

Reasonable Security Measures: The Next Focus in Data Breach Litigation

Greg Szewczyk and Sarah Dannecker


  • The CCPA does not define reasonable security measures, nor does the forthcoming California Privacy Rights Act (CPRA).
  • Colorado’s attorney general recently released straightforward guidance in this regard.
  • The guidance should be recognized as just that—guidance—and not a technical playbook for data security.

For years, the threshold issue in data breach litigation focused on standing. However, with the California Consumer Privacy Act’s (CCPA’s) private right of action with statutory damages—as well as an apparent shift in general data breach case law—standing likely will not be the central issue in many data breach cases going forward. Instead, the battle line will likely shift to whether or not a company implemented reasonable security measures—an element under the CCPA, as well as common-law tort and contract claims that are frequently asserted in data breach litigation. The question then becomes, “What constitutes reasonable security measures?”

The CCPA does not define reasonable security measures, nor does the forthcoming California Privacy Rights Act (CPRA). Various industry-specific laws, such as the Gramm-Leach-Bliley Act (GLBA), provide more detail. Laws like the GLBA, however, may be distinguishable on the grounds that they apply to specific industries (like financial services) where strict data security is crucial. Recognized security frameworks such as those published by NIST, CIS, and ISO, while helpful, contain many subcontrols that do not apply to every organization, which creates factual disputes that are difficult for a nontechnical fact finder to resolve.

Thankfully, Colorado’s attorney general (AG) recently released straightforward guidance in this regard. This article discusses the guidance’s suggested nine key steps that an organization can take to ensure that it is implementing reasonable security measures for protecting consumers’ personal information. While the Colorado guidance will not be binding with respect to the CCPA/CPRA or across all common-law claims, it does provide a road map for how companies can document reasonable security measures through policies that a jury (or other nontech finders of fact) can easily understand.

Step No. 1: Know What You Have and Who Has Access

Per the guidance, the first step is to take inventory of the types of personal information the organization collects and, if one is not already in place, to create a system for storing and managing that information. Organizations should monitor which employees have access to personal information and should have a written data retention and destruction policy in place.

Step No. 2: Have a Written Information Security Policy

Second, organizations should memorialize their data security practices in a written information security policy (WISP). According to the guidance, common data security practices include data minimization, access control, password management, and encryption. An organization's information security procedures should also adhere to industry standards where possible (e.g., the ISO/IEC 27000-series standards for storing employee data, the Payment Card Industry Data Security Standard (PCI DSS) for organizations that collect credit card information, etc.). It is important to note, however, that the WISP should not simply be a spreadsheet of controls; it should be a comprehensive overview of the program written in plain language.

Step No. 3: Have a Written Incident-Response Plan

Third, the guidance recommends adopting a written incident-response plan, maintained in both physical and digital form in case a cyberattack renders the digital copy unusable, as one of the reasonable security measures that an organization can adopt to protect personal information. Such a plan details the steps the organization will take in the event of a security incident, such as notification procedures and remedial actions. To ensure that the organization can actually execute the plan, it should conduct response training and simulated, interactive exercises that test its incident-response procedures (i.e., tabletop exercises).

Step No. 4: Know Your Vendors

Fourth, reasonable security measures to protect personal information include effective vendor management. Organizations should vet potential vendors and must require—by contract—that vendors adopt and take reasonable and appropriate security measures to protect the personal information that they process on behalf of the organization, allow for regular (and no less than annual) audits by the organization of the vendor’s security procedures, and aid the organization in the event of a security breach. Again, the key is to have some documented process or standard template to demonstrate compliance.

Step No. 5: Train Your Employees

The guidance also recommends that an organization implement an effective employee-training program as a reasonable security measure. Training employees on cybersecurity preparedness and on identifying and reporting suspicious emails and other network activity can be critical in preventing cyberattacks, and the training program, including who was trained and when, should be documented.

Step No. 6: Follow the Colorado AG’s 2021 Ransomware Guidance

Sixth, the guidance recommends that organizations follow the Colorado attorney general's 2021 ransomware guidance to help bolster their cybersecurity and resilience against ransomware and other attacks. Per the 2021 guidance, best practices for preventing and responding to ransomware attacks include multifactor authentication, encryption, endpoint detection and response, data backup (including ensuring that backup copies are kept offline and readily accessible, so that an attacker who has compromised the network cannot encrypt or delete them along with the production systems), regular system updates and patching, testing incident-response plans, and network segmentation.

Step Nos. 7 and 8: Promptly Conduct Investigations and Provide Notifications, When Necessary

The seventh and eighth recommendations in the guidance relate to timely breach notification and the actions an organization takes following a security breach affecting consumers' personal information. Per the guidance, organizations that process personal information have a duty to protect that information and should conduct a prompt investigation in the event of a security breach. Depending on the type of personal information affected and the magnitude and severity of the breach, organizations may be required to notify affected consumers and/or the Colorado attorney general within 30 days (with additional notification obligations determined by other states' laws). Organizations should also be prepared to compensate affected individuals, for example by providing free credit-monitoring services.

Step No. 9: Regularly Review and Update Your Security Policies

Finally, the guidance recommends that organizations regularly review their security policies and update them where necessary. Assessing whether data collection, storage, and use practices reflect changes to internal processes and to the applicable risks is key to ensuring that the organization continues to undertake reasonable security measures. As organizations introduce new products and services or adopt different business practices, the policies governing their security practices should be updated accordingly.


The guidance should be recognized as just that—guidance—and not a technical playbook for data security. But it demonstrates the reality that data security is not just about technical controls. In an era where the sufficiency of a program will be determined by nontechnical fact finders through the normal legal process, companies need to document their programs through legal policies that are easily understood. The Colorado guidance certainly provides a useful road map in that respect, and we can expect to see it cited by both plaintiffs and defendants in the coming years.