Who’s on First? A New State Law Confounds as the Quest to Define “Reasonable Security” Continues
The United States is racing to regulate the risk created by the pervasive collection of personal data online. Cybersecurity is the lens that frames the issue most clearly, but more and more privacy concepts are also up for grabs in this debate. No current example suits the discussion better than the California Consumer Privacy Act.
In June 2018, multiple news outlets hailed Assembly Bill No. 375, as it is officially called, as “historic” and “landmark”. The Bill even names Cambridge Analytica directly, which is rare for a piece of legislation. That praise may ring true because California has led the states in data security law while federal privacy legislation has been halting (at least as it relates to data breach notification), because few states match California’s global reach, or because several legal analyses argue the Bill is broader in scope than GDPR. On closer inspection, the Bill borrows heavily from earlier domestic and international regulation, including the General Data Protection Regulation and existing California law, as it seeks to protect Californians and their constitutional right to privacy. The word “cyber” never appears in the Bill and “computerized” appears only once, yet the document is aimed at the information security problems and data leakage behind an almost daily onslaught of breaches: it focuses on protecting personal information and provides legal recourse when that information is compromised. What exactly is historic or groundbreaking about it, however, remains to be seen.
For purposes of this blog post, the key provision analyzed is as follows:
1798.150. (a) (1) Any consumer whose nonencrypted or nonredacted personal information, as defined in subparagraph (A) of paragraph (1) of subdivision (d) of Section 1798.81.5, is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’ violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information may institute a civil action…
Based on this section of the Bill, the trigger for a civil action is a breach tied to a business’s failure to maintain reasonable security procedures and practices. The obvious criticism is that the Bill nowhere defines “maintain reasonable security procedures and practices.” Kamala Harris, California’s Attorney General from 2011 to 2017, commented several times on NIST’s influence on the Bill, but a review of the Bill Analysis, available online, reveals only references to various civil code sections, including Cal. Civ. Code § 1798.81.5. In fact, “maintain reasonable security procedures and practices” is lifted from that section, so at least there is some consistency. Other state laws use similar or identical language. Still, a business must look outside the Bill for guidance on how to meet its duty. With dollars at stake if a civil action were to prevail, more definition is better than less – for everyone.
The Bill does not take effect until January 1, 2020, which gives businesses plenty of time to plan for its arrival, much as they did in the ramp-up to GDPR. But what does it mean for a business’s information security or privacy plan?
Here are five basic steps a business can take to prepare:
Read full details here.
For questions about any of the information found here, contact Erik Rasmussen, Principal and Head of Cybersecurity at Grobstein Teeple.