The regulations implementing the CCPA only require that a business utilize reasonable security in the context of personal information collected or processed for specific purposes – i.e., consumer requests and information provided in response to access requests. The Office of the Attorney General (OAG) has stated that what constitutes “reasonable security measures” in these contexts is a “fact-specific determination” for which a business should “consult with an attorney who is aware of all pertinent facts and relevant compliance concerns.”1

Prior to the enactment of the CCPA, the OAG published a report on data breaches within the state that specifically identified the 20 controls set forth in the Center for Internet Security’s Critical Security Controls (CIS) as the “minimum level of security” an organization should meet.2 The report states that the “failure to implement all of the Controls that apply to an organization’s environment constitutes a lack of reasonable security.”3

In comparison, the European GDPR requires that a company “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, [to personal data].”4 Like the CCPA, the GDPR does not set forth or incorporate a specific security standard or framework, nor does it require that companies utilize specific technology when securing information.

1 FSOR Appendix A at 134, 311 (Response 431, 924).

2 Available at

3 Available at

4 GDPR, Article 32(1).