CCPA Data Security Requirements: What Is Reasonable Security?

The California Consumer Privacy Act (CCPA) gives California citizens the right to know how companies are collecting, storing, sharing and selling their data. To comply with the CCPA, businesses not only need to allow consumers to opt out of data sharing; they also need to maintain reasonable security to protect personal information from unauthorized access. In this article, we will look at the data security requirements of the CCPA and explain what justice officials mean by “reasonable security”.

CCPA Overview

The California Consumer Privacy Act (CCPA) was passed in 2018 to enhance privacy and consumer protections for California residents. Broadly speaking, it gives consumers the right to know what personal information companies are collecting about them, to request that businesses delete or correct their data and to opt out of the sale or sharing of their information.

Although the CCPA is a piece of state legislation, it can apply to businesses outside of California if they collect personal information from California residents.

CCPA Privacy Provisions

The CCPA and its 2020 amendment, the California Privacy Rights Act (CPRA), establish several basic rights to give consumers more control over how businesses collect and share their data. These are the most important provisions in the CCPA:

  • Right to know: Consumers have the right to know what information businesses collect about them and who they share it with or sell it to. They also have the right to access that information upon request.

  • Right to delete: Consumers have the right to request that businesses delete their personal information. However, businesses are not required to comply if the information is used for purposes such as providing a service, engaging in research, complying with legal obligations or purely internal use.

  • Right to correct: Consumers have the right to request that a business correct inaccurate personal information about them.

  • Right to opt out: Consumers have the right to tell businesses not to sell or share their information. Businesses are required to provide notice of this right to opt out. Businesses are not allowed to sell or share the data of children under 16 without affirmative authorization. For children under 13, authorization from a parent or guardian is needed.

  • Right to limit use and disclosure: Consumers have the right to tell businesses to limit the use of their personal data to what is necessary to provide the good or service in question.

  • Right of no retaliation: Businesses cannot discriminate against consumers who exercise their CCPA rights by denying them service, charging different prices or providing a different level of service.

What Data Is Covered by the CCPA?

The CCPA protects the privacy of personal information, i.e. information that relates to a particular consumer or household. This includes various types of data, but excludes information that is publicly available through local, state or federal records.

Data protected under the CCPA includes:

  • Real name, alias or other identifiers

  • Email address

  • IP address

  • Phone number

  • Address

  • Social security number

  • Driver’s license, passport or ID number

  • Biometric data

  • Bank account number

  • Credit or debit card number

  • Financial information

  • Purchase history

  • Internet history

  • Medical information

  • Health insurance information

  • Employment information

Who Needs to Comply with the CCPA?

The California Consumer Privacy Act (CCPA) applies to companies that do business in California and meet one or more of these three criteria:

  • Gross annual revenue of more than 25 million dollars

  • Buys, sells or shares information of more than 100,000 California consumers or households

  • At least 50% of revenue is generated by selling California residents’ personal information

However, the CCPA includes exceptions for organizations that are regulated through other laws, such as health care providers covered by HIPAA or financial institutions covered by the GLBA.

CCPA Security Requirements

Under the CCPA, consumers have the right to pursue statutory damages if their personal data is involved in a data breach and the business in question has failed to maintain reasonable security.

The requirement to implement and maintain reasonable security procedures and practices technically predates the CCPA and can be found in the California Civil Code Section 1798.81.5. Regardless, organizations that want to avoid data breach lawsuits need to ensure any personal information they collect is protected by a reasonable level of security.

What Is Reasonable Security?

The question of what exactly the CCPA means by “reasonable security” has caused a lot of debate and confusion pretty much from day one. Legal frameworks often give no specific technical definitions since that would fall outside the expertise of policy-makers. For example, consider how the GDPR likewise refers to “appropriate technical and organisational measures”.

In the case of the CCPA, the use of the word reasonable is rooted in tort law, where courts often have to debate the line between reasonable care and negligence when assessing liability. Unfortunately, this means that there is currently no official definition for what constitutes reasonable security.

