, even if the CCPA, as amended by the CPRA, does not apply to your business, California law still may require the business to have reasonable security safeguards.
The meaning of “reasonable safeguards” is not entirely clear in California. One place to look, however, is the California Data Breach Report that former California Attorney General, and now Vice President, Kamala D. Harris issued in February 2016. According to that report, an organization’s failure to implement all of the 20 controls set forth in the Center for Internet Security’s Critical Security Controls constitutes a lack of reasonable security.
So, although the CPRA generally is operative on January 1, 2023, California businesses might look to the 20 CIS controls at least as a starting point for securing personal information. With regard to which personal information to secure to minimize exposure under the CCPA/CPRA’s private right of action, the law is a bit clearer.
The CCPA extended the private right of action for data breaches only to personal information “defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5”:
(A) An individual’s first name or first initial and the individual’s last name in combination with any one or more of the following data elements, when either the name or the data elements are not encrypted or redacted:
(i) Social security number.
(ii) Driver’s license number, California identification card number, tax identification number, passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual.
(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
(iv) Medical information.
(v) Health insurance information.
(vi) Unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual. Unique biometric data does not include a physical or digital photograph, unless used or stored for facial recognition purposes.
The CPRA added to this list a consumer’s “email address in combination with a password or security question and answer that would permit access to the account.”
In the event a CCPA-covered business experiences a data breach involving personal information, the CCPA authorized a private cause of action against the business if a failure to implement reasonable security safeguards caused the breach. If successful, a plaintiff can seek to recover statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief and any other relief the court deems proper. This means that plaintiffs generally do not have to show actual harm to recover. In case you were wondering, CCPA data breach litigation has already commenced.
To bring such an action under the CCPA, a consumer must provide the business 30 days’ written notice specifying the violation and giving the business an opportunity to cure. If cured under the CCPA, no action may be initiated against the business for statutory damages. However, the CPRA clarifies that businesses cannot cure a failure to have reasonable safeguards before the breach:
implementation and maintenance of reasonable security procedures and practices pursuant to Section 1798.81.5 following a breach does not constitute a cure with respect to that breach.
The CPRA also calls for additional regulations requiring businesses whose processing of consumers’ personal information presents significant risk to consumers’ privacy or security to (i) perform a cybersecurity audit on an annual basis, and (ii) submit to the California Privacy Protection Agency on a regular basis a risk assessment concerning the processing of personal information.
There is more to come following the passage of the CPRA, and businesses should be monitoring CCPA/CPRA developments. However, it is critical to ensure reasonable security safeguards are in place to protect personal information.