United States: Five Steps To Mitigate CCPA Class Action Risk: What Companies Need To Do To Increase Data Security

While many companies and service providers are spending significant time and budget on the privacy-related requirements of the forthcoming California Consumer Privacy Act (CCPA), the largest exposure for companies not selling or bartering personal information may be a class action for failing to define and maintain reasonable security. Starting January 1, 2020, consumers will be able to sue businesses under California's strict new privacy law for data breaches caused by the failure to maintain "reasonable security." For that reason, businesses should begin reviewing their existing security procedures and practices and implementing any additional measures that will establish a defensible security program according to the state of California.

As described in an earlier Fenwick alert, the California Consumer Privacy Act, effective on January 1, 2020, is the broadest privacy law in the United States. Not only does it expand the definition of personal information, it also provides consumers the ability to file private rights of action and class actions against businesses when personal information is disclosed because of the business' failure to implement reasonable security. California plaintiffs' counsel will no doubt take advantage of this new law as impacted companies are subject to statutory penalties: the greater of $100 to $750 per consumer per incident or actual damages.1 Additionally, the California Office of the Attorney General may fine companies up to $7,500 for each intentional violation. Unlike the potential 4 percent of global revenue penalty cap on breaches under the EU's General Data Protection Regulation (GDPR), the CCPA has no cap.

The "Reasonable" Security Standard in California

California, FTC and Others Provide Guidance. The CCPA penalizes a company when a consumer's "nonencrypted or nonredacted personal information... is subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business' violation of the duty to implement and maintain reasonable security procedures and practices." 2 Although the CCPA does not define what security procedures and practices are "reasonable," there is existing guidance from the state of California as well as other sources.

California Focus on CIS 20 Controls. In 2016, the California Office of the Attorney General published a Data Breach Report in which the attorney general identified 20 Center for Internet Security Controls (CIS Controls) as the "minimum level of information security that all organizations that collect or maintain personal information should meet."3 The report further indicated that "failure to implement all the Controls that apply to an organization's environment constitutes a lack of reasonable security." The report grouped the CIS Controls by type of action:

Control Title Action Control Reference(s)
Count Connections Know the hardware and software connected to your network. CSC 1, CSC 2
Configure Securely Implement key security settings. CSC 3, CSC 11
Control Users Limit user and administrator privileges. CSC 5, CSC 14
Update Continuously Continuously assess vulnerabilities and patch holes to stay current. CSC 4
Protect Key Assets Secure critical assets and attack vectors. CSC 7, CSC 10, CSC 13
Implement Defenses Defend against malware and boundary intrusions. CSC 8, CSC 12
Block Access Block vulnerable access points. CSC 9, CSC 15, CSC 18
Train Staff Provide security training to employees, contractors and any vendors with access. CSC 17
Monitor Activity Monitor accounts and network audit logs. CSC 6, CSC 16
Test and Plan Response Conduct tests of your defenses and be prepared to respond promptly and effectively to security incidents. CSC 19, CSC 20

In addition to the CIS Controls, the attorney general endorsed three other measures in the report:

  • Multi-Factor Authentication – Multi-factor authentication should be available to consumer-facing online accounts in addition to employee systems. Multi-factor authentication pairs "something you know," such as a password or PIN, with "something you are or have," such as your cellphone or fingerprint.
  • Encryption of Data on Portable Devices – Use encryption on laptops and other portable devices.
  • Fraud Alerts – Inform consumers about placing a fraud alert on their credit files when there is a breach.

In 2014, the attorney general referenced a similar list of security measures in the "Cybersecurity in the Golden State" report. The 2014 report also recommends that organizations map their data and decide which stored consumer information is actually necessary for their business. Though it is uncertain whether the current or future attorneys general will endorse the positions taken in these two reports, both report recommendations may serve as the minimum steps businesses should take when handling personal information with "reasonable" security.

Other Guidance

FTC Cases on Comprehensive Security. The U.S. Federal Trade Commission (FTC) has brought over 500 enforcement actions protecting the privacy of consumer information, including 75 general privacy lawsuits and over 65 cases against companies that have engaged in unfair or deceptive practices that failed to adequately protect consumers' personal data.4 These past actions and the resulting consent orders provide some insight about what is considered "reasonable" security. For example, one of the first cases for the FTC in 2002 required Eli Lilly to "establish and maintain a four-stage information security program designed to establish and maintain reasonable and appropriate administrative, technical, and physical safeguards to protect consumers' personal information against any reasonably anticipated threats or hazards to its security, confidentiality, or integrity, and to protect such information against unauthorized access, use, or disclosure."