In the absence of an official definition by California legislators, many have latched on to prior recommendations by the California Department of Justice (DOJ). In the 2016 California Data Breach Report, for example, then AG Kamala Harris recommends the Center for Internet Security’s Critical Security Controls as a baseline for reasonable security, alongside a few specific recommendations like strong encryption and multi-factor authentication.

However, the Data Breach Report’s endorsement of the CIS Controls is not a binding recommendation. Experts have pointed out that there are many other standards that could be used as the basis for reasonable security practices, from ISO 27001 to the NIST Cybersecurity Framework. And in CCPA lawsuits, the question of whether a company is at fault for a data breach is generally not settled by adherence to a specific framework, but by overall reasonable precaution.

Thus, a few guidelines do appear.

First, as stated above, reasonableness remains the CCPA’s standard.

Second, a cybersecurity breach can still happen notwithstanding the maintenance of reasonable security procedures adapted to avoid the breach.

Third, the mere fact of the breach by itself does mean that business’s cybersecurity procedures were unreasonable.

Fourth, the existence of higher quality or state-of-the-art security measures is insufficient by itself to demonstrate that a business’s procedures were unreasonable.

Fifth, the absence of any security procedures, of any person trained in privacy or cybersecurity, and of regular risk assessments represent a common theme underlying a finding of unreasonableness.

And, finally, reasonableness always requires some balancing: the level of security must be appropriate to the risk and the cost of additional safeguards.

Source: What Is A “Reasonable Security Procedure And Practice” Under the California Consumer Privacy Act’s Safe Harbor? (Scott J. Hyman, Genevieve R. Walser-Jolly, Elizabeth Farrell)

CIS Controls: Best Practice Security

While it is far from the only way to demonstrate CCPA compliance, there is little doubt that implementing the CIS Controls shows a reasonable level of security.

The CIS Controls are a set of “prescriptive, prioritized and simplified” cybersecurity best practices created by the Center for Internet Security (CIS). Put simply, the CIS Controls offer a list of essential safety measures companies should adhere to, grouped into 20 categories.

Since organizations of different sizes have different security needs and different resources available to them, the CIS Controls are split into three implementation groups: Group 1 marks recommendations for companies of all sizes, Group 2 is for medium-sized enterprises and above and Group 3 is for large-scale enterprises.

CCPA: Data Access Requirements

If you want to comply with the CCPA and show that you protect personal information with a reasonable level of security, there are multiple best practices for data access you need to follow:

  • Lifecycle Automation: A structured onboarding and offboarding process ensures that every user receives the right privileges – and loses access as soon as they leave the organization. The best way to automate provisioning is through role-based access control.

  • Least Privilege Access: No one in your organization should have access to data they do not need. This concept is also known as the principle of least privilege. Enforcing least privilege access requires accurate provisioning and regular permission audits.

  • User Access Reviews: Even with a secure onboarding process, unwanted privileges can build up over time as users switch departments or join projects. Regularly checking these permissions through user access reviews reduces access risk.

tenfold: The Easy Way to Govern Data Access

The CIS Controls, NIST CSF or ISO 27001: No matter which framework you choose, all cybersecurity standards will tell you that preventing unwanted access is a cornerstone of effective data security.

But with dozens of apps, hundreds of users and thousands of files, managing access is no easy task. Onboarding users manually quickly leads to chaos, and the built-in tools for systems like Active Directory and Microsoft 365 simply do not give you the visibility you need.

Which is why you need tenfold, the easiest way to manage IT access. Our revolutionary no-code IAM solution gives you all the features you want out of a governance platform – lifecycle automation, end user self-service, data access governance and user access reviews – paired with lightning-fast setup and a simple interface that makes access management a breeze! Learn more by watching our demo video or signing up for a free trial!

About the Author: Joe Köller

Joe Köller is tenfold’s Content Manager and responsible for the IAM Blog, where he dives deep into topics like compliance, cybersecurity and digital identities. From security regulations to IT best practices, his goal is to make challenging subjects approachable for the average reader. Before joining tenfold, Joe covered games and digital media for many years.