What exactly am I supposed to do to protect information? Does the CCPA provide a specific security standard?
Friday, February 19, 2021

No.

The regulations implementing the CCPA require reasonable security only in the context of personal information collected or processed for specific purposes – i.e., consumer requests and information provided in response to access requests. The Office of the Attorney General (OAG) has stated that what constitutes “reasonable security measures” in these contexts is a “fact-specific determination” for which a business should “consult with an attorney who is aware of all pertinent facts and relevant compliance concerns.”1

Prior to the enactment of the CCPA, the OAG published a report on data breaches within the state that specifically identified the 20 controls set forth in the Center for Internet Security’s Critical Security Controls (the CIS Controls) as the “minimum level of security” an organization should meet.2 The report states that the “failure to implement all of the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”3

In comparison, the European GDPR requires that a company “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, [to personal data].”4 Like the CCPA, the GDPR does not set forth or incorporate a specific security standard, or framework, or require that companies utilize specific technology when securing information.

1 FSOR Appendix A at 134, 311 (Response 431, 924).

2 Available at http://src.bna.com/cFY

3 Available at http://src.bna.com/cFY

4 GDPR, Article 32(1).