The Fenwick team has extensive experience in these cases in a variety of roles: advising the FTC as an expert witness, representing the company during litigation of the case, serving as the independent assessor of the company and counseling companies through such assessments. Our team's experience includes more than a dozen comprehensive privacy and information security cases, including major cases with global technology, financial, and healthcare companies. Through this experience, we have observed that most companies align their security practices with recognized frameworks, such as the International Organization for Standardization (ISO) 27001 series, the National Institute of Standards and Technology (NIST) Cybersecurity Framework and PCI Data Security Standard (PCI DSS). Healthcare companies may also align to healthcare-specific frameworks and regulations, such as the HIPAA Security Rule.

Other Industry Frameworks. Most companies may be more familiar with these traditional frameworks than with the CIS 20, especially if the companies operate with government data. To ensure that they have established reasonable security for CCPA compliance, companies may choose to operate under the frameworks that best fit their business (like ISO), but evaluate their frameworks and controls against the CIS 20 to confirm that the control standards would be met in the event of a data breach, financing transaction or merger and acquisition due diligence. Other frameworks we have seen used include the Microsoft Security Development Lifecycle (MS SDL), the Gramm-Leach-Bliley Act Safeguards Rule, and, to a lesser extent, COBIT, ITIL and state guidance such as 201 CMR 17 from Massachusetts. A common theme for all frameworks is that "reasonable security" is a process that comprises identifying data to be secured, assessing risks, implementing controls, and monitoring and updating the controls.

Best Practices. Separately, the FTC has published a best practices guide, "Start With Security: A Guide for Business," in which the agency encourages organizations to put their security standards in writing in contracts with vendors.

Five Steps Companies Should Take Now

  1. Adopt a Recognized Information Security Framework. Adopt a framework such as ISO, NIST, PCI DSS or the CIS Controls based on best practices for your company's industry. In our experience, ISO is the most common.
  2. Create a Data Inventory and Risk Assessment. Make an inventory of both the sensitivity and location of personal information data. Based on that inventory, companies can scope the boundaries of their security programs and then assess risk. Companies can follow established risk assessment procedures, such as the NIST SP 800-53A.
  3. Establish a Basic Security Process. Even if a company is earlier stage and does not implement all aspects of a framework, it is important that the key program building blocks that are common to all programs are put into place, including:
    • Adopting a written information security policy
    • Training employees
    • Securing and limiting access to data stores that contain personal information
    • Implementing an incident response action plan and
    • Practicing the action plan, so that it becomes routine when an incident does occur.
  1. Implement or Strengthen Key Controls. In addition to key program building blocks and the 20 key CIS controls, the most common controls that companies strengthen or address vulnerabilities for include:
    • Access Controls: Review access to systems containing personal data and implement consistent reliable provisioning, deprovisioning and access review processes for such systems as well as blocking vulnerable access points.
    • MFA: Implement multi-factor authentication for critical systems.
    • Encryption: Use encryption for personal information in transit and at rest.
    • Log Monitoring/Alerting: Implement monitoring and alerting to identify unusual or suspicious network activity whether internal (e.g., failed logon attempts) or external (e.g. intrusion detection).
    • Attack and Penetration Testing: Conduct regular reviews and test security to defenses to identify and remediate any weaknesses before a data breach occurs.
  1. Disclose Third-Party Sharing. Review key system interfaces, application programming interfaces (APIs), software development kits (SDKs) and other data sharing methods involving third-parties, especially those used for AdTech and marketing analytics. Given the number of recent enforcements in the E.U. and U.S. for inadequate transparency and safeguards relating to third-party data sharing (including large fines by the CNIL and FTC), companies should take extra care in their privacy policies to identify and clearly disclose any external sharing of information (and avoid undisclosed third parties who use the information for their own purposes).


1 1798.155.(b)

2 1798.150. (a) (1)

3 Version 7.1 is the latest version of the CIS Controls and was released in April 2019. There are some minor changes in the controls from those listed here.

4 Federal Trade Commission Privacy & Data Security Update (2017): An Overview of the Commission's Enforcement, Policy Initiatives, and Consumer Outreach and Business Guidance in the Areas of Privacy and Data Security: January 2017 – December 2017, and Federal Trade Commission Privacy & Data Security Update for 2018.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Events from this Firm
11 Dec 2019, Other, Los Angeles, United States

Fenwick counsel Robert Brownstone will be lead chair in this highly interactive colloquium providing a deep understanding and practical advice regarding major e-discovery challenges facing organizations today.

12 Dec 2019, Conference, New Orleans, United States

Robert Brownstone will present on December 12 at 3:15pm on The E-Workplace: Privacy Issues and Cyber Security.

27 Jan 2020, Conference, California, United States

One of the most visible and highly-regarded securities and corporate law conferences in the country, the Securities Regulation Institute reaches prominent attorneys from both firm and in-house practices.

In association with
Related Topics
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Mondaq Free Registration
Gain access to Mondaq global archive of over 375,000 articles covering 200 countries with a personalised News Alert and automatic login on this device.
Mondaq News Alert (some suggested topics and region)
Select Topics
Registration (please scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions