Information Security Under the CCPA Statute
The CCPA is not, per se, an information security or breach notification statute. California has distinct breach notification and information security statutes (§§1798.82 and 1798.81.5 of the Civil Code, respectively), both of which predate passage of the CCPA. Section 1798.150 represents the CCPA’s requirements for protecting personal information using reasonable security procedures. Noteworthy about this section is that it couches the mandate in the negative, i.e., that the violation of the duty to protect personal information exposes the offending business to a civil action by the victim. The relevant text of §150(a)(1) reads:
Any consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:
A. To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.
B. Injunctive or declaratory relief.
C. Any other relief the court deems proper.
If plaintiffs wish to pursue statutory damages, they must give 30 days’ notice so the defendant can “cure” the breach; otherwise, they can go directly to court.
With respect to the cure of a breach, there is no guidance provided by the CCPA statute or the Regulations. What is known is that fixing the problem that caused the breach does not cure it; the offending entity must put the victim in the position they were in before the breach.[1]
Information Security Under the CCPA Regulations
The CCPA Regulations provide insight into two related, if not overlapping, areas of information security: verification of requestors and implementation of controls to protect personal information. Section 999.313, Responding to Requests to Know and Requests to Delete, prescribes the following with respect to requests to know in the context of information security:
c) Responding to Requests to Know
3) A business shall not provide a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks.
6) A business shall use reasonable security measures when transmitting personal information to the consumer.
Section 999.323 presents General Rules Regarding Verification, some of which include:
a) A business shall establish, document, and comply with a reasonable method for verifying that the person making a request to know or a request to delete is the consumer about whom the business has collected information.
b) In determining the method by which the business will verify the consumer’s identity, the business shall:
1) Whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service that complies with this section.
d) A business shall implement reasonable security measures to detect fraudulent identity verification activity and prevent the unauthorized access to or deletion of a consumer’s personal
The Regulations prescribe a two-track system for verifying the identity of a requestor: one for requestors with an existing password-protected account and one for everyone else. Within this latter track are two standards, a base one if the requestor desires to know the categories of information collected and a higher one if the requestor desires to know the specific pieces of information collected. Section 999.324, Verification for Password-Protected Accounts, states in pertinent part the following:
a) If a business maintains a password-protected account with the consumer, the business may verify the consumer’s identity through the business’s existing authentication practices for the consumer’s account[.]
b) If a business suspects fraudulent or malicious activity on or from the password-protected account, the business shall not comply with a consumer’s request to know or request to delete until further verification procedures determine that the consumer request is authentic[.]
Section 999.325, Verification for Non-Accountholders, states in pertinent part the following:
a) If a consumer does not have or cannot access a password-protected account with the business, the business shall comply with this section, in addition to section 999.323.
b) A business’s compliance with a request to know categories of personal information requires that the business verify the identity of the consumer making the request to a reasonable degree of certainty. A reasonable degree of certainty may include matching at least two data points provided by the consumer with data points maintained by the business, ….
c) A business’s compliance with a request to know specific pieces of personal information requires that the business verify the identity of the consumer making the request to a reasonably high degree of certainty, which is a higher bar for verification. A reasonably high degree of certainty may include matching at least three pieces of personal information provided by the consumer with personal information maintained by the business … with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.
d) A business’s compliance with a request to delete may require that the business verify the identity of the consumer to a reasonable degree or a reasonably high degree of certainty depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion.
e) Illustrative scenarios follow [deleted]:
In sum, the responsibility to protect the confidentiality, integrity, and availability of consumer personal information is articulated in the context of (1) verifying that a requestor is who they say they are (i.e., protecting confidentiality) and (2) employing “reasonable security procedures and practices” to protect the integrity and availability of that information. In 2016, the California Attorney General’s office published a report on data breaches that occurred during the period of 2012-2015. Among the recommendations made by the Attorney General is that
[t]he 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.[2]
Citations to the report by the current California Attorney General are noteworthy by their absence, and it is unclear whether businesses should invest in advancing compliance using the Critical Security Controls.
Finally, the statute’s requirement that the procedures and practices be “appropriate to the nature of the information” implies that a business must first conduct a risk assessment to understand the potential for harm that could result from the exposure of that information, or from its destruction or damage to its integrity. The lack of such an assessment could expose the business to charges of not understanding the scope of the risk to personal information in its care.
1. See Romero v. Dep’t Stores Nat’l Bank, 725 F. App’x 537, 540 (9th Cir. 2018).
2. California Data Breach Report 2012-2015, Kamala D. Harris, Attorney General, California Department of Justice (2016), at v.