  • Products
    • Products

      • Governance Suite Use Spirion’s suite to enhance data security posture management
      • Sensitive Data Platform Scan, classify, remediate using SaaS solution
      • Sensitive Data Finder Automate Subject Rights Request processing
      • Sensitive Data Watcher Actively monitor and understand your data
      • Sensitive Data Manager Scan, classify, remediate using on-premise solution
    • Learn more

      • Data Security Posture Management Identify security and privacy risks wherever data lives and secure where it travels.
      • Data Risk Assessment Proactive audit – discover how your org protects its sensitive data before a data breach occurs
      • Data Impact Assessment Reactive audit – respond to an incident for swift and accurate data breach mitigation
      • Privacy-Grade™ Compliance and privacy standards that set the bar for sensitive data protection.
    • Technology

      • CADIA Advanced ML/AI to accurately discover and classify sensitive data
      • AnyFinds™ Minimize false positives and deliver accurate matches
      • Interrogated Platforms More data sources than anyone including both unstructured and structured data
      • Marketplace Integrate with security tools and explore resources to boost data protection
      • Governance Framework Outlines key stages of readiness to safeguard sensitive data and maintain compliance.
    • WHITE PAPER

      Complete Your Microsoft 365 Data Protection Stack
  • Solutions
    • Industry Solutions

      • eCommerce
      • Finance
      • Healthcare
      • Higher Education
      • Manufacturing
      • Telecommunications
    • Security & Privacy Use Cases

      • Data Security Posture Management (DSPM)
      • Microsoft Purview Integration
      • DISCOVER: Sensitive data-at-rest is data-at-risk
      • CLASSIFY: Unify data governance efforts with context-rich classification
      • CONTROL: Reduce the risk and cost of a data breach
      • COMPLY: Accelerate PCI-DSS compliance
    • Compliance

      • Overview
      • GDPR
      • CCPA
      • CMMC
      • CPRA
      • GLBA
      • HIPAA
      • The New York SHIELD Act
      • PCI DSS
      • Other
    • WHITE PAPER

      Complete Your Microsoft 365 Data Protection Stack
  • Resources
    • Resources

      • Blog
      • Case Studies
      • Data Sheet
      • Events
      • MS Purview Calculator
      • Podcast
      • Whitepapers & Research
    • Core Expertise

      • How to take a data-centric approach to security
      • What are cyber insurance requirements?
      • What is data lifecycle management?
      • What is data loss prevention?
      • What is a data risk assessment?
      • What is endpoint security?
      • What is a sensitive data governance framework?
    • Core Capabilities

      • Data Discovery Software Tools: Capabilities and Benefits
      • What is sensitive data discovery?
      • What is semantic data discovery?
      • What is data classification?
      • What is data remediation?
    • WHITE PAPER

      Complete Your Microsoft 365 Data Protection Stack
  • Partners
  • Customers
    • Customers

    • Customer Services
    • Customer Portal
    • Premium Support
  • Company
    • Company

    • About Us
    • Careers
    • Leadership
    • News
    • Our History
  • Search
  • Contact
  • CCPA Summary and Key Issues

  • Consent
  • Enforcement
  • Financial Incentives
  • Jurisdictional Thresholds
  • Information Security
  • Marketing and Advertising
  • Notices to Consumers
  • Personal Information
  • Privacy Policy
  • Requests for Disclosure of Personal Information
  • Requests for Deletion
  • Service Providers
  • Sales of Minors’ Information
  • Sales to Third Parties
  • Verification of Requestors
View CCPA Act

Information Security

Information Security Under the CCPA Statute

The CCPA is not, per se, an information security or breach notification statute. California has distinct breach notification and information security statutes (§§1798.82 and 1798.81.5 of the Civil Code, respectively), both of which predate passage of the CCPA. Section 1798.150 carries the CCPA’s requirement that personal information be protected with reasonable security procedures. Noteworthy about this section is that it couches the mandate in the negative: rather than prescribing controls, it makes a violation of the duty to protect personal information grounds for a civil action by the affected consumer. The relevant text of §1798.150(a)(1) reads:

Any consumer whose nonencrypted and nonredacted personal information … is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action for any of the following:

A. To recover damages in an amount not less than one hundred dollars ($100) and not greater than seven hundred and fifty dollars ($750) per consumer per incident or actual damages, whichever is greater.
B. Injunctive or declaratory relief.
C. Any other relief the court deems proper.
[emphasis added]

Before suing for statutory damages, a consumer must give the business 30 days’ written notice identifying the specific provisions allegedly violated, so that the business can “cure” the violation; no such notice is required for an action seeking only actual pecuniary damages.
With respect to what constitutes a cure, the statute and the Regulations as originally adopted provide no guidance. What is known is that fixing the problem that caused the breach does not, by itself, cure it; the offending entity must put the victim in the position they were in before the breach. 1 The CPRA amendments to §1798.150(b) now say as much, providing that implementing and maintaining reasonable security procedures and practices after a breach does not constitute a cure with respect to that breach.

Information Security Under the CCPA Regulations

The CCPA Regulations provide insight into two related, if not overlapping, areas of information security: verification of requestors and implementation of controls to protect personal information. Section 999.313, Responding to Requests to Know and Requests to Delete, prescribes the following with respect to requests to know in the context of information security:

c) Responding to Requests to Know

3) A business shall not provide a consumer with specific pieces of personal information if the disclosure creates a substantial, articulable, and unreasonable risk to the security of that personal information, the consumer’s account with the business, or the security of the business’s systems or networks.

* * *

6) A business shall use reasonable security measures when transmitting personal information to the consumer.

[emphasis added]

Section 999.323 presents General Rules Regarding Verification, some of which include:

a) A business shall establish, document, and comply with a reasonable method for verifying that the person making a request to know or a request to delete is the consumer about whom the business has collected information.

b) In determining the method by which the business will verify the consumer’s identity, the business shall:

1) Whenever feasible, match the identifying information provided by the consumer to the personal information of the consumer already maintained by the business, or use a third-party identity verification service that complies with this section.

* * *

d) A business shall implement reasonable security measures to detect fraudulent identity verification activity and prevent the unauthorized access to or deletion of a consumer’s personal information.
[emphasis added]

The Regulations prescribe a two-track system for verifying the identity of a requestor: one for requestors with an existing password-protected account and one for everyone else. Within this latter track are two standards, a base one if the requestor desires to know the categories of information collected and a higher one if the requestor desires to know the specific pieces of information collected. Section 999.324, Verification for Password-Protected Accounts, states in pertinent part the following:

a) If a business maintains a password-protected account with the consumer, the business may verify the consumer’s identity through the business’s existing authentication practices for the consumer’s account[.]
b) If a business suspects fraudulent or malicious activity on or from the password-protected account, the business shall not comply with a consumer’s request to know or request to delete until further verification procedures determine that the consumer request is authentic[.]
[emphasis added]

Section 999.325, Verification for Non-Accountholders, states in pertinent part the following:

a) If a consumer does not have or cannot access a password-protected account with the business, the business shall comply with this section, in addition to section 999.323.
b) A business’s compliance with a request to know categories of personal information requires that the business verify the identity of the consumer making the request to a reasonable degree of certainty. A reasonable degree of certainty may include matching at least two data points provided by the consumer with data points maintained by the business, ….

c) A business’s compliance with a request to know specific pieces of personal information requires that the business verify the identity of the consumer making the request to a reasonably high degree of certainty, which is a higher bar for verification. A reasonably high degree of certainty may include matching at least three pieces of personal information provided by the consumer with personal information maintained by the business …with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.

d) A business’s compliance with a request to delete may require that the business verify the identity of the consumer to a reasonable degree or a reasonably high degree of certainty depending on the sensitivity of the personal information and the risk of harm to the consumer posed by unauthorized deletion.

e) [Illustrative scenarios omitted.]

f) If there is no reasonable method by which a business can verify the identity of the consumer to the degree of certainty required by this section, the business shall state so in response to any request and, if this is the case for all consumers whose personal information the business holds, in the business’s privacy policy [i.e., their privacy notice].
[emphasis added]
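One way a business might implement the two-track verification the Regulations describe, written here as an added example rather than code from this page or from any particular product. It assumes a consumer record keyed by data-point names, uses a three-strike failure counter as a stand-in for the “reasonable security measures to detect fraudulent identity verification activity” that §999.323(d) requires, and constructs its own sample record; all of those are assumptions, not anything the Regulations specify. The verifier normalizes and hashes each data point before a constant-time comparison, applies the two- or three-point threshold according to the request type, demands the signed declaration for the higher tier, and holds a request once repeated failures or a suspicious-account flag are seen.

```python
# Illustrative two-track identity verifier for CCPA requests to know / delete.
# Added example; field names, thresholds and the failure counter are assumptions.
from __future__ import annotations

import hashlib
import hmac
import re
from collections import defaultdict
from dataclasses import dataclass, field
from enum import Enum


class Tier(Enum):
    """Minimum matching data points on the non-accountholder track."""
    REASONABLE = 2        # request to know *categories* (999.325(b))
    REASONABLY_HIGH = 3   # request to know *specific pieces* (999.325(c))


class Outcome(Enum):
    VERIFIED = "verified"
    NOT_VERIFIED = "not_verified"   # response must say verification failed (999.325(f))
    BLOCKED = "blocked"             # suspected fraud: hold the request (999.323(d), 999.324(b))


def normalize(name: str, value: str) -> str:
    """Canonicalise a data point so formatting differences alone do not defeat a match."""
    value = value.strip().lower()
    if name == "phone":
        return re.sub(r"\D", "", value)   # digits only
    return re.sub(r"\s+", " ", value)


def same(name: str, provided: str, stored: str) -> bool:
    """Constant-time comparison of hashed, normalised values."""
    a = hashlib.sha256(normalize(name, provided).encode()).digest()
    b = hashlib.sha256(normalize(name, stored).encode()).digest()
    return hmac.compare_digest(a, b)


def required_tier(request_type: str, sensitive: bool = False) -> Tier:
    """Map the request type to the degree of certainty the Regulations call for."""
    if request_type == "know_categories":
        return Tier.REASONABLE
    if request_type == "know_specific":
        return Tier.REASONABLY_HIGH
    if request_type == "delete":      # 999.325(d): depends on sensitivity and risk of harm
        return Tier.REASONABLY_HIGH if sensitive else Tier.REASONABLE
    raise ValueError(f"unknown request type: {request_type}")


@dataclass
class Verifier:
    max_failures: int = 3                                   # assumed fraud-detection threshold
    failures: dict[str, int] = field(default_factory=lambda: defaultdict(int))

    def verify(self, request_type: str, provided: dict[str, str], stored: dict[str, str],
               *, signed_declaration: bool = False, sensitive: bool = False,
               account_authenticated: bool | None = None, suspicious: bool = False) -> Outcome:
        """account_authenticated=True/False selects the password-protected-account track
        (999.324); None selects the non-accountholder track (999.325)."""
        subject = normalize("email", provided.get("email", "")) or "<anonymous>"
        if suspicious or self.failures[subject] >= self.max_failures:
            return Outcome.BLOCKED
        if account_authenticated is not None:               # track 1: existing authentication
            return Outcome.VERIFIED if account_authenticated else Outcome.NOT_VERIFIED
        # Track 2: count data points that match what the business already holds.
        matched = sum(1 for k, v in provided.items() if k in stored and same(k, v, stored[k]))
        tier = required_tier(request_type, sensitive)
        ok = matched >= tier.value
        if tier is Tier.REASONABLY_HIGH:
            ok = ok and signed_declaration                  # declaration under penalty of perjury
        if not ok:
            self.failures[subject] += 1
        return Outcome.VERIFIED if ok else Outcome.NOT_VERIFIED


# Constructed sample record (not real consumer data).
ON_FILE = {"email": "Jane.Doe@example.com", "phone": "(415) 555-0100",
           "postal_code": "94105", "last_name": "Doe"}


def demo() -> list[Outcome]:
    v = Verifier()
    partial = {"email": "jane.doe@example.com", "phone": "415-555-0100"}
    full = dict(partial, postal_code="94105")
    return [
        v.verify("know_categories", partial, ON_FILE),                          # 2 points: verified
        v.verify("know_specific", partial, ON_FILE, signed_declaration=True),  # 2 < 3: not verified
        v.verify("know_specific", full, ON_FILE),                               # no declaration: not verified
        v.verify("know_specific", full, ON_FILE, signed_declaration=True),     # verified
        v.verify("delete", full, ON_FILE, sensitive=True),                      # higher tier, no declaration
        v.verify("delete", full, ON_FILE),                                      # third failure seen: blocked
        v.verify("delete", {}, ON_FILE, account_authenticated=True),            # account track: verified
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome.value)
```

The failure counter is keyed on the claimed e-mail address only so the example stays short; a production system would also rate-limit by source address and session, log every refused request for review, and, per §999.325(f), tell the requestor when no reasonable verification method exists rather than silently failing.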

In sum, the CCPA articulates the duty to protect consumer personal information in two places: (1) the Regulations’ verification rules, which guard confidentiality (disclosing data only to the verified consumer) and integrity (refusing unauthorized deletion, per §999.323(d)), and (2) the statute’s “reasonable security procedures and practices,” the general safeguard for the confidentiality, integrity, and availability of that information. In 2016, the California Attorney General’s office published a report on data breaches that occurred during the period 2012-2015. Among the recommendations made by the Attorney General is that

[t]he 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security. 2

Citations to the report by the current California Attorney General are noteworthy by their absence, and it is unclear whether businesses should invest in advancing compliance using the Critical Security Controls. Two caveats for practitioners: the report describes the controls as they stood in 2016 (20 controls), whereas CIS Controls v8, published in 2021, consolidates them into 18; and the report’s standard, that failing to implement every applicable control is unreasonable, is the Attorney General’s stated view rather than a statutory safe harbor, so it is best read as a floor to benchmark against, not as a guarantee that a control set will be found reasonable.

Finally, the statute’s requirement that the procedures and practices be “appropriate to the nature of the information” implies that a business must first conduct a risk assessment: an inventory of what personal information it holds and where it lives, and an understanding of the harm that could result from that information’s exposure, destruction, or corruption. Without such an assessment a business cannot show that its safeguards were chosen with the actual risk in view, and it could face the charge of not understanding the scope of the risk to personal information in its care.


1. See Romero v. Dep’t Stores Nat’l Bank, 725 F. App’x 537, 540 (9th Cir. 2018).
2. California Data Breach Report 2012-2015, Kamala D. Harris, Attorney General, California Department of Justice (2016), at v.

© 2024 Spirion, LLC. All Rights Reserved

  • Legal
  • Privacy
  • Sitemap