[Update: After publication of the post below, AB 1035 was amended to remove the language referenced below. The fact that the California legislature considered defining what constitutes “reasonable security procedures and practices” for purposes of the CCPA’s private right of action but, at least as of now, did not proceed with such legislation leaves businesses subject to the CCPA with little to no legislative direction as to how they can demonstrate that they are undertaking reasonable security procedures and practices. It also exposes the CCPA to the argument that the subject language is void for vagueness. Given the substantial penalties businesses are exposed to under the CCPA’s private right of action, the failure of the legislature to address this issue is notable, especially considering that Ohio implemented legislation last year that California could have used as a guide.]
Given the near ubiquitous coverage of proposed CCPA amendments, it may be hard to believe that any bill could fly under the radar, but that appears to be the case with AB 1035, which would amend the CCPA’s private right of action to link “reasonable security procedures and practices” to NIST standards.
By way of background, § 1798.150 of the CCPA creates a private cause of action for any “consumer whose nonencrypted or nonredacted personal information . . . is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information . . . .” For such violations, consumers are authorized to recover “not less than one hundred dollars ($100) and not greater than seven hundred and fifty ($750) per consumer per incident or actual damages, whichever is greater.”
However, one significant problem with that provision is that no one quite knows what constitutes “reasonable security procedures and practices.” For guidance, privacy and information security professionals have often relied on the California Attorney General Office’s 2016 Data Breach Report, which states:
The 20 controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.
AB 1035, however, would amend § 1798.150 to include the following new definition:
As used in paragraph (1), “reasonable security procedures and practices” include, but are not limited to, a cybersecurity program that reasonably conforms to the current version, or a version that has been revised within the one-year period before the date of a security breach, of any of the following:
(A) The Framework for Improving Critical Infrastructure Cybersecurity developed by the National Institute of Standards and Technology (NIST).
(B) NIST Special Publication 800-171.
The bill would also amend California’s information security statute, California Civil Code § 1798.81.5, to include the same definition.
AB 1035’s use of the phrase “include, but are not limited to” and its omission of the CIS Controls from the enumerated list of conforming programs is likely to create confusion and risk for organizations that invested resources to abide by the Attorney General Office’s guidance.
The bill’s narrow focus on NIST also ignores that there are other information security standards – such as ISO 27001 – that are routinely used by organizations to demonstrate information security compliance. By comparison, when Ohio recently created a safe harbor for certain data breach-related claims, it included not only NIST standards but also the CIS Controls and the ISO 27000 family, among others.
The bill’s preamble explains the proposed amendment as follows:
Existing law requires a business that owns, licenses, or maintains personal information about a California resident to implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure. Existing law, the California Consumer Privacy Act of 2018, beginning on January 1, 2020, grants a consumer various rights with regard to personal information relating to that consumer that is held by a business, including the right to know what personal information is collected by a business and to have information held by that business deleted, as specified. The act specifically authorizes a consumer whose nonencrypted or nonredacted personal information, as defined, is subject to unauthorized access and exfiltration, theft, or disclosure as a result of the business’s failure to maintain reasonable security procedures and practices appropriate to the nature of the information to institute a civil action for various damages.
This bill would define “reasonable security procedures and practices” for the purposes of those provisions to include a cybersecurity program that reasonably conforms to specified standards published by the National Institute of Standards and Technology.
Although the bill is a long way from becoming law, it did pass unanimously out of committee on April 30th with one abstention. Over the next few months, Husch Blackwell’s privacy and data security blog will continue to provide updates on AB 1035 as well as other proposed CCPA amendments. Register here to stay up-to-date on these bills.
Finally, it should be noted that AB 1035 is one of two bills directed at amending the CCPA’s private right of action. The other bill – SB 561 – would expand the private right of action to cover violations of the CCPA’s privacy rights, not just data breaches.